Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
31-08-2024 00:13
Behavioral task
behavioral1
Sample
mercurialll.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
mercurialll.exe
Resource
win10v2004-20240802-en
General
-
Target
mercurialll.exe
-
Size
42KB
-
MD5
c5b0524db04000a869b5d72c8d853055
-
SHA1
e49365c097c38c0c76ab45b7fcc9816c562d93ea
-
SHA256
42b41379ffd81e77b83fdd6fbef9b3867206e6a2a1b81bb5543fddcf4b60d1c3
-
SHA512
296ba85d8da2bf72da3394004278e738024118de78c0b9177cf45987d6d4348900d4405f7e6829b434be78d0e19d0128fe55fde7a0352e3f459090857f557186
-
SSDEEP
768:TUOmPE4lMmkpb9mpKuZPL9HqTjUKZKfgm3EhPB:7AibIpbL9HqTgF7EVB
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1279217204323156153/PfnFxjSTBGvOFUR_eBCUTW-98gwm5YlZ7kySbZHvpfCiTR6h5wK9dsiLKp3e86ugBnX0
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
mercurialll.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions mercurialll.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
mercurialll.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools mercurialll.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
mercurialll.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion mercurialll.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip4.seeip.org 6 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
mercurialll.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum mercurialll.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 mercurialll.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
mercurialll.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S mercurialll.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
mercurialll.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 mercurialll.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mercurialll.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
mercurialll.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation mercurialll.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer mercurialll.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName mercurialll.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 mercurialll.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
mercurialll.exedescription pid process Token: SeDebugPrivilege 2548 mercurialll.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
mercurialll.exedescription pid process target process PID 2548 wrote to memory of 2764 2548 mercurialll.exe WerFault.exe PID 2548 wrote to memory of 2764 2548 mercurialll.exe WerFault.exe PID 2548 wrote to memory of 2764 2548 mercurialll.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\mercurialll.exe"C:\Users\Admin\AppData\Local\Temp\mercurialll.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2548 -s 14002⤵PID:2764
-