Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

juangamepl...go.exe

windows7-x64

10

juangamepl...go.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/10/2024, 21:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    juangameplaysElJuego.exe

  • Size

    520KB

  • MD5

    6dbf6db459134db2891675f7973ccde5

  • SHA1

    e1092f1c38646b911a1e269d575699d0e2dde9b3

  • SHA256

    4475f0f0fb251027fab5c3b02a72d7a7d030ba08892e5ad3be18bfb7674b609a

  • SHA512

    1ac4cb14c109e93c80744ad6ad7792c6ab86412e0432b140a5faf92e0d9adc101d5ee2285b82a12e844e67bdd4d59e36879a26204d8b20989c26c02c945bc648

  • SSDEEP

    6144:AAx92L79F3QYwB78xkstZMmsvTFwY97x7SykrnIPh7hw8ZPGBPk9krThFWC:AAx92bLwB8qsmvTBNDkrnwzFJomUThc

Score
10/10
mercurialgrabberevasionspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1294943124694630481/Vc7t1zcSQrJS099-W4Z8zg6xnPq7IAfeqBkgXXwY4JGCvfxDkvKRbJSNQw9hwsU-FnNW

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Mercurialgrabber family
    mercurialgrabber
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\juangameplaysElJuego.exe
    "C:\Users\Admin\AppData\Local\Temp\juangameplaysElJuego.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2272 -s 1400
      2⤵
        PID:2856

    Network

    • flag-us
      DNS
      ip4.seeip.org
      juangameplaysElJuego.exe
      Remote address:
      8.8.8.8:53
      Request
      ip4.seeip.org
      IN A
      Response
      ip4.seeip.org
      IN A
      23.128.64.141
    • flag-us
      DNS
      ip-api.com
      juangameplaysElJuego.exe
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • flag-us
      GET
      http://ip-api.com//json/
      juangameplaysElJuego.exe
      Remote address:
      208.95.112.1:80
      Request
      GET //json/ HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sat, 26 Oct 2024 21:11:04 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 289
      Access-Control-Allow-Origin: *
      X-Ttl: 17
      X-Rl: 42
    • flag-us
      DNS
      discord.com
      juangameplaysElJuego.exe
      Remote address:
      8.8.8.8:53
      Request
      discord.com
      IN A
      Response
      discord.com
      IN A
      162.159.138.232
      discord.com
      IN A
      162.159.136.232
      discord.com
      IN A
      162.159.137.232
      discord.com
      IN A
      162.159.128.233
      discord.com
      IN A
      162.159.135.232
    • 23.128.64.141:443
      ip4.seeip.org
      juangameplaysElJuego.exe
      152 B
       3
    • 208.95.112.1:80
      http://ip-api.com//json/
      http
      juangameplaysElJuego.exe
      296 B
       638 B
       5
      4

      HTTP Request

      GET http://ip-api.com//json/

      HTTP Response

      200
    • 162.159.138.232:443
      discord.com
      tls
      juangameplaysElJuego.exe
      345 B
       219 B
       5
      5
    • 162.159.138.232:443
      discord.com
      tls
      juangameplaysElJuego.exe
      345 B
       219 B
       5
      5
    • 8.8.8.8:53
      ip4.seeip.org
      dns
      juangameplaysElJuego.exe
      59 B
       75 B
       1
      1

      DNS Request

      ip4.seeip.org

      DNS Response

      23.128.64.141

    • 8.8.8.8:53
      ip-api.com
      dns
      juangameplaysElJuego.exe
      56 B
       72 B
       1
      1

      DNS Request

      ip-api.com

      DNS Response

      208.95.112.1

    • 8.8.8.8:53
      discord.com
      dns
      juangameplaysElJuego.exe
      57 B
       137 B
       1
      1

      DNS Request

      discord.com

      DNS Response

      162.159.138.232
      162.159.136.232
      162.159.137.232
      162.159.128.233
      162.159.135.232

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2272-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2272-1-0x00000000003C0000-0x0000000000446000-memory.dmp

      Filesize

      536KB

      Download

    • memory/2272-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2272-3-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2272-4-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2272-5-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

      Filesize

      9.9MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.