Analysis
-
max time kernel
31s -
max time network
32s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-09-2024 18:23
Behavioral task
behavioral1
Sample
Executor.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Executor.exe
Resource
win10v2004-20240802-en
General
-
Target
Executor.exe
-
Size
41KB
-
MD5
82a090b7bd4ba38852f6945bb73d4604
-
SHA1
f13d74c1acc8c595d49088f98652f09ae563b227
-
SHA256
d51cc213190d73d035e5a51b928ec1563b95a8cbe0fee8cd5f736365cf91865b
-
SHA512
03f63c734b515dd1d960904fa87350d1b95d2848b6603ef365c6a2eb599a0b90ed39c7d5ea02c8ed4138a420be8f6a0805cee252a0cf2e12023b5aabcf2ba963
-
SSDEEP
768:iscaIyI97QT+xBcw7uZse8WTjjKZKfgm3EhwF:xc1zQTIe8WT/F7EOF
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1283129065590489211/dEU2uHt9OcimjvWOVka-qrppiq2WKyMjW0QOJzCKDx9yJv76ewzma8jOcUZOGqbMoepy
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Executor.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools Executor.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Executor.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 8 discord.com 9 discord.com 10 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip4.seeip.org 6 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Executor.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Executor.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S Executor.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Executor.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Executor.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation Executor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer Executor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName Executor.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 Executor.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2952 Executor.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2952 wrote to memory of 2940 2952 Executor.exe 31 PID 2952 wrote to memory of 2940 2952 Executor.exe 31 PID 2952 wrote to memory of 2940 2952 Executor.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Executor.exe"C:\Users\Admin\AppData\Local\Temp\Executor.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2952 -s 13842⤵PID:2940
-