Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Mercurial.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    22/06/2024, 07:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mercurial.exe

  • Size

    3.2MB

  • MD5

    a9477b3e21018b96fc5d2264d4016e65

  • SHA1

    493fa8da8bf89ea773aeb282215f78219a5401b7

  • SHA256

    890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

  • SHA512

    66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

  • SSDEEP

    98304:5kjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:lzJpjS346t1bIfuq07

Score
10/10
mercurialgrabberagilenetevasionstealer

Malware Config

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Obfuscated with Agile.Net obfuscator 11 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
    "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2zjn4oya\2zjn4oya.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2527.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC26C87854AC3C42A5B159416C1EADC289.TMP"
        3⤵
          PID:1660
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4392
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:916
      • C:\Users\Admin\AppData\Local\Temp\output.exe
        "C:\Users\Admin\AppData\Local\Temp\output.exe"
        1⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Enumerates system info in registry
        PID:372
      • C:\Users\Admin\AppData\Local\Temp\output.exe
        "C:\Users\Admin\AppData\Local\Temp\output.exe"
        1⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Checks SCSI registry key(s)
        • Enumerates system info in registry
        PID:4880

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\output.exe.log
        Filesize

        42B

        MD5

        84cfdb4b995b1dbf543b26b86c863adc

        SHA1

        d2f47764908bf30036cf8248b9ff5541e2711fa2

        SHA256

        d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

        SHA512

        485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES2527.tmp
        Filesize

        1KB

        MD5

        4f01af59a47b73c5d83e0d48e6879b72

        SHA1

        df90148a17f04b84fee67542286f521997ba8562

        SHA256

        bc5f71656ca3facedcbc427890e717c124838e581c8f416ecc87dccec8a61490

        SHA512

        aec056de0de9023ff75be6f7d3fca9544e2ef91807691810ffcb9d9e95fe32f6e1bf4565161f2505427a047ea4c53770863132f6bb43825533740ed56874beef

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\output.exe
        Filesize

        41KB

        MD5

        1ae3d619476698e29becb89a9c30f345

        SHA1

        bcf64cf88a36718bba794f89584b0129ab864b46

        SHA256

        6a3007725ddfea52d6d052fa736ea435a6e320567c51cf3eb655c04be397317d

        SHA512

        c93d6d723d5199860ac2ce2a37d47c84feea452757c584f46bc522e18dcdbb9d26aed6fa6720608c9fc8cefac8ef522ffb576a6ea8d1d8f0e21be3d23f732f22

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\2zjn4oya\2zjn4oya.0.cs
        Filesize

        11KB

        MD5

        4c4caed8341fcfc1863ce89e240835af

        SHA1

        a7b90ca5da31f68ec9b9b2ab525f721f8f1e4f0a

        SHA256

        ac065ef41c0a2163c9ef56f83ded6d715122613d2318a8ad12c95ef7398da8d9

        SHA512

        5a49f71337bdff78a706f74885eb0820ddbd00d7248c5c665d9155732deb009d4fd881647a3901a83cab55e51571781be5c9834771c1976db5f639f1a35dacd3

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\2zjn4oya\2zjn4oya.1.cs
        Filesize

        5KB

        MD5

        8aab1997664a604aca551b20202bfd14

        SHA1

        279cf8f218069cbf4351518ad6df9a783ca34bc5

        SHA256

        029f57fa483bbcee0dd5464e0d4d89bd03032161424d0ffd1da2b3d5db15977f

        SHA512

        cf0efea853d7e1997dcfcc9a73668ed9a5ac01cf22cbb7082a05abc141fccc7c92a936b245666071df75389cd7ebe60dc99b3c21279173fe12888a99034a5eda

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\2zjn4oya\2zjn4oya.2.cs
        Filesize

        7KB

        MD5

        6fdae9afc1f8e77e882f1ba6b5859a4e

        SHA1

        33eb96f75ffe9a1c4f94388e7465b997320265a5

        SHA256

        a365264dd2d3388acc38b2f5c8f3c267bbf83ca463f70fbf6c8459123a7cc33d

        SHA512

        97bb77e8c9c7a1a46fa416a917787ddced3439f72ea35558f22fa2450fbbd11928f3442baec0b33b14576683baa6c1c6b3e1376bd7742da358c808bf07db28e9

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\2zjn4oya\2zjn4oya.3.cs
        Filesize

        8KB

        MD5

        6ba707982ee7e5f0ae55ce3fa5ccad17

        SHA1

        d094c98491058ed49861ce82701abe1f38385f18

        SHA256

        19af9bea270f830354af8250cd82db32fdcab6327d139e2720713fb7d43a5797

        SHA512

        d9cf480c32bfb806c72a2dc6fe211c4806388ccf548d55b059e633e8f814d46c80ef73eacfb02398fd3b1e75b7c44b8a1ba0b29476edbf9fe1b29322798d3cfa

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\2zjn4oya\2zjn4oya.4.cs
        Filesize

        2KB

        MD5

        fae5458a5b3cee952e25d44d6eb9db85

        SHA1

        060d40137e9cce9f40adbb3b3763d1f020601e42

        SHA256

        240478bb9c522341906a0ef376e0188ce6106856a26a3ae0f7b58af07a377a06

        SHA512

        25f406f747518aef3a1c5c3d66e8bd474429b05ef994303c5f7bc5d3669d691d9dc21ea8f8a35e20b84f8c406bf89835f2f5007a8f743df755e67b4c380fa236

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\2zjn4oya\2zjn4oya.5.cs
        Filesize

        4KB

        MD5

        42f157ad8e79e06a142791d6e98e0365

        SHA1

        a05e8946e04907af3f631a7de1537d7c1bb34443

        SHA256

        e30402cd45589982489719678adf59b016674faa6f7a9af074601e978cc9a0ed

        SHA512

        e214e1cd49e677e1ed632e86e4d1680b0d04a7a0086a273422c14c28485dc549cc5b4bde13e45336f0c4b842751dfd6ef702df3524bc6570c477a4f713db09dc

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\2zjn4oya\2zjn4oya.6.cs
        Filesize

        6KB

        MD5

        8ec0f0e49ffe092345673ab4d9f45641

        SHA1

        401bd9e2894e9098504f7cc8f8d52f86c3ebe495

        SHA256

        93b9f783b5faed3ecfafbe20dfcf1bee3ce33f66909879cd39ae88c36acbdfac

        SHA512

        60363b36587a3ace9ae1dbc21ffd39f903e5f51945eebdcf0316904eee316c9d711d7a014b28977d54eef25dec13f659aab06325f761d9f3ce9baca3cb12f248

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\2zjn4oya\2zjn4oya.7.cs
        Filesize

        16KB

        MD5

        05206d577ce19c1ef8d9341b93cd5520

        SHA1

        1ee5c862592045912eb45f9d94376f47b5410d3d

        SHA256

        e2bbdc7ba4236f9c4cb829d63137fdac3a308fd5da96acea35212beafe01b877

        SHA512

        4648fa7ea0a35a148e9dac1f659601ebf48910ca699ed9ef8d46614c7cbe14fcf47fa30dc87af53b987934a2a56cd71fd0e58182ef36a97ed47bd84637b54855

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\2zjn4oya\2zjn4oya.8.cs
        Filesize

        561B

        MD5

        7ae06a071e39d392c21f8395ef5a9261

        SHA1

        007e618097c9a099c9f5c3129e5bbf1fc7deb930

        SHA256

        00e152629bdbf25a866f98e6fc30626d2514527beef1b76ebb85b1f5f9c83718

        SHA512

        5203c937597e51b97273040fe441392e0df7841f680fcca0d761ac6d47b72d02c8918614f030fbf23d8a58cb5625b702546e4c6f93e130cc5d3b41c154c42655

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\2zjn4oya\2zjn4oya.9.cs
        Filesize

        10KB

        MD5

        380d15f61b0e775054eefdce7279510d

        SHA1

        47285dc55dafd082edd1851eea8edc2f7a1d0157

        SHA256

        bef491a61351ad58cda96b73dba70027fdbe4966917e33145ba5cfa8c83bc717

        SHA512

        d4cbaad29d742d55926fea6b3fa1cf754c3e71736e763d9271dc983e08fce5251fa849d4ecdc1187c29f92e27adab22b8f99791e46302b5d9c2e90b832c28c28

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\2zjn4oya\2zjn4oya.cmdline
        Filesize

        833B

        MD5

        e87b1b3e0b2eb448c08f07848f06d80a

        SHA1

        b5aac8728897231e8f76391be9f35fe3dd09518e

        SHA256

        636223f6cd878dafa7f78d3fdc83a0917592434c3985e9a843a139e0898660e0

        SHA512

        0d80b181e7c999adcbf62f262565d8df6c9ac5446080578fa4fb378004308551fe45e93e419a14df18b8f0334d2f570dd73622b62fd5701ab9bdb897da28b627

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC26C87854AC3C42A5B159416C1EADC289.TMP
        Filesize

        1KB

        MD5

        2c8070f084ff635f9e016b831cd6ef16

        SHA1

        84d8287a21eaf176ebd7b3efe8571b3862de873a

        SHA256

        535d007133ddae112030480aac0b6954d4aac98bcd69b0ef192a010770564a4f

        SHA512

        f7dd550984e579912cf8fa688c53985308862954688b44482c83c05d61274519812a5ea9b6ddcfcd8972d117c8e3edfa6da0e23f3c8ea17ef0bdab80bf0d4c1f

        Download Submit

      • memory/372-67-0x0000000000470000-0x0000000000480000-memory.dmp

        Filesize

        64KB

        Download

      • memory/524-10-0x0000000005090000-0x00000000050A4000-memory.dmp

        Filesize

        80KB

        Download

      • memory/524-15-0x0000000005170000-0x000000000517E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/524-18-0x0000000005450000-0x0000000005480000-memory.dmp

        Filesize

        192KB

        Download

      • memory/524-19-0x00000000087A0000-0x00000000087A8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/524-20-0x0000000073430000-0x0000000073B1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/524-21-0x0000000073430000-0x0000000073B1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/524-22-0x0000000073430000-0x0000000073B1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/524-23-0x0000000073430000-0x0000000073B1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/524-24-0x000000007343E000-0x000000007343F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/524-25-0x0000000073430000-0x0000000073B1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/524-26-0x0000000073430000-0x0000000073B1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/524-27-0x0000000073430000-0x0000000073B1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/524-28-0x0000000073430000-0x0000000073B1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/524-29-0x0000000073430000-0x0000000073B1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/524-16-0x0000000005990000-0x0000000005ADA000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/524-17-0x0000000005AE0000-0x0000000005BF6000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/524-14-0x0000000005160000-0x000000000516E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/524-12-0x0000000005120000-0x000000000513E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/524-13-0x0000000005190000-0x00000000051C6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/524-0-0x000000007343E000-0x000000007343F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/524-11-0x00000000050A0000-0x000000000510E000-memory.dmp

        Filesize

        440KB

        Download

      • memory/524-9-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/524-8-0x0000000005050000-0x0000000005070000-memory.dmp

        Filesize

        128KB

        Download

      • memory/524-7-0x0000000004EB0000-0x0000000004ED0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/524-5-0x0000000073430000-0x0000000073B1E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/524-6-0x00000000029A0000-0x00000000029BC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/524-4-0x0000000002990000-0x000000000299A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/524-3-0x0000000004EE0000-0x0000000004F72000-memory.dmp

        Filesize

        584KB

        Download

      • memory/524-2-0x0000000005490000-0x000000000598E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/524-1-0x0000000000260000-0x000000000059A000-memory.dmp

        Filesize

        3.2MB

        Download