Analysis
-
max time kernel
140s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
31-08-2024 00:32
General
-
Target
ItroublveTSC.exe
-
Size
514KB
-
MD5
d8264e0921403244b0c29079bb732368
-
SHA1
d61b7c088ac4e118a6ac41fc4491961daa607773
-
SHA256
66359689b1ca80fbab24796d04cc3a91e3eb804de56635adc9d46a925758ffe6
-
SHA512
da4b6a9bee26db9bd788b19953f997620b06be3fa15f38da846c66cabc2f0cade80efc79e3e3b855a6435968a93984d26107836665db14a19eb9b44704899fed
-
SSDEEP
6144:WahO6sQA+WdlH4piJAiCC+c3e6iiixLifXiiiJ0Ny4SildqqQG2ixiiijEMiViiC:Wi4J+WbEGDfaAPiu15IQuUeeSMzg
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/899842638260338719/2a5S9S1gHhBIZB1ISPfnaBVgbTdkzaMWdmP_oGgFx14jtlvloXQRGQaYOY1Djoem1pL8
Extracted
nanocore
1.2.2.0
176.168.5.0:2605
d01924fe-4e8d-4b6f-850c-443e5741751a
-
activate_away_mode
true
-
backup_connection_host
176.168.5.0
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-07-31T04:06:57.831335236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
2605
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
d01924fe-4e8d-4b6f-850c-443e5741751a
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
176.168.5.0
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe"C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ITROUB~2.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ITROUB~2.EXE2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42KB
MD521fb013f93c6801759c9d395c216386e
SHA1832caf188f3f1dfa8d3287ef50281df0e2747c04
SHA2565161620f499b9090a58c8dd0df60aa08dc4da0909e71a555adb897d3431c7ade
SHA512b7111203a134806646a8ba4f4ffd03dd972ae86660e6f3f142d8557a3907f1721896edc4ca9512d11659109a0ccab063f2d438b3e64abf474735c6fe5016cac7
-
Filesize
202KB
MD56afe2574acea01baf839e828036e0201
SHA1df43ddd5ae26554e00a3a8ae4dceb251e65d52dc
SHA2560918b12b0d77703da052f21d4399e87a33dc2616ee9a6bf0a83f86f88e78781d
SHA5123b17d5849e6782144077618996ffb34a3596c329083022d3dcb556b1a1cde2104b6be86cef7f92e26af9dac81471350129aaf26d88298985dc6d040a7060ed9f
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB