Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
27/04/2024, 22:58
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/RobloxGrabber/MercurialGrabber
Resource
win10-20240404-en
windows10-1703-x64
17 signatures
150 seconds
Behavioral task
behavioral2
Sample
https://github.com/RobloxGrabber/MercurialGrabber
Resource
win7-20240215-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral3
Sample
https://github.com/RobloxGrabber/MercurialGrabber
Resource
win10v2004-20240426-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
https://github.com/RobloxGrabber/MercurialGrabber
Score
1/10
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587323854753993" chrome.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3372 chrome.exe 3372 chrome.exe 3628 chrome.exe 3628 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process 3372 chrome.exe 3372 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe Token: SeShutdownPrivilege 3372 chrome.exe Token: SeCreatePagefilePrivilege 3372 chrome.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe 3372 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3372 wrote to memory of 3140 3372 chrome.exe 82 PID 3372 wrote to memory of 3140 3372 chrome.exe 82 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 4996 3372 chrome.exe 86 PID 3372 wrote to memory of 2684 3372 chrome.exe 87 PID 3372 wrote to memory of 2684 3372 chrome.exe 87 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88 PID 3372 wrote to memory of 3136 3372 chrome.exe 88
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/RobloxGrabber/MercurialGrabber1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe8756ab58,0x7ffe8756ab68,0x7ffe8756ab782⤵PID:3140
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1900,i,13160110163143322557,7390100469192833208,131072 /prefetch:22⤵PID:4996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1900,i,13160110163143322557,7390100469192833208,131072 /prefetch:82⤵PID:2684
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1900,i,13160110163143322557,7390100469192833208,131072 /prefetch:82⤵PID:3136
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1900,i,13160110163143322557,7390100469192833208,131072 /prefetch:12⤵PID:3680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1900,i,13160110163143322557,7390100469192833208,131072 /prefetch:12⤵PID:5048
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 --field-trial-handle=1900,i,13160110163143322557,7390100469192833208,131072 /prefetch:82⤵PID:4556
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1900,i,13160110163143322557,7390100469192833208,131072 /prefetch:82⤵PID:3052
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1900,i,13160110163143322557,7390100469192833208,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3628
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:2392
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57e2b2def9597fcd50d0a6c60dfcb1b6c
SHA1de4b8dbe203cd312b55c29dc95319684d790cf05
SHA2569cdeb1939da7fab56bba1b1316bb643c8ec149f772ae81140dbcff307c7a2a15
SHA512b394f7ef0523ac438d2a05e51fecc443ce95792f5d34dbcfdf4db4996df741210df295068f1bc64fcf082805da772e24ae4065d16e5a21fe750536daa9b40dc7
-
Filesize
2KB
MD599e4e9924b8e41fc020432f00d627c11
SHA17c1c030b5c1536d3577e7d807c269ec1045d71f3
SHA2560afdc497631720e894c39cb0784edc16b731e22c19b0b913fdee6e48987aedc5
SHA5129c5e5a71a478686a7428eba3bdd595a692d7d49b53c29a7bb28d6c9283d627cc4bbb679b8d510cbdb51a73073fd5c8ed6095d7443ac869d534b0a6b9a14ab197
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD576584b1f378714611ee8c84d54c88e9e
SHA1ee423ee6867cb48ccc487424baa3c80171774ad7
SHA256c4980b1e9102db94353c5666d8100722e389a6bafdcbc47cd135dd2b11fdbe2c
SHA512428290f512b7e2698f12e17e7743c107a980d10b12e2b46eae5191c235e35793e3f6ce2b278739a92c2da02509b6340b903d88801f4e14425096af10103b7a03
-
Filesize
7KB
MD5aa6ded46fcf5ec9f65047d4acef09cce
SHA13916cf2ddf698769318f38a82f9214a356998969
SHA256dcc18bb4c3dd03e77556f6220edde49140f1a543c3ad50cb86bf0188b9368988
SHA51277ed795144df63419d87ada948ba5876766d6b5ed723360e0edbd5834ccace312ea540e842c8024a624495d3769e6ff4b6d10598ae2cb1549773b72f5b1aaef5
-
Filesize
130KB
MD553d1b5b097daf13fcd3cde119f8ab81b
SHA1bba65ce3cf9540c9dcb2b1994b31bb6c37199467
SHA2563a97effb854d25b6de6221eb0c2838147de75bd6d7fb4188e8f7adb57325f447
SHA512d8a60383fdc740f82de697eee1c2bf91012d106f1edda725aad5cea047440679c297788b0c516fdb1ea322f8f02bbbff1409ea64f0324148cb7fc01044b7d7ca