mercurialgrabber | 4aa2631ecb6f32df32409c4e034c380a71628dde3592f0401866674c799284f9

Analysis

max time kernel
11s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
06-10-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ItroublveTSC.exe
Size

187KB
MD5

b951b0e0a56ba29d275a330ac705d3d3
SHA1

0ec39a5e9cb56c3d069eb9d00c1ea0eec4691441
SHA256

4aa2631ecb6f32df32409c4e034c380a71628dde3592f0401866674c799284f9
SHA512

01487f245bc8888f5251b52a684b0fcbef8e28a5e8f6322a172cc29bae20729b39392219aa29bf6e6f9ef69ffe354df1007611a953fb2e027d753b6432d8742a
SSDEEP

3072:sly9KLcTrF7EydY8Z1le3RxmmSxvwHqnoaHMHTs/igE2:sly9KyO8i4lvwKnoRzsag

Score

10^/10

mercurialgrabber evasion stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/885234972850548828/LPkFoI9wcrDOX2ATDYCSijKXWP9cJT9-4dGuQphABCK_A1-yftfN29gCyAL-nU2wf0Tw

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ItroublveTSC.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions ItroublveTSC.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ItroublveTSC.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools ItroublveTSC.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ItroublveTSC.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ItroublveTSC.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip4.seeip.org

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	ItroublveTSC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	ItroublveTSC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ItroublveTSC.exe

flow	ioc
1	ip4.seeip.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ItroublveTSC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ItroublveTSC.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	ItroublveTSC.exe

Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

ItroublveTSC.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S ItroublveTSC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	ItroublveTSC.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ItroublveTSC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	ItroublveTSC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	ItroublveTSC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	ItroublveTSC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	ItroublveTSC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ItroublveTSC.exe

description pid process

Token: SeDebugPrivilege 1596 ItroublveTSC.exe

description	pid	process
Token: SeDebugPrivilege	1596	ItroublveTSC.exe

C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe
"C:\Users\Admin\AppData\Local\Temp\ItroublveTSC.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-1-0x00000000003F0000-0x0000000000424000-memory.dmp

Filesize
208KB

Download
memory/1596-0-0x00007FFB83AE3000-0x00007FFB83AE4000-memory.dmp

Filesize
4KB

Download
memory/1596-2-0x00007FFB83AE0000-0x00007FFB844CC000-memory.dmp

Filesize
9.9MB

Download
memory/1596-3-0x00007FFB83AE0000-0x00007FFB844CC000-memory.dmp

Filesize
9.9MB

Download