b1901d597bcd062f8314c9983ebe8d973e923a0970967f845e58f37280857874 | Triage

Submit
Reports

Overview

overview

8

Static

static

3

Mercurial-...er.exe

windows11-21h2-x64

8

Resubmissions

07-08-2024 22:37

240807-2jy4jsygqg 8

Sharing

General

Target

Mercurial-Grabber-installer.zip
Size

6.0MB
Sample

240807-2jy4jsygqg
MD5

3084afc836b4de672a8d1342af767146
SHA1

155b28d5b365fa888f5bcda20382752a6d1220d7
SHA256

b1901d597bcd062f8314c9983ebe8d973e923a0970967f845e58f37280857874
SHA512

1bffe48d6cfba93751d76d8bf1a762658929551f69f9a7d767bac8ef472a83d088f45d9163a9af15e4b9e30c01d20b5cb8883cbadda44971d2ec617b09d4da09
SSDEEP

98304:bXgYtvkKyhWqxuI7nzgvUN6SgToyy/eZMaoEp6b6+gRv4Z9D0bj+aRExYrlkhoI5:LWhWqxvzgvhgyvZtuzgpIwbj+Xxk1Rmt

Score

8^/10

agilenet defense_evasion discovery evasion execution persistence

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Mercurial-Grabber-installer.exe

Resource

win11-20240802-en

agilenet defense_evasion discovery evasion execution persistence

windows11-21h2-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  Mercurial-Grabber-installer.exe
- Size
  
  6.1MB
- MD5
  
  9b17390bdb82604feaadd518f0443481
- SHA1
  
  ff4b3f4c183ee785417ab5ae152c4790202561d9
- SHA256
  
  c1d39052767f29065a5cccd0b9e30dc3bec392fcb08771433be65da55b365d69
- SHA512
  
  7259a51d4dc220074673c451050f59aa2e17df6ea920bf72f840ef046b42fd6c71ce5552598d78c9fd93766ee2528207752677e3acf62b05b5d9730382abaace
- SSDEEP
  
  98304:51U0tZ0YSL6M7CEzZ5W3CJ6YWhoq+VUnuuMkHOVgwSt5CJVtSnXmM7gj49B+DoId:vsL6M7rnW3vKqNn1KFSH6knXmBjcZPW
Score

8^/10

agilenet defense_evasion discovery evasion execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Indicator Removal

Clear Windows Event Logs

Obfuscated Files or Information

Command Obfuscation

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

agilenetdefense_evasiondiscoveryevasionexecutionpersistence

© 2018-2025

Terms | Privacy