Malware Analysis Report

2024-11-30 19:25

Sample ID 240922-lf5txssdrq
Target Mercurial.exe
SHA256 890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
Tags: agilenet, discovery
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

Threat Level: Shows suspicious behavior

The file Mercurial.exe was found to show suspicious behavior.

Malicious Activity Summary

agilenet discovery

Obfuscated with Agile.Net obfuscator

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-22 09:29

Signatures

Unsigned PE

Description    Indicator    Process    Target
N/A            N/A          N/A        N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-22 09:29

Reported

2024-09-22 09:29

Platform

win10v2004-20240802-en

Max time kernel

8s

Max time network

7s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"

Signatures

Obfuscated with Agile.Net obfuscator

Tag: agilenet

Description    Indicator    Process    Target
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A
N/A            N/A          N/A        N/A

System Location Discovery: System Language Discovery

Tag: discovery

Description    Indicator                                                      Process                                            Target
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    C:\Users\Admin\AppData\Local\Temp\Mercurial.exe    N/A

Suspicious use of AdjustPrivilegeToken

Description                Indicator    Process                                            Target
Token: SeDebugPrivilege    N/A          C:\Users\Admin\AppData\Local\Temp\Mercurial.exe    N/A

Suspicious use of FindShellTrayWindow

Description    Indicator    Process                                            Target
N/A            N/A          C:\Users\Admin\AppData\Local\Temp\Mercurial.exe    N/A
N/A            N/A          C:\Users\Admin\AppData\Local\Temp\Mercurial.exe    N/A

Suspicious use of SetWindowsHookEx

Description    Indicator    Process                                            Target
N/A            N/A          C:\Users\Admin\AppData\Local\Temp\Mercurial.exe    N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Mercurial.exe

"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"

Network

Country    Destination    Domain                            Proto
US         8.8.8.8:53     8.8.8.8.in-addr.arpa              udp
US         8.8.8.8:53     154.239.44.20.in-addr.arpa        udp
US         8.8.8.8:53     172.214.232.199.in-addr.arpa      udp
US         8.8.8.8:53     67.31.126.40.in-addr.arpa         udp

Files

memory/3144-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

memory/3144-1-0x0000000000C40000-0x0000000000F7A000-memory.dmp

memory/3144-2-0x0000000005F90000-0x0000000006534000-memory.dmp

memory/3144-3-0x00000000059E0000-0x0000000005A72000-memory.dmp

memory/3144-4-0x0000000005970000-0x000000000597A000-memory.dmp

memory/3144-5-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/3144-6-0x0000000005980000-0x000000000599C000-memory.dmp

memory/3144-12-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

memory/3144-14-0x0000000005D50000-0x0000000005D5E000-memory.dmp

memory/3144-15-0x0000000005D70000-0x0000000005D7E000-memory.dmp

memory/3144-13-0x0000000005D10000-0x0000000005D46000-memory.dmp

memory/3144-11-0x0000000005C50000-0x0000000005CBE000-memory.dmp

memory/3144-10-0x0000000005C40000-0x0000000005C54000-memory.dmp

memory/3144-9-0x0000000005C30000-0x0000000005C40000-memory.dmp

memory/3144-8-0x0000000005C00000-0x0000000005C20000-memory.dmp

memory/3144-7-0x0000000005BE0000-0x0000000005C00000-memory.dmp

memory/3144-16-0x00000000066E0000-0x000000000682A000-memory.dmp

memory/3144-17-0x0000000006890000-0x00000000069A6000-memory.dmp

memory/3144-18-0x0000000005EF0000-0x0000000005F20000-memory.dmp

memory/3144-19-0x0000000009390000-0x0000000009398000-memory.dmp

memory/3144-20-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/3144-21-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/3144-22-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/3144-23-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/3144-24-0x00000000743DE000-0x00000000743DF000-memory.dmp