Overview

overview

10

Static

static

3

2024-06-11...uk.exe

windows7-x64

10

2024-06-11...uk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe

  • Size

    17.5MB

  • MD5

    2d2da9e3a1b925524f8f3beded725a51

  • SHA1

    3a854d9eadb761f41fc97cac483a07b2c223fcf2

  • SHA256

    baf1e179e63392ebdd6e59a1765d9ffe307ca28e22681f855bf2f71a0280d538

  • SHA512

    c1ed6de456dafbda4a38071e6021b3387ac69d56eb7e70209ca8085f28a1270161b8d82990731e21538ab03e5d7f95ec79b83839cbbc3e181f25ed8e03a76107

  • SSDEEP

    393216:lqTHLS9CQ+rxdiJjxpQnwZch9BbKy/H3EbN/nww71ekGVhU9nC:87O2rxdi3pQnwZ+/gR/nwwUVh7

Score
10/10
mercurialgrabberevasionspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/927257108951486515/GbBnf4EBb2a3JwBZqh5mpUFw3MuJDHB8lxKcjmyg9c1-L8tXje_7OreKQrCr9Qsh7ruT

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Detects Windows executables referencing non-Windows User-Agents 2 IoCs
  • Detects executables Discord URL observed in first stage droppers 2 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\DiscordNuker.exe
      "C:\DiscordNuker.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1740
    • C:\Update.exe
      "C:\Update.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4580
        • C:\Windows\system32\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1020
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
    1⤵
      PID:3836

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\DiscordNuker.exe
      Filesize

      46KB

      MD5

      8b23371692c0bab493e54d637df160fd

      SHA1

      957685d2dc2fac7edfaaf19d7d97ac6f729602e0

      SHA256

      078054366b44f2e630cadb617a66783f7723dec85b1585840ae3c76bedd7fd6b

      SHA512

      498580a856ae980a792a7e84ab1abc282e0a300e586e3fe0f588d99398ffb61dc67e6910def40121c862438fba797565b57c5773bfc3282e8ce6ccb39036a5dd

      Download Submit

    • memory/1740-23-0x00000000009F0000-0x0000000000A00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1740-24-0x00007FF939363000-0x00007FF939365000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1740-25-0x00007FF939360000-0x00007FF939E21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1740-31-0x00007FF939360000-0x00007FF939E21000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1740-35-0x00007FF939360000-0x00007FF939E21000-memory.dmp

      Filesize

      10.8MB

      Download