Overview

overview

10

Static

static

10

Urm.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    9s
  • max time network
    8s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-09-2024 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Urm.exe

  • Size

    41KB

  • MD5

    83f52e0aebc4f6f8bafbfa855e826dcc

  • SHA1

    37b64811517ee85fc8d3f64f67ddd1ee7372f811

  • SHA256

    99c7c262aa5b81a8694ae3e6449972f84edc48165f17e59e7d56bd6b2c9875e6

  • SHA512

    00dbdee6de08cae2e96ec758a6ac9075a52ce4c8f8149dfdd8afb2963835ebac883747fcadcd6f77c4737cfa827bfddf1de87dbbeca738d0f7c24476f1297d6e

  • SSDEEP

    768:rN8C37hX/XSNluZVLrpTjeKZKfgm3Ehq3:6LyLrpTqF7E43

Score
10/10
mercurialgrabberstealer

Malware Config

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Urm.exe
    "C:\Users\Admin\AppData\Local\Temp\Urm.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4540
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4076

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4076-15-0x00000279A0030000-0x00000279A0031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4076-3-0x00000279A0030000-0x00000279A0031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4076-5-0x00000279A0030000-0x00000279A0031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4076-4-0x00000279A0030000-0x00000279A0031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4076-14-0x00000279A0030000-0x00000279A0031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4076-13-0x00000279A0030000-0x00000279A0031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4076-12-0x00000279A0030000-0x00000279A0031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4076-11-0x00000279A0030000-0x00000279A0031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4076-10-0x00000279A0030000-0x00000279A0031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4076-9-0x00000279A0030000-0x00000279A0031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4540-1-0x0000000000C60000-0x0000000000C70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4540-2-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4540-0-0x00007FFF12E83000-0x00007FFF12E85000-memory.dmp

    Filesize

    8KB

    Download