Overview

overview

10

Static

static

3

ddf3fd684f...20.exe

windows7-x64

10

ddf3fd684f...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25-03-2024 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddf3fd684f553b4686987ec5cf532c20.exe

  • Size

    8.0MB

  • MD5

    ddf3fd684f553b4686987ec5cf532c20

  • SHA1

    085a5f8b6aa7eafaf8b7cd13e8aaf6756fba1db7

  • SHA256

    a5e43e7a219d301589d65f7dc18997c5b346e34e7d92063f1ed1f10263d34542

  • SHA512

    b5988a061e33f7a742bb42f55dce0145e1defbe7628819a2337349827408480625cb04eacade19ba2495ee366472cc33555ae227b7286b0c58ff909e322f47bc

  • SSDEEP

    196608:OcwTiBknYhfr5QILXP8ZV3PpLsExwsJC4Ct99QTKu6yTL+b0X820iwvefJ:dwWCnYRr5QIXU/3PpLsacVH3TyXz08J

Score
10/10
mercurialgrabberevasionspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/853156671664685077/8KUuRAI41xE7p329lIVcKihvvEa-30CxP9F9UkMsip1CErSnArWO8ypnl26upafpelAy

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddf3fd684f553b4686987ec5cf532c20.exe
    "C:\Users\Admin\AppData\Local\Temp\ddf3fd684f553b4686987ec5cf532c20.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Users\Public\Music\test.exe
      "C:\Users\Public\Music\test.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2320 -s 1248
        3⤵
          PID:1028
      • C:\Users\Public\Music\Lunar_Builder.exe
        "C:\Users\Public\Music\Lunar_Builder.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2304

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\21130707-67bd-4fd2-91d2-b9f759127e7b\GunaUIDotNetRT.dll
      Filesize

      94KB

      MD5

      14ff402962ad21b78ae0b4c43cd1f194

      SHA1

      f8a510eb26666e875a5bdd1cadad40602763ad72

      SHA256

      fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

      SHA512

      daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

      Download Submit

    • C:\Users\Public\Music\Lunar_Builder.exe
      Filesize

      2.9MB

      MD5

      582cad9b0466e4bda41eee88c88bb20c

      SHA1

      5b8ef7c91ab36c69f124216ae00709b899357bc6

      SHA256

      e7b63f2dd73be14a7ca5c917eb9b17371bcf8899370701c64ff9b652e5d5634b

      SHA512

      f3d81ff8991c092e13a8e6206ca0cf01d2ba67b0d4689be3700d981da61b46b8c521620f9621459f001b457ca948c0c9203bf40bee13603c774282abf6a3b2e1

      Download Submit

    • C:\Users\Public\Music\Lunar_Builder.exe
      Filesize

      3.0MB

      MD5

      3c18a1015aeda6ce22992b5ef31ef02f

      SHA1

      660e9c0ce47170423f303886a62015c57ab974f1

      SHA256

      8aa11abd7418386a4fdaa105e635848e67573070d0b0bb1969381d8c52186280

      SHA512

      5a57dad7c5b8593099351f8556064aec3fd7cae0894d8bb413b0b05b3d1d47a034ca7d66b1a6d298a1239bd631d4cd14711a0da38e332fae8ef05adc065496f4

      Download Submit

    • C:\Users\Public\Music\Lunar_Builder.exe
      Filesize

      2.6MB

      MD5

      9b772e9016c3a6433b88b1fc97c5331b

      SHA1

      c9119eb42e99642b5c521b56a1d26f52efb5f3ea

      SHA256

      7119f46290dcef5bf34a072b042b148967ba24fd23b6f6f975aca547954e2a1c

      SHA512

      f4812a5cbc10efda11ba26bf548f7eea2565902c8b7e9d7e20bda162d43d3f6c100edac578ff01e60ff7c42772b5f11bb4fb3d992bc4bf6cad557a2120ba088f

      Download Submit

    • \Users\Admin\AppData\Local\Temp\16ec68cf-d28f-4048-90c5-4286b379e033\SiticoneDotNetRT.dll
      Filesize

      136KB

      MD5

      9af5eb006bb0bab7f226272d82c896c7

      SHA1

      c2a5bb42a5f08f4dc821be374b700652262308f0

      SHA256

      77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

      SHA512

      7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

      Download Submit

    • \Users\Public\Music\Lunar_Builder.exe
      Filesize

      3.5MB

      MD5

      d417f0e1859d948643699f8235322d0e

      SHA1

      d50664b73affdeb2f4ce35932a0129fab5d8add6

      SHA256

      2e56efd1a1418fa8ab9ea33b8cc8f8bba2d136a7739d99533fc0d7b28ac4162e

      SHA512

      2a0aeca29efb8ae22b79ae59c0195ac22cac80df0d3dc3a5f6afd24fd0369f676735ff32ef753a75d91b409e9d7a1afb19249d1ba367c690182ed2d867fcd046

      Download Submit

    • \Users\Public\Music\Lunar_Builder.exe
      Filesize

      2.7MB

      MD5

      65a6935bd154291a023c91d2aad360d5

      SHA1

      0bb907c1d2b04a318c74a44189e324d9b4b3b61b

      SHA256

      0ff2c895ed93f1f3dbbb27f735decbe472d3aff8eccd8e54a784b547d4953883

      SHA512

      136fabae7687a7e3ebff66c163d1b9e340c9d5b48ff98456f9ecf4b3a928e80b01b2b9e9535196eb5f043d5caaa45142d8d5d5bcd85b72915d2de7adeb49b417

      Download Submit

    • \Users\Public\Music\Lunar_Builder.exe
      Filesize

      2.3MB

      MD5

      5717fa2859f86750be447ca82202b719

      SHA1

      8b86cd9126ec3f90af450052ae79edfb34240231

      SHA256

      e1462e82f89a1e99c6fb63dd526afba943a686818c6b92a9e6f1fa1aa8eb4e12

      SHA512

      0905701284df086d5f882206e5fcdc2a99dcc2856039dd40bc7eef3c14a5a10b2222c040329f00fa9e3a654aab1f145b4a450b71b01587803cad68e88519f6c2

      Download Submit

    • \Users\Public\Music\Lunar_Builder.exe
      Filesize

      2.8MB

      MD5

      22dfcf9deb439f6f99f1ec60c45331cb

      SHA1

      ddc7ace44254c005ba363b13a71e977c7d175720

      SHA256

      69164ad11646372e8a8766a5444491866d023d2b7a1d68b882cba3bdcbb79a59

      SHA512

      20b2165549b2689c41017dc7743f8a361c1e6fee40e468bcfcaff25a63d6f651f088c8772dd309c25f7a8780b228f9c581c8e0b65c4e8b2fd8467d3d312ba879

      Download Submit

    • \Users\Public\Music\test.exe
      Filesize

      41KB

      MD5

      41a0ce6435946c973c6dc624cf8e331a

      SHA1

      587798a56c97b24a7ac09e41e471a5ba022faf0b

      SHA256

      68eaf913650c3c9af5b9feb6f3720bf77166701bd6cf8fc4d44f9c0fae15ca62

      SHA512

      2f44c7151dde13672f7a64ca8dfb030ca7081132385f646d990ca5cdfd4112cd6ebfc621eac93ddcb8df26a368c47d067c3f0b05a13e14f70a0cd2fdf60ea681

      Download Submit

    • memory/2304-78-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-86-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-35-0x0000000074740000-0x0000000074E2E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2304-36-0x0000000000430000-0x0000000000470000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2304-37-0x0000000000430000-0x0000000000470000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2304-38-0x0000000005ED0000-0x00000000062B2000-memory.dmp

      Filesize

      3.9MB

      Download

    • memory/2304-39-0x00000000063B0000-0x0000000006588000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-22822-0x0000000000430000-0x0000000000470000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2304-46-0x0000000074540000-0x00000000745C0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2304-47-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-48-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-50-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-52-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-54-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-56-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-58-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-60-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-62-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-64-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-66-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-68-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-72-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-74-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-70-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-33-0x0000000000C60000-0x0000000001C7A000-memory.dmp

      Filesize

      16.1MB

      Download

    • memory/2304-76-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-80-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-82-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-84-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-22821-0x0000000000430000-0x0000000000470000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2304-90-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-92-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-94-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-96-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-88-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-98-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-100-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-102-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-104-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-106-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-108-0x00000000063B0000-0x0000000006583000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-22820-0x0000000005820000-0x0000000005860000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2304-22115-0x0000000073BA0000-0x0000000073BD7000-memory.dmp

      Filesize

      220KB

      Download

    • memory/2304-2434-0x0000000074740000-0x0000000074E2E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2304-5528-0x0000000000430000-0x0000000000470000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2304-5527-0x0000000000430000-0x0000000000470000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2304-5526-0x0000000000430000-0x0000000000470000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2304-5525-0x0000000000430000-0x0000000000470000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2304-11790-0x0000000000430000-0x0000000000470000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2304-11789-0x0000000000430000-0x0000000000470000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2304-11791-0x0000000008110000-0x00000000082B8000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2304-20972-0x0000000000430000-0x0000000000470000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2304-11798-0x0000000073BA0000-0x0000000073BD7000-memory.dmp

      Filesize

      220KB

      Download

    • memory/2320-31-0x0000000000080000-0x0000000000090000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2320-1995-0x000000001B1E0000-0x000000001B260000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2320-1558-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2320-34-0x000000001B1E0000-0x000000001B260000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2320-32-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

      Filesize

      9.9MB

      Download