Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    10s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/08/2024, 15:27 UTC

General

  • Target

    GFX locator by 89_39.exe

  • Size

    41KB

  • MD5

    50448b99a6ab09d371ba1bb9f348bbb2

  • SHA1

    cdfa4b634d498af21946404397b9166c395d273e

  • SHA256

    44398ef8657a9fbb73eb1bfe7b3657241d0497318dcafabdd86669ee5dc32dc6

  • SHA512

    4fe0e40ba1396d8e238d5fef255fab22d88a1aaab005ca71cceaa55bfb2f061ea1997e2c0f3e82be3ca3a4bd65fae26edcd9dc4914d72f6d7aed4bcda2a12bd2

  • SSDEEP

    768:oscaIyIbubDIA3ruQw3uZleuWTj6KZKfgm3EhR/:vc1Zub3ueeuWTOF7Ez/

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1275113676453580880/9MyUKYUCniUZuZMT3Ww37_BxIGyZdN9irR0Ljml5MW18Tz7TxMIpOI_aDCPDu_qayZOt

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 1 IoC)

    BIOS information is often read in order to detect sandboxing environments.

  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) (3 TTPs, 1 IoC)

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\GFX locator by 89_39.exe
    "C:\Users\Admin\AppData\Local\Temp\GFX locator by 89_39.exe"
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:2604

Network

  • DNS (US): ip4.seeip.org, by GFX locator by 89_39.exe
    Remote address: 8.8.8.8:53
    Request: ip4.seeip.org IN A
    Response: ip4.seeip.org IN A 23.128.64.141
  • 23.128.64.141:443
    ip4.seeip.org
    GFX locator by 89_39.exe
    152 B
    3
  • 8.8.8.8:53
    ip4.seeip.org
    dns
    GFX locator by 89_39.exe
    59 B
    75 B
    1
    1

    DNS Request

    ip4.seeip.org

    DNS Response

    23.128.64.141

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2604-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

    Filesize

    4KB

  • memory/2604-1-0x0000000000230000-0x0000000000240000-memory.dmp

    Filesize

    64KB

  • memory/2604-2-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

    Filesize

    9.9MB

  • memory/2604-3-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

    Filesize

    4KB

  • memory/2604-4-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

    Filesize

    9.9MB
