Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
31-08-2024 00:29
Static task
static1
Behavioral task
behavioral1
Sample
ItroublveTSC.exe
Resource
win10v2004-20240802-en
General
-
Target
ItroublveTSC.exe
-
Size
514KB
-
MD5
d8264e0921403244b0c29079bb732368
-
SHA1
d61b7c088ac4e118a6ac41fc4491961daa607773
-
SHA256
66359689b1ca80fbab24796d04cc3a91e3eb804de56635adc9d46a925758ffe6
-
SHA512
da4b6a9bee26db9bd788b19953f997620b06be3fa15f38da846c66cabc2f0cade80efc79e3e3b855a6435968a93984d26107836665db14a19eb9b44704899fed
-
SSDEEP
6144:WahO6sQA+WdlH4piJAiCC+c3e6iiixLifXiiiJ0Ny4SildqqQG2ixiiijEMiViiC:Wi4J+WbEGDfaAPiu15IQuUeeSMzg
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/899842638260338719/2a5S9S1gHhBIZB1ISPfnaBVgbTdkzaMWdmP_oGgFx14jtlvloXQRGQaYOY1Djoem1pL8
Extracted
nanocore
1.2.2.0
176.168.5.0:2605
d01924fe-4e8d-4b6f-850c-443e5741751a
-
activate_away_mode
true
-
backup_connection_host
176.168.5.0
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-07-31T04:06:57.831335236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
2605
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
d01924fe-4e8d-4b6f-850c-443e5741751a
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
176.168.5.0
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
ITROUB~2.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions ITROUB~2.EXE -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
ITROUB~2.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools ITROUB~2.EXE -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
ITROUB~2.EXEdescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ITROUB~2.EXE -
Executes dropped EXE 2 IoCs
Processes:
ITROUB~2.EXEsvchost.exepid Process 2528 ITROUB~2.EXE 3032 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ItroublveTSC.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ItroublveTSC.exe -
Processes:
svchost.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 ip4.seeip.org 35 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
ITROUB~2.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum ITROUB~2.EXE Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 ITROUB~2.EXE -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
svchost.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
ITROUB~2.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S ITROUB~2.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ITROUB~2.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ITROUB~2.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ITROUB~2.EXE -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
ITROUB~2.EXEdescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer ITROUB~2.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName ITROUB~2.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 ITROUB~2.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation ITROUB~2.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
svchost.exepid Process 3032 svchost.exe 3032 svchost.exe 3032 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
svchost.exepid Process 3032 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ITROUB~2.EXEsvchost.exedescription pid Process Token: SeDebugPrivilege 2528 ITROUB~2.EXE Token: SeDebugPrivilege 3032 svchost.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
ItroublveTSC.exedescription pid Process procid_target PID 400 wrote to memory of 2528 400 ItroublveTSC.exe 84 PID 400 wrote to memory of 2528 400 ItroublveTSC.exe 84 PID 400 wrote to memory of 3032 400 ItroublveTSC.exe 101 PID 400 wrote to memory of 3032 400 ItroublveTSC.exe 101 PID 400 wrote to memory of 3032 400 ItroublveTSC.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe"C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ITROUB~2.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ITROUB~2.EXE2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD521fb013f93c6801759c9d395c216386e
SHA1832caf188f3f1dfa8d3287ef50281df0e2747c04
SHA2565161620f499b9090a58c8dd0df60aa08dc4da0909e71a555adb897d3431c7ade
SHA512b7111203a134806646a8ba4f4ffd03dd972ae86660e6f3f142d8557a3907f1721896edc4ca9512d11659109a0ccab063f2d438b3e64abf474735c6fe5016cac7
-
Filesize
202KB
MD56afe2574acea01baf839e828036e0201
SHA1df43ddd5ae26554e00a3a8ae4dceb251e65d52dc
SHA2560918b12b0d77703da052f21d4399e87a33dc2616ee9a6bf0a83f86f88e78781d
SHA5123b17d5849e6782144077618996ffb34a3596c329083022d3dcb556b1a1cde2104b6be86cef7f92e26af9dac81471350129aaf26d88298985dc6d040a7060ed9f