Malware Analysis Report

2024-11-30 15:46

Sample ID: 241119-nhd54avnct
Target: Mercurial.Grabber.v1.03.rar
SHA256: 371edb664c31555dac5e695b0f7286115dd94b380c188948bde2f167f030a7d3
Tags: mercurialgrabber execution evasion spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral12, behavioral24, behavioral1, behavioral2, behavioral3, behavioral13, behavioral7, behavioral15, behavioral16, behavioral18, behavioral19, behavioral27, behavioral6, behavioral14, behavioral23, behavioral22, behavioral5, behavioral9, behavioral17, behavioral8, behavioral26, behavioral4, behavioral10, behavioral11, behavioral20, behavioral21, behavioral25 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 371edb664c31555dac5e695b0f7286115dd94b380c188948bde2f167f030a7d3

Threat Level: Known bad

The file Mercurial.Grabber.v1.03.rar was found to be: Known bad.

Malicious Activity Summary

mercurialgrabber execution evasion spyware stealer

Mercurial Grabber Stealer

Mercurialgrabber family

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Reads user/profile data of web browsers

Maps connected drives based on registry

Looks up external IP address via web service

Command and Scripting Interpreter: JavaScript

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 11:23

Signatures

Mercurialgrabber family

mercurialgrabber

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

212s

Max time network

281s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Resources.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Resources.vbs"

Network

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

213s

Max time network

280s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Webhook.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Webhook.js"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

214s

Max time network

282s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial.Grabber.v1.03.rar"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial.Grabber.v1.03.rar"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

212s

Max time network

284s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Mercurialgrabber family

mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip4.seeip.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe

"C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip4.seeip.org | udp
US | 23.128.64.141:443 | ip4.seeip.org | tcp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 162.159.135.232:443 | ptb.discord.com | tcp
US | 162.159.135.232:443 | ptb.discord.com | tcp

Files

memory/3112-0-0x00007FF8B5053000-0x00007FF8B5055000-memory.dmp

memory/3112-1-0x0000000000D20000-0x0000000000D4A000-memory.dmp

memory/3112-2-0x00007FF8B5050000-0x00007FF8B5B12000-memory.dmp

memory/3112-3-0x00007FF8B5053000-0x00007FF8B5055000-memory.dmp

memory/3112-4-0x00007FF8B5050000-0x00007FF8B5B12000-memory.dmp

memory/3112-5-0x000000001C300000-0x000000001C342000-memory.dmp

memory/3112-6-0x000000001C2B0000-0x000000001C2BA000-memory.dmp

memory/3112-7-0x000000001C6E0000-0x000000001C7E4000-memory.dmp

memory/3112-11-0x00007FF8B5050000-0x00007FF8B5B12000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

213s

Max time network

279s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\App.config"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\App.config"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

212s

Max time network

289s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.Designer.cs"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.Designer.cs"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241023-de

Max time kernel

90s

Max time network

208s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.vbs"

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

93s

Max time network

203s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\licenses.licx"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\licenses.licx"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

211s

Max time network

281s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\AesGcm.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\AesGcm.js"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

213s

Max time network

287s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Common.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Common.js"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

299s

Max time network

206s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Grabber.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Grabber.js"

Network

Country | Destination | Domain | Proto
N/A | 20.189.173.9:443 |  | tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:34

Platform

win11-20241007-de

Max time kernel

92s

Max time network

203s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\packages.config"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\packages.config"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

91s

Max time network

205s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.js"

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

300s

Max time network

203s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.settings"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.settings"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
N/A | 20.44.10.122:443 |  | tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

147s

Max time network

278s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\User.cs"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\User.cs"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

212s

Max time network

279s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\SQLite.cs"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\SQLite.cs"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

91s

Max time network

205s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.Designer.cs"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.Designer.cs"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

90s

Max time network

207s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Program.cs"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Program.cs"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

214s

Max time network

283s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Browser.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Browser.js"

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

214s

Max time network

288s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Mercurial.csproj"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Mercurial.csproj"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:34

Platform

win11-20241007-de

Max time kernel

215s

Max time network

289s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\logo.ico"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\logo.ico"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

147s

Max time network

278s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\FodyWeavers.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31144651" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "731639456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\FodyWeavers.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\FodyWeavers.xml

Network

Files

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

214s

Max time network

282s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\AssemblyInfo.cs"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\AssemblyInfo.cs"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

91s

Max time network

208s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Resources.Designer.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Resources.Designer.vbs"

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241023-de

Max time kernel

91s

Max time network

208s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Machine.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Machine.js"

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:29

Platform

win11-20241007-de

Max time kernel

212s

Max time network

281s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Program.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Program.js"

Network

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-19 11:23

Reported

2024-11-19 11:34

Platform

win11-20241007-de

Max time kernel

213s

Max time network

289s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Testing.cs"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Testing.cs"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A