Analysis Overview
SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
Threat Level: Shows suspicious behavior
The file Mercurial.exe was found to show suspicious behavior.
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-22 09:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-22 09:29
Reported
2024-09-22 09:29
Platform
win10v2004-20240802-en
Max time kernel
8s
Max time network
7s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
Files