Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

output.exe

windows7-x64

10

output.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    10s
  • max time network
    8s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2024, 09:40 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    output.exe

  • Size

    42KB

  • MD5

    2591418fa1d70a7928d546c1e59d369b

  • SHA1

    44a86e19a00a6ccbb07b573d258cf7d1a87ccf3c

  • SHA256

    e094ebd68882cf62ff5985d8f81c7141efca479d38fce91bac982bd5c3566d35

  • SHA512

    50859efbc32ecc8aade5b277c42ed3a4f9a0aa98088203826af99b348f541566472ca4c8f1b9958862db159be9afa15ca906e55023175834e7ee03749db2e906

  • SSDEEP

    768:DnYBZ6an8z5pDtsmuZ2Lz2Tj3KZKfgm3EhyC:K1n8z5PsOLz2TbF7E4C

Score
10/10
mercurialgrabberevasionstealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1297492884475609118/LwQvKyTkheFA9V6fHwOm4M-8JFByK3cs4_NZKgdLpCNrybSYAf4THUPHAcm96nt5CXYa

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\output.exe
    "C:\Users\Admin\AppData\Local\Temp\output.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3112

Network

  • flag-us
    DNS
    ip4.seeip.org
    output.exe
    Remote address:
    8.8.8.8:53
    Request
    ip4.seeip.org
    IN A
    Response
    ip4.seeip.org
    IN A
    23.128.64.141
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91a88097ef354c12a4f874539ec19fe8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91a88097ef354c12a4f874539ec19fe8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=3B68038D427467DD36B7169343726689; domain=.bing.com; expires=Fri, 14-Nov-2025 09:41:05 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B20213BCA1914052B692144EBB55B13C Ref B: LON601060107029 Ref C: 2024-10-20T09:41:05Z
    date: Sun, 20 Oct 2024 09:41:05 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=91a88097ef354c12a4f874539ec19fe8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=91a88097ef354c12a4f874539ec19fe8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3B68038D427467DD36B7169343726689
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=t81Ku9D3hKsxDfOo-Iek2_vCFbR4dNfPOdthEK9s6zU; domain=.bing.com; expires=Fri, 14-Nov-2025 09:41:05 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C69269868B8B48D7A5207F2BFA5D8D58 Ref B: LON601060107029 Ref C: 2024-10-20T09:41:05Z
    date: Sun, 20 Oct 2024 09:41:05 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91a88097ef354c12a4f874539ec19fe8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91a88097ef354c12a4f874539ec19fe8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=3B68038D427467DD36B7169343726689; MSPTC=t81Ku9D3hKsxDfOo-Iek2_vCFbR4dNfPOdthEK9s6zU
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 972157B898064C208242D172F06BA4F4 Ref B: LON601060107029 Ref C: 2024-10-20T09:41:05Z
    date: Sun, 20 Oct 2024 09:41:05 GMT
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • 23.128.64.141:443
    ip4.seeip.org
    output.exe
    208 B
     4
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91a88097ef354c12a4f874539ec19fe8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=
    tls, http2
    2.0kB
     9.4kB
     22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91a88097ef354c12a4f874539ec19fe8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=91a88097ef354c12a4f874539ec19fe8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91a88097ef354c12a4f874539ec19fe8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    ip4.seeip.org
    dns
    output.exe
    59 B
     75 B
     1
    1

    DNS Request

    ip4.seeip.org

    DNS Response

    23.128.64.141

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     148 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3112-0-0x00007FFF96F53000-0x00007FFF96F55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3112-1-0x0000000000010000-0x0000000000020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3112-2-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3112-3-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

    Filesize

    10.8MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.