Analysis
max time kernel: 58s
max time network: 60s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 08:59
Behavioral task: behavioral1
Sample: Ij2Q9Xhw4Y.exe
Resource: win10v2004-20240426-en
Errors
General
Target: Ij2Q9Xhw4Y.exe
Size: 42KB
MD5: ea47fefbd157685f965b0b525e45cfc3
SHA1: 4b9dc380793fb735d2ab60612f92746835b47351
SHA256: e5b94992dc8f2666ecf4510e2507bda305edb9e83c75b963eae8533bfcb30cfa
SHA512: f2edad570d5837ab31bd8d5368057acf1fb2764dba95d01d6654a4ad458a56e084d1d99d26a2b6a5fba95e3056ad755b8cd2dfef36f25ac179f3882e83b323c0
SSDEEP: 768:Nj65E9E//4MyuZuLanTjuKZKfgm3Eh/Sb:OEIDKLanTaF7EFi
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1246387239450312725/BkqGXbQYgbYWLGksNphV51YVctifU8VPooAOotPM5xnV11lm6P01faflv-0cvwItfQm0
Signatures
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | Ij2Q9Xhw4Y.exe |

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | Ij2Q9Xhw4Y.exe |

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Ij2Q9Xhw4Y.exe |

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
| flow | ioc |
|---|---|
| 10 | discord.com |
| 11 | discord.com |
| 17 | discord.com |

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
| flow | ioc |
|---|---|
| 8 | ip-api.com |
| 3 | ip4.seeip.org |
| 5 | ip4.seeip.org |

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Ij2Q9Xhw4Y.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Ij2Q9Xhw4Y.exe |

Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | Ij2Q9Xhw4Y.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe |

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Ij2Q9Xhw4Y.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Ij2Q9Xhw4Y.exe |

Enumerates system info in registry 2 TTPs 4 IoCs
| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | Ij2Q9Xhw4Y.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | Ij2Q9Xhw4Y.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | Ij2Q9Xhw4Y.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | Ij2Q9Xhw4Y.exe |

Modifies data under HKEY_USERS 15 IoCs
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "12" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe |

Modifies registry class 1 IoCs
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | taskmgr.exe |

Suspicious behavior: EnumeratesProcesses 47 IoCs
| pid | Process |
|---|---|
| 2824 | taskmgr.exe |

(all 47 entries are the same pid/process pair)

Suspicious use of AdjustPrivilegeToken 11 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 4504 | Ij2Q9Xhw4Y.exe |
| Token: SeDebugPrivilege | 2824 | taskmgr.exe |
| Token: SeSystemProfilePrivilege | 2824 | taskmgr.exe |
| Token: SeCreateGlobalPrivilege | 2824 | taskmgr.exe |
| Token: SeBackupPrivilege | 4036 | svchost.exe |
| Token: SeRestorePrivilege | 4036 | svchost.exe |
| Token: SeSecurityPrivilege | 4036 | svchost.exe |
| Token: SeTakeOwnershipPrivilege | 4036 | svchost.exe |
| Token: 35 | 4036 | svchost.exe |
| Token: 33 | 2824 | taskmgr.exe |
| Token: SeIncBasePriorityPrivilege | 2824 | taskmgr.exe |

Suspicious use of FindShellTrayWindow 64 IoCs
| pid | Process |
|---|---|
| 2824 | taskmgr.exe |

(all 64 entries are the same pid/process pair)

Suspicious use of SendNotifyMessage 64 IoCs
| pid | Process |
|---|---|
| 2824 | taskmgr.exe |

(all 64 entries are the same pid/process pair)

Suspicious use of SetWindowsHookEx 1 IoCs
| pid | Process |
|---|---|
| 3128 | LogonUI.exe |

Processes
- C:\Users\Admin\AppData\Local\Temp\Ij2Q9Xhw4Y.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ij2Q9Xhw4Y.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 4504
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2824
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2304
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k SDRSVC
  - Suspicious use of AdjustPrivilegeToken
  PID: 4036
- C:\Windows\System32\pb7nq5.exe
  Command line: "C:\Windows\System32\pb7nq5.exe"
  PID: 4572
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3971055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 3128