Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
-
submitted
13-07-2024 00:52
General
-
Target
https://gofile.io/d/jCICOk
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1261457837645758516/cbFMY0vyoej9Fy1h9oLW6SKJKZGKJxVDKXx0A2CgiyfMXacUiQZNZ6_SbFXvwFMeEGKF
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Checks SCSI registry key(s) 3 TTPs 2 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 11 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 43 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/jCICOk1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff536a9758,0x7fff536a9768,0x7fff536a97782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1768 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2920 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2928 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2928 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5416 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5448 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5128 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5356 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Account Checker 2.0.exe"C:\Users\Admin\Downloads\Account Checker 2.0.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5652 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4756 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5468 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5752 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4412 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Account Checker 2.0 (1).exe"C:\Users\Admin\Downloads\Account Checker 2.0 (1).exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 --field-trial-handle=1864,i,11028281555568879067,18286196507294014043,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
288B
MD5da7846231399ae4c3247ee76919e61b7
SHA1617aea97a40bd33e8ea2af296ddb8a84700dc3d5
SHA256c3b0a563dfc342e39d7d521a7528a6e30b94ba84a2a4f43bad7a9c2c23bcffda
SHA512f58deff17d89e4aa5dd3c6869b5bc17de84786a11e76a76e9620ec9e6c483ba91fedfd644c7dae9bce04df0959af09a45104c4d3f3274d123ecc245c2d0fb49d
-
Filesize
815B
MD5d5cb72ab8e8128eba9bdc72391047cd8
SHA15231c831ae5a2871b4dd3f3a322339f665e89c38
SHA25606b2f57554a845a7aff852c5ea037a5c1d6c89ed0a8085871dd1d05dfa07e77d
SHA5126127df611578e59f8f4c9d4909d1a3423c592d5cf4189cfee03a13bb2a21287a4fdf345cd2f7800b51f5516ea0905941b6a708e1ebbad14560abab24f4046519
-
Filesize
873B
MD5b2a07e7f137ea6dbad08adfe8f9fc982
SHA1b7891221396bfd23c86329070009c2d7150ab55e
SHA256c01dc8fdfd3318a9b8809427e5afceb28ada6f400d64f3817c747ff0bff0e304
SHA51209981310e1774b3a422a04c16ad46ae61785afbd4dece511866beb8a6c17a92ae080036314ff876bd61c50dbdb0b827533644642aab094a74ab8de73c226948a
-
Filesize
538B
MD5f4de5637b9baa65b1e21fcb90b3713ae
SHA17ee3c8af8d3c34503528c3f26ad4761ea3a0efb6
SHA256b60d60011a5f17c803e8a3be10aedfe2a29cee1534f6d00cd9f0857dc0ae2bd2
SHA51237359d7c9e805e20d09f4c8405228edc71f7a150562b20a2b6be5d75d3bd7cd2c427777fc6c4f77a12ccbdb4dfd0c09617c7a46187a56726fbfab13882ce5159
-
Filesize
6KB
MD53eb1b334a6a126251a9ad87668b55cec
SHA1a20b9c42fcc0eb8855a1b311d0e6da2971a9515e
SHA2560f87e3aea322cb556622f7f8641634d8bb7e1aded37ee9f2f4adfee96f708a6d
SHA512fa2df479ee2b04d065ec39b2822a42fd57bb666d51359ddb1c1f08d1427b0190ab90b863eccef6a18f3ce5abbd8c8bda17990d7631e59884ea00b682e5b11667
-
Filesize
5KB
MD5b340c746603b279da92f6d7b6f934a9e
SHA12b1223a91b81aba4b6147f776795c0e2f9e658c1
SHA25605ab374168ac843ba342d81d34a46f4b3376f4944c4fb290cf8b281f0480f7f0
SHA512f1e732078b49da3bf91440c1d1b5b0867d6e72917935ade18250e451d0d069d6934048b9be6b321586655bbc80de4d6fffb74f1339a2b8dce78a4057791042cd
-
Filesize
5KB
MD597e603db803af2d8048c3377c65c8d98
SHA1e021a167a3c6ecd03118a20c3233c181d7cb70e8
SHA2564c6b29ad515e1d197a87b50db5d0a5e91458b79c15af9d512ee991416887e6e1
SHA5123a6e6c9ba6638be428dd905ceace20b8280775a3dce601501717f39cd3a96f5863f1150c003bab90a5027eb5b11e0becb33b759c85a5148254e8fb1926981345
-
Filesize
150KB
MD56ee7eae91b742fcf28c0821639be96a5
SHA14f2ffe802eabc3eb95bcc9c6152513e3168d0de7
SHA256e5f11178894e96b818fa8430febdeeab23371ea5fb309acb9e875b8c862c4acb
SHA512214b83018cbd01abd354b2fb7c437c03345cab902cdde6984c22a94b546c0485decbe24f81db0916533497994fe1f3de6b870b64e8e18f8b6aefb3f9a38698df
-
Filesize
184KB
MD5caa43fcc4bbd3848137466549fe3f666
SHA15147cb3eb9299d7624fe9f87b003a7a94d16704e
SHA2560fac0c2fa45227b5fb336f409e8135cee353281e1cc06c4eeccad22cab9a2588
SHA5128fa9fdace352cc095f88c9c12aeeda2c667e8d74545ca45d60d5bda173c6779dd675097a877eeafcafc8a128c70d65f59f0b97241002c134c7ad12682f1a0455
-
Filesize
150KB
MD59d605d35018a10ce2e6e1a55b8d3bd90
SHA11f8060f2acbaba5841487bcbc7ad7fe87bd96eae
SHA2563b1c981efc45ad3d12b0ca6c35b26fde786fa3d3e8236cd76dfe4a7cc707d1df
SHA51200b95ebb4bdfe153cebd50b4355facc198da47679a711cf44f44ba06a40f6777de88d4abc6a032a2d2449acf5414589814862ebe44b45deefa11f4eea0a03d59
-
Filesize
150KB
MD5e09842b1d039a70e71add6ab8c5e0956
SHA18e99aed62a0747f9e511094ebffad00a76625d85
SHA2561b0198a4cabe67a3fbb18ab58206e80743c049566010030ce2bc33a03fe89932
SHA5121144705b414349d0a6a197767ad7cb8af686d4f61d03dda801e0a0b228af8fc4d95113dd8369c9bbb734b12457f77fa8a65d7c4492b06548636965c20d200d5c
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
42KB
MD53dc096ec22653f256fd8616f051f9abf
SHA1f4cf83d49ee03979bda01715022042f85f2395a6
SHA2560312be764894589d593357b31e0e13ce8298a25073dce356412a5f8672caee43
SHA5125e6ad60a02b2900501a5c6f19931fd4c0a4a436d6ca3eb3da4ec45a30291e83f3d95ec2c2eda6be7dda19faac54e973485df40ae6e699c3540b4a54cb45af2f9
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
4KB