Resubmissions
26-09-2024 09:59
240926-lz6wbszhqj 10Analysis
-
max time kernel
26s -
max time network
32s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
26-09-2024 09:59
General
-
Target
https://github.com/draven-office/discord-old-account-genrator
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/917748860682657832/sSsKt4ikHoi9zkepKqNjrrQK503_MnWsxInF6XnFlC2W3mmbZI320rx6s-R3dnG3i8W3
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 2 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 11 IoCs
-
Modifies registry class 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/draven-office/discord-old-account-genrator"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/draven-office/discord-old-account-genrator2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7001334a-ea4c-49de-9d39-18c5595a4dd8} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29a519fe-e7a8-44c0-afef-e7c33b6071c7} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3128 -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3296 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b74e7635-ae62-45ae-8fe7-0f3c559bd173} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2776 -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3612 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59388807-2b49-4e8f-8cf2-2e375302499a} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4172 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4200 -prefMapHandle 4196 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86414a24-2de0-4ea3-b4b0-9cbea77ed08a} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 3 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1ecc217-b4be-43a1-bd50-59a2fbcd25e6} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a836067e-79fe-48e2-93e1-a5cce5a58e90} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5844 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8835e1b-48d2-451b-9bab-38430cf18201} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\discord-old-account-genrator-main\discord old account genrator.exe"C:\Users\Admin\Desktop\discord-old-account-genrator-main\discord old account genrator.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\Desktop\discord-old-account-genrator-main\._cache_discord old account genrator.exe"C:\Users\Admin\Desktop\discord-old-account-genrator-main\._cache_discord old account genrator.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\Desktop\discord-old-account-genrator-main\._cache_Synaptics.exe"C:\Users\Admin\Desktop\discord-old-account-genrator-main\._cache_Synaptics.exe" InjUpdate3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\discord-old-account-genrator-main\discord old account genrator.exe"C:\Users\Admin\Desktop\discord-old-account-genrator-main\discord old account genrator.exe"1⤵
-
C:\Users\Admin\Desktop\discord-old-account-genrator-main\._cache_discord old account genrator.exe"C:\Users\Admin\Desktop\discord-old-account-genrator-main\._cache_discord old account genrator.exe"2⤵
-
-
C:\Users\Admin\Desktop\discord-old-account-genrator-main\discord old account genrator.exe"C:\Users\Admin\Desktop\discord-old-account-genrator-main\discord old account genrator.exe"1⤵
-
C:\Users\Admin\Desktop\discord-old-account-genrator-main\._cache_discord old account genrator.exe"C:\Users\Admin\Desktop\discord-old-account-genrator-main\._cache_discord old account genrator.exe"2⤵
-
-
C:\Users\Admin\Desktop\discord-old-account-genrator-main\discord old account genrator.exe"C:\Users\Admin\Desktop\discord-old-account-genrator-main\discord old account genrator.exe"1⤵
-
C:\Users\Admin\Desktop\discord-old-account-genrator-main\._cache_discord old account genrator.exe"C:\Users\Admin\Desktop\discord-old-account-genrator-main\._cache_discord old account genrator.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
814KB
MD5a7885d5a280d874597fa46ce44150902
SHA1f9e5676fffb7ed9712edea377001f8afe873fcbd
SHA2568687c478dfa4c98ff859800174c5d53f8fb7d57669e520d7b94c7898bbddd2e9
SHA5123032a182c8579d370d7b05b264d7b583096278ae20ac9c9c81fbc87e3309a931f56d9601464ffac5ee85d20e4c117e76540c5ba076580cfd6cd2d238a6fc776d
-
Filesize
28KB
MD5fd7cc082d4072cb694a6de5a1a350fb1
SHA11ff64fcf1b6e08dbb2a23c9f299264f8a43b1c1f
SHA256a393214faf912abd2760bb22a03151b78984fba717ad4220fa68efd23d5f5e95
SHA51283659ea144be3299a17d9f045d5968f2e22e520e563e3b6995ee13c8a2175e2bb3ea69d8f84ce6443c3b9f040ad56ab595a27819e079016e3f3b1ea06e450ee5
-
Filesize
21KB
MD50f2b414d4851020c855f402891006c45
SHA1dc1701a5651e9c1a9d96b79470d5b7e9e0194f2c
SHA256b8f0dc5a1887da0bd54cb4cf60a136af4d2c252c92928dd843982a0087f57d4f
SHA512e6bdadc966371dd21cc1e90378ec46041afb82547e8de7c692650cdedfce900f07ca236ec4d8c15dcf6bf6b828f75ce51d87c5f7d39560462665851583b21751
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
6KB
MD51fe63de8ca06f665263b748f2164ae03
SHA15dfc6c4655a210cb388a5c0ea7c46ae297a35481
SHA256dc4bee49d8f0d26758dc46b81509fcd34289a052902176cef55b480f11bff37e
SHA512cabf44291565404a2c2b44083bcb35fc0610a9527dc86448e54b6fd02d1d4fbd3bbf04225ad3a1f4dc36a2ec904aaca7a6a0b062bb2fe51d16306f6880f1483c
-
Filesize
5KB
MD506cbbcfc8e979b4032b646ed347e9eb6
SHA151de9ee233e52cdb6d56c56f4b9ef7cd8566a950
SHA2566336263ef4fc3ce98d7235bf2c56a74be53b4a811796b185e84f04da2aa608e0
SHA51293866d9ef79f79d6041fc8b4e95e2736cf26b1f4d5b58db182e1da1e0cb9bc950ffd4b4376a64695e236b40911c48578683f6aac7ffcb9a2bd075d79140c4056
-
Filesize
5KB
MD5b30d74161993800f8f00e9b870eb37c5
SHA16d5ae22e7db1c97e66ab5dac311c3ed9e3f8de4c
SHA2563284923752967300404ffb1279b303e314bed8bc0ed32e0c6e3be4e4b0c8b8f2
SHA512757ebb98b04125d82530307899cf9d2416bd1cd235f49b0d773efc10255873f9851a69810b79dd1f39bbeb52a46f67386648b4de4a8c286dc9c720bf1964592c
-
Filesize
982B
MD5ec041fcc2e99ca8b2381b25100e16ea1
SHA17ee96196afb701ad8d8c70ebcb8ee848026178fe
SHA25652adf206150b68c3b355cc43be797c35737658d784a3cb5d0f8c34c91bfaafd8
SHA5128d3703a46a7f96c2a0a05e7b0524c9b7c19bb57f130ab8cbd084baf16f85d8f6be0d2413745e86eb5895cd5c2a2f636d41db92a2fa9c7a091fd65e0b0d5d1cef
-
Filesize
25KB
MD59e79c3bf3e89d9d56cfaffed62ee5e39
SHA15efd93240888e5ad389abee2bc0b8b9f1366719e
SHA256ab4634d791c9bb28572e7c1071b19c74283521e7585d292a9183c598837f7223
SHA512ab57090ebcc6911d743f60cc142385a5cc3d89ceecfd08df90dd2f57b5b34f68df8f5997288ccce065f34b97847b7442ecc17e237bb2deafac6ba5a5a40ab8c7
-
Filesize
671B
MD506fbccd145dbcbc0306a8564969a4d22
SHA19c3ce906100bcc6927aa2941e906994e4ecda419
SHA25623d7f5d22b245d9c9d3d497705b6f09458207349c83b479d4ef9a5a9e3a24120
SHA512c2a994acca859ba5d5dd3417c5f2ec204c1d4e285437d119270d3f56448c8b6f948800f6ac453cc11d77290ada194e8f518d9bc131644837d25c17ac4f82163d
-
Filesize
11KB
MD535e27ad9d8dfa14a72b556fadf27fc44
SHA1083de43eb38f6f05a07f1f604876a19567d4ee18
SHA2566b74c05a6f9b5b16af1537e39316ed7d16d75bed60807e9d97202165852b2c2d
SHA512507a4d33615d22f00fee8eb78ef208690a6e1457380ca44cb244d8745fcd4c7cd60b2f8e0d29a88c325830aead62207b92e6c7fc02b8e51ec533e9739c43cd95
-
Filesize
11KB
MD5c29d43be0394ba0dc7381424bd6479a4
SHA1c8438ba3721f0562ca79b6b9570e0e661bf8be8f
SHA256155ac69c9e95f336bf97373c5ae343dd34e75ffafab485ca4a5623fd27ddee67
SHA5124af31aa8c75e0655a2e691c6b1e288448ad5d6c2a7d98accb1ac8f5178d468bc34c6648b57c4f71d7c98540cf13f0edc7a1ca46780d561345a616fa0e9110bb4
-
Filesize
61KB
MD543c467f6fd42d77d1c27b2b2eded962c
SHA1321f7ea7ebe2e232aad0d108c24d7f462fef2b70
SHA256cc2f9757e42d736363e5d85c68359af2db73721e800e9775b79a6082ad40fe95
SHA512175b7849121359084883775bb83360eda0feca86cabc84875bfe01892f43679396a29d4575d54449730d6c8815f0a032f9d4a99f1829cd84dcebc482537e015d
-
Filesize
410KB
MD521cf7789abdcbff04229aa2d0469bfed
SHA18532148e576f617b843df821eab5a75ab7c314e1
SHA256c8e03e7b6d28aae5a1cea068149bd665a65e0556b266bfe00e199f221f703b6e
SHA5126723ff2df5eb7c2bd7ba50f9b4e87f207497be1e756b483f437ed8322f88a3a52133b6109e568f5eb7451895d1b7cf1363da7ea8e56d3db0f652f335472da6e1
-
Filesize
840KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
840KB
-
Filesize
840KB
-
Filesize
840KB