Analysis
-
max time kernel
119s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-10-2024 09:42
Behavioral task
behavioral1
Sample
output.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
output.exe
Resource
win10v2004-20241007-en
General
-
Target
output.exe
-
Size
42KB
-
MD5
2591418fa1d70a7928d546c1e59d369b
-
SHA1
44a86e19a00a6ccbb07b573d258cf7d1a87ccf3c
-
SHA256
e094ebd68882cf62ff5985d8f81c7141efca479d38fce91bac982bd5c3566d35
-
SHA512
50859efbc32ecc8aade5b277c42ed3a4f9a0aa98088203826af99b348f541566472ca4c8f1b9958862db159be9afa15ca906e55023175834e7ee03749db2e906
-
SSDEEP
768:DnYBZ6an8z5pDtsmuZ2Lz2Tj3KZKfgm3EhyC:K1n8z5PsOLz2TbF7E4C
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1297492884475609118/LwQvKyTkheFA9V6fHwOm4M-8JFByK3cs4_NZKgdLpCNrybSYAf4THUPHAcm96nt5CXYa
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions output.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools output.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion output.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 8 discord.com 9 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip4.seeip.org 6 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum output.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 output.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S output.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 output.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString output.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 output.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation output.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer output.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName output.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2928 output.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2928 wrote to memory of 2856 2928 output.exe 33 PID 2928 wrote to memory of 2856 2928 output.exe 33 PID 2928 wrote to memory of 2856 2928 output.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\output.exe"C:\Users\Admin\AppData\Local\Temp\output.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2928 -s 14002⤵PID:2856
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1