Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-08-2024 00:41

General

  • Target

    ItroublveTSC.exe

  • Size

    514KB

  • MD5

    d8264e0921403244b0c29079bb732368

  • SHA1

    d61b7c088ac4e118a6ac41fc4491961daa607773

  • SHA256

    66359689b1ca80fbab24796d04cc3a91e3eb804de56635adc9d46a925758ffe6

  • SHA512

    da4b6a9bee26db9bd788b19953f997620b06be3fa15f38da846c66cabc2f0cade80efc79e3e3b855a6435968a93984d26107836665db14a19eb9b44704899fed

  • SSDEEP

    6144:WahO6sQA+WdlH4piJAiCC+c3e6iiixLifXiiiJ0Ny4SildqqQG2ixiiijEMiViiC:Wi4J+WbEGDfaAPiu15IQuUeeSMzg

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/899842638260338719/2a5S9S1gHhBIZB1ISPfnaBVgbTdkzaMWdmP_oGgFx14jtlvloXQRGQaYOY1Djoem1pL8

Extracted

Family

nanocore

Version

1.2.2.0

C2

176.168.5.0:2605

Mutex

d01924fe-4e8d-4b6f-850c-443e5741751a

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    176.168.5.0

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-07-31T04:06:57.831335236Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2605

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    d01924fe-4e8d-4b6f-850c-443e5741751a

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    176.168.5.0

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe
    "C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:32
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ITROUB~2.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ITROUB~2.EXE
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4432,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
    1⤵
      PID:1556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ITROUB~2.EXE

      Filesize

      42KB

      MD5

      21fb013f93c6801759c9d395c216386e

      SHA1

      832caf188f3f1dfa8d3287ef50281df0e2747c04

      SHA256

      5161620f499b9090a58c8dd0df60aa08dc4da0909e71a555adb897d3431c7ade

      SHA512

      b7111203a134806646a8ba4f4ffd03dd972ae86660e6f3f142d8557a3907f1721896edc4ca9512d11659109a0ccab063f2d438b3e64abf474735c6fe5016cac7

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe

      Filesize

      202KB

      MD5

      6afe2574acea01baf839e828036e0201

      SHA1

      df43ddd5ae26554e00a3a8ae4dceb251e65d52dc

      SHA256

      0918b12b0d77703da052f21d4399e87a33dc2616ee9a6bf0a83f86f88e78781d

      SHA512

      3b17d5849e6782144077618996ffb34a3596c329083022d3dcb556b1a1cde2104b6be86cef7f92e26af9dac81471350129aaf26d88298985dc6d040a7060ed9f

    • memory/956-7-0x00007FFA2F053000-0x00007FFA2F055000-memory.dmp

      Filesize

      8KB

    • memory/956-8-0x0000000000A00000-0x0000000000A10000-memory.dmp

      Filesize

      64KB

    • memory/956-9-0x00007FFA2F050000-0x00007FFA2FB11000-memory.dmp

      Filesize

      10.8MB

    • memory/956-10-0x00007FFA2F053000-0x00007FFA2F055000-memory.dmp

      Filesize

      8KB

    • memory/956-11-0x00007FFA2F050000-0x00007FFA2FB11000-memory.dmp

      Filesize

      10.8MB

    • memory/956-15-0x00007FFA2F050000-0x00007FFA2FB11000-memory.dmp

      Filesize

      10.8MB

    • memory/2660-19-0x00000000752B2000-0x00000000752B3000-memory.dmp

      Filesize

      4KB

    • memory/2660-20-0x00000000752B0000-0x0000000075861000-memory.dmp

      Filesize

      5.7MB

    • memory/2660-22-0x00000000752B2000-0x00000000752B3000-memory.dmp

      Filesize

      4KB

    • memory/2660-23-0x00000000752B0000-0x0000000075861000-memory.dmp

      Filesize

      5.7MB