Malware Analysis Report

2024-11-30 15:46

Sample ID 241119-njtxyavnes
Target Mercurial.Grabber.v1.03.rar
SHA256 371edb664c31555dac5e695b0f7286115dd94b380c188948bde2f167f030a7d3
Tags
discovery mercurialgrabber execution evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

371edb664c31555dac5e695b0f7286115dd94b380c188948bde2f167f030a7d3

Threat Level: Known bad

The file Mercurial.Grabber.v1.03.rar was found to be: Known bad.

Malicious Activity Summary

discovery mercurialgrabber execution evasion spyware stealer

Mercurialgrabber family

Mercurial Grabber Stealer

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Reads user/profile data of web browsers

Maps connected drives based on registry

Looks up external IP address via web service

Command and Scripting Interpreter: JavaScript

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies Internet Explorer settings

Enumerates system info in registry

Modifies registry class

Suspicious behavior: CmdExeWriteProcessMemorySpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 11:26

Signatures

Mercurialgrabber family

mercurialgrabber

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

138s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win7-20240903-en

Max time kernel

120s

Max time network

128s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Program.cs"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.cs\ = "cs_auto_file" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\cs_auto_file C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\cs_auto_file\ C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.cs C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\cs_auto_file\shell\Read C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\cs_auto_file\shell C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\cs_auto_file\shell\Read\command C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\cs_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\cmd.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Program.cs"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Program.cs"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 b7781e4d1d76db3ef51e86fbc0578ae0
SHA1 849cf33ff6a60849fedacdc17177241834f90df2
SHA256 c5746f97b28799109c11e01f77c1c348b7561c0a5e49a2370e0918a72828fe86
SHA512 8f516b5f7089017c45a13cb034c0b6c40079af86beeb8743810524c434b60a02f2d4acd4c1a23a15aaef3c89da69323f1fedc842eb79fc0841d75e7d51ebb69c

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win7-20241010-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Resources.Designer.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Resources.Designer.vbs"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:29

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

136s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.Designer.cs"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.Designer.cs"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win7-20240903-en

Max time kernel

122s

Max time network

127s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\App.config"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\config_auto_file\ C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.config C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\config_auto_file\shell\Read C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\config_auto_file\shell\Read\command C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\config_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\config_auto_file C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.config\ = "config_auto_file" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\config_auto_file\shell C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\App.config"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\App.config"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 c0eebf8d1b2be88f9e59cfc835b6f7c2
SHA1 a5e177a0be68bcd74015b60a1492bdf8add2df18
SHA256 d6705b17c9e58c5457f6c9835c61a1ed7861b4e6c23875a2017d31824fc62a5a
SHA512 418aafcb94a519ee865f22326c4e99b27cb7ce7e27323e2a41dfa177faae34256bf6d2d23e2a58bee7ba50b3091cd87bc7d29b1b39fe07af366e548905543f7c

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

145s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\FodyWeavers.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\FodyWeavers.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

memory/4840-0-0x00007FFD35050000-0x00007FFD35060000-memory.dmp

memory/4840-1-0x00007FFD7506D000-0x00007FFD7506E000-memory.dmp

memory/4840-2-0x00007FFD74FD0000-0x00007FFD751C5000-memory.dmp

memory/4840-3-0x00007FFD74FD0000-0x00007FFD751C5000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

151s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.Designer.cs"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.Designer.cs"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

149s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Program.cs"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Program.cs"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win7-20240903-en

Max time kernel

120s

Max time network

127s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.settings"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.settings"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.settings

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.settings"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 5810d7374485e4fa4bf973cb723f2e60
SHA1 ad1ae0bee0de966127ab09a85f85eacdac6fd5b3
SHA256 4819790cb9cf46bd1ba08ad480c8760a27682c589081ec7ae73c6da1464e84bb
SHA512 8e8693c5bd2aee357de1838086a6c1bf0287ff97ad94952e0492b9b74d8e5f552f8d775341519fca501551e44c08e8e0b1fe5ab060845e8e81e34611a67aa4d1

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

144s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\licenses.licx"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\licenses.licx"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win7-20240903-en

Max time kernel

122s

Max time network

128s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.Designer.cs"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\cs_auto_file C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.cs C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.cs\ = "cs_auto_file" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\cs_auto_file\shell\Read C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\cs_auto_file\shell C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\cs_auto_file\shell\Read\command C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\cs_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\cs_auto_file\ C:\Windows\system32\cmd.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.Designer.cs"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.Designer.cs"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 7a3175437077b6a3b2c6d1f77cf667d4
SHA1 86bc4962cc97d28944b25c7187a3f3c0c9c2dff0
SHA256 53a20e77c3a0f020fda085a65bce2bc2e45e996cd52d88e8d0316594d84ac905
SHA512 17fa410fb345dd2ac3b46c904740969984c804de14d40c2fab45c2c9c7b1cc3ca6301f1d1d9071f64fc98140d7d5c0d56cc8134abca12ee1b4e99b75951f7dbc

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

152s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Mercurial.csproj"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Mercurial.csproj"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win7-20240903-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Resources.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Resources.vbs"

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:29

Platform

win7-20240708-en

Max time kernel

117s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.Designer.cs"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.cs C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.cs\ = "cs_auto_file" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\cs_auto_file\shell\Read\command C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\cs_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\cs_auto_file C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\cs_auto_file\ C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\cs_auto_file\shell\Read C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\cs_auto_file\shell C:\Windows\system32\cmd.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.Designer.cs"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.Designer.cs"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 53927c1b84c1a0acec41256d8bde2bd9
SHA1 d07eb838dcf9e6c30273b84889c03606c097d808
SHA256 f92d4750b3ea168c48ecc7842023bf16976e40a36acca8f199bbfeb9e284d607
SHA512 ca5e9b92f3dc17725dee68e5c3b300a4386f73f68d80f68a6e3d510edbde8d273dd0fa6f815d83bb3967d76ea7feaecf4d3668104d176ba87d655243795f83b7

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win7-20240903-en

Max time kernel

119s

Max time network

125s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\licenses.licx"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\licenses.licx"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\licenses.licx

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\licenses.licx"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 fabec182246ae630fe10c32fb46b2487
SHA1 c181a20e5d8e9b6541425331000ca79049b29680
SHA256 26b910ff070c2b98dcae4d2e57c57e1b9b3b18b64de8c79c731727399a6bf13c
SHA512 967aa02fe500109b531fd0df832d09ccf96c4f84469cd5778a53097684e168eb5134a0df768845a039c894fa89c875b7b25e7cd34d6397067d7b84ddc09c9236

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win7-20241010-en

Max time kernel

64s

Max time network

19s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.js"

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win7-20241010-en

Max time kernel

118s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Mercurial.csproj"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\csproj_auto_file C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.csproj\ = "csproj_auto_file" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\csproj_auto_file\shell\Read C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\csproj_auto_file\shell\Read\command C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\csproj_auto_file\ C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\.csproj C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\csproj_auto_file\shell C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\csproj_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\cmd.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Mercurial.csproj"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Mercurial.csproj"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d815db885ea3ff02a84c864212d31943
SHA1 e34463398628e9753ca243228948395ad72e74e3
SHA256 b3fbb4b44eb8cecf3d960dc847231b4c744941848bdea3aa43363366b3f93752
SHA512 32e58a59eb54ec920eeba8a393d72321205cc6a567deaab9389e8b3e38fffff8ea199a49e4c10fe0728df01443c777e9c5ffe3e5060838fd8c84e647fa87f666

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:29

Platform

win7-20241023-en

Max time kernel

121s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\AssemblyInfo.cs"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\.cs C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\cs_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\cs_auto_file C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\cs_auto_file\ C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\.cs\ = "cs_auto_file" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\cs_auto_file\shell\Read C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\cs_auto_file\shell C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\cs_auto_file\shell\Read\command C:\Windows\system32\cmd.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\AssemblyInfo.cs"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\AssemblyInfo.cs"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 3d8c32119f6dad680a4e08619ab0152c
SHA1 1d439aea7f40c053794f4f61e3f6b7b25476989e
SHA256 94e2d9be57089a158939993adcaa61ea30933e298fe181591e643dc41e98f603
SHA512 0256a4b6169744c3de42462bef9c8da4d56c680cf47b902ee14181404c5ac88f3679807cf9fa9b4bd8194971eee83535497ea1a067f02a826723f37a8ea5f981

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:29

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

134s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Resources.Designer.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Resources.Designer.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Mercurialgrabber family

mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip4.seeip.org N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe

"C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ptb.discord.com udp
US 162.159.135.232:443 ptb.discord.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 162.159.135.232:443 ptb.discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

memory/2272-0-0x00007FFE57F93000-0x00007FFE57F95000-memory.dmp

memory/2272-1-0x0000000000500000-0x000000000052A000-memory.dmp

memory/2272-2-0x00007FFE57F90000-0x00007FFE58A51000-memory.dmp

memory/2272-3-0x00007FFE57F93000-0x00007FFE57F95000-memory.dmp

memory/2272-4-0x00007FFE57F90000-0x00007FFE58A51000-memory.dmp

memory/2272-8-0x000000001C0B0000-0x000000001C21A000-memory.dmp

memory/2272-9-0x00007FFE57F90000-0x00007FFE58A51000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

148s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\AssemblyInfo.cs"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\AssemblyInfo.cs"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

137s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\AesGcm.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\AesGcm.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win7-20240729-en

Max time kernel

90s

Max time network

17s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Browser.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Browser.js"

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Form1.vbs"

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:29

Platform

win7-20241023-en

Max time kernel

121s

Max time network

123s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\AesGcm.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\AesGcm.js"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win7-20240903-en

Max time kernel

122s

Max time network

132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\FodyWeavers.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438177449" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000a2a5931da6cfe4fd78507e92840d0c4454826c69a45b3b45ce0ec5acb0d8d620000000000e8000000002000020000000177adc50f83915883394a5bc13ac6b4e75d2de0c484119e81daf1066685f3777900000006d130988c48cc814ab2755157c0012fb33b901df670a6f6ddc75871c673911d1b28eee94b91af5f8ee4bb39a7d8c06bccdfdb9297ba2950ace3acaf65f8bd804aa1db5097b4442364c99b5288644cda5b46a379255260a42fbcad05118794a4ddde9b64bae6606641e5c88658c752761f7b6565c1c43d2d9421731db019b120c47c048759dbfa68d3a1f4d58cde8b1b140000000a94348325df6dbe61aa288119552745894299d50d95fde350a0392d850af3bc193a0bddb9e35fe9f158de40b2c29dbd76795415ca9cd8d68f40bf970de7dd417 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000bb82249b575c590e4ac1500dbaeb05e30ab9e7be42c01968f894fd74365b6c2f000000000e8000000002000020000000ce0a5aa2f9081d388cbc6f24811635e3e06d500b123c8d3c4011099c60c8c75320000000182ab66584216fdb8edd2c9a5c34d92a10804b382a641d7c0e86a1387fb2d46b400000009133d05486a38c7492ba60b35dbea2d8095153a0040ead903976dd1f064dd56ed5df37a9f4e632a84061ec00c14bd70b9bf401739282a427d7e12de7cfec2977 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 004689ee753adb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19E6DD81-A669-11EF-854E-7ED3796B1EC0} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 876 wrote to memory of 2336 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 876 wrote to memory of 2336 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 876 wrote to memory of 2336 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 876 wrote to memory of 2336 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2336 wrote to memory of 2356 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2336 wrote to memory of 2356 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2336 wrote to memory of 2356 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2336 wrote to memory of 2356 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2864 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2864 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2864 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2864 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\FodyWeavers.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabF45E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF53E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acba6e15210444109bf22e9ceb8d21fe
SHA1 0a91caa9deebd72874869c031ef8b784335388b8
SHA256 00d08f096afb643dcfd7ad9fd2197a9c1870113aee88b72b5ff7ebaf4a89c0cf
SHA512 a5afb2a2481ecdc9483a5753153677b2ee1928475c22b96e100c7eb0c6aa837e829755feba3e05f9b41f9891b87b78c36af0a38a235ce18425a809f858cc3b0a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79f5f9cc4ee0a17e723c220c5ca1c50b
SHA1 238e4b534b2613ce8fe91e274390c0309165306e
SHA256 a86e466d358011d605fd5044762dacbd4b4550fb54fe2b78424b03a69415ee8a
SHA512 4fee43d75d4a3ff19d4d819cf9586a3195c1b2d173a25c43c14fec497dcfc6546636bcece28e3abde299d90e9003c09b7f9a8d51ce8286a63082891c1a6c0763

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6241652f62710843e43a90d966f6868
SHA1 012a32dfb9103b002667d170d75b824cd7cba3ab
SHA256 4bde331050cb95cd26d589bf65fe4ce6f1ff720f63a75a7ce8fe1742ebfa78da
SHA512 b117f2b04092d31d6d5fdc0657e42bed94f7ef4b52ec98796697fdbf99fed4efd03b53cbfb9426fd84542e76f2ca730b06aa36df163f246abb48cf2d0a416cc9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b915b6ebfc716c0cf8bb2c20c7c64f4f
SHA1 bcfccfd1c347467f31b81a3ac1a918d217147846
SHA256 a2307277dd2386bbe735f9e0e7e760a33191539d0ea03410f218453aa4c2d6f0
SHA512 03014a0f6d4309667d564313ffae0cf388a27e06583f49b939cd21b763b1c337632298195da5290dc4364800b812be62bd828a924fe08df307784f11c412567c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 895100c1dc8df2e034cee211cadb5753
SHA1 82c19e02712b78163c20a407e688851ac94bfdb6
SHA256 65e045377726410837f2be52306cbdeea7555bca8acd533be09d841243c3da14
SHA512 ac86024b94f6ccb12ae9c6632f3af2b9ae8c17c0490ad9f7a17ecf47405a4019d4005f7b48a7886f609a01865aeb75a00dac69e31a22c86921fd590f24c78ff2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eadd1a9f86486b30abe751309aaf0d26
SHA1 fb519efa758f7787b3acc08e7f3eabf379a0849f
SHA256 a66c269846acf0525a174b82184da9f3acf5e62f9e32a1db0ebbe3251e8099ab
SHA512 635bfb49fa22be918282836d9242a7b6dbce528c40de0a7525ca2cbe83c6029902ce7ea657e2edc8b29116bad0da6b87a827289948eeaa437b862a053a51ac22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90906c4e7bcd5bc88d7e005fee1417af
SHA1 d21304c355dc06a3ee2f72504bc6e841aa8c9ef0
SHA256 b7b60c319640e83bb8b94abaf32d0dbd514c31f5a8619baa987bbc2bb20af1c1
SHA512 14b088366f4eda3a64b4b3287227784841a112b74ba91a61cb82e0f79ff8fe209f577b40f2ed75755c2db238c89c4244468a03a33b6586b51fa5f0e79efe31b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4dd2517bbf148fa49507b56e981ecd9
SHA1 57307dd7109da565c244b349feaf7580fca4b90c
SHA256 af36b21aeb17a708947daab9f29e143b2c7835350285cfd674cc7e3222455479
SHA512 77978d5582ccaf026ccfaf7015b534daa7c4dc5ee983f338c5618def4efea2781988acf3c6fcb538323a52c8d6be7f25b9dfa51979efa4724813b35b8ba35726

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9bf3f91d96b512f8f223929dcbdbc18
SHA1 746a832b18844543a023f914dd2b6e8d11fba359
SHA256 d821a0ae27f1a246c155d2701e05d25deda07cae7013e43d35c1b02176367591
SHA512 57383d0936b90d84fb4258ef7ddff119e30d2bf3c942c56a0091296c1b936b7cc884c972c5fe17d1bd132f1045cb5c24bc74be9f0f9fdd672033c0925a64b62e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23361b10cbc8bcef8c153b2ea5955f07
SHA1 5d2e517aa1e550d9992c0040ae6f610c14adea92
SHA256 03d09158aeb0d5a13f7d1d504afc069100f1dee63f6ee03beade69c52d27ee72
SHA512 c28ad5a425f0a4e50c528d64833e68526ceb2f52fe3de25f85b60260af3a37b1561de244fce4e20602958752fa039c6a06dbbb27e6647175bc5f6cd1a6db8a71

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b29c6a75f42808543d7fbf048420446
SHA1 232b8a9038f67e944f61107e11613c8103e82233
SHA256 d71cfd9b8bfb9a24b189c04fb02b141aadbdb76f026197b498130152bbab8f49
SHA512 b8cb4f628cbb52a7508381b925be64a38d0937627445b0b4525620823cd41ca275c97b556697aad632f47d267d17cf6dbbdf7154ffdf322f43068f13d32d83ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 424ddbc3dd180f55645f52d3f8b1ff74
SHA1 610e79c1aeef725e80dbc54a7b068c21b3d73bf0
SHA256 de526550b2dc8e30b2347dd22ae8cab50b7a65fd2727e773d15403c562ff8108
SHA512 2a1a4f4d775444bd0d78b543ea9dd1367faa9124a1167956f20452345760aec51a6d59c3a623efe9ed2d6fa1ec3fe837aa3f36e75f117ebbdf98487454fe386b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f1b676565de2562b042b89902079d73
SHA1 2a6f0cc436415bbac7164e98a7a6a3a5c2e212ba
SHA256 c17833bcb310433d51591491798115ba24b3c9b7ba07561998586fe3e158f36d
SHA512 8d08ec03474ab51acfe9029f22a121cc09cff57c4f9de79d28b60ac207e711dbd016c5816b9e46f5d52db28f168e1a6272340b5ca8b5682f9a5b2166d3475923

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4315866d980c6bde93e204767fe41651
SHA1 06fa18f41f4866b7e17a9c846e9d4033d9ac8731
SHA256 a9fa22300ba2c425708573b2991db9a11280f6f056a703143d7f0c6831b4fc2d
SHA512 45a409b387b9270786f8d8de8a412b367e439aa2156dccecf209d963c0e5e020a29a6c470a6b14a7c12ce5006a375920ae73434d5c65aa728b5c3e46b551e768

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 349a16b16e318d64f33c6888426a492d
SHA1 a7a453095b155ea46b4c81268f69acdc731c65ad
SHA256 59b491984e708001072e535d8d4b4bbc89e6065e10a57bbf4b33429ba38fb090
SHA512 86fdf8d435321201273da35a448c0cd568540e6cafaa25d815ba9d839a2834dafcfe26998e06ca115099bedb30739f08d307b5003995fe87b58de5bfa8ec3af3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c2c1e48da98c28b8bd32af5319d8797
SHA1 227ef72e5c7a121c60c150ef11d012bde589e7c6
SHA256 81ff3c417bc95f3a6fd3508fe0a642ccd4e980d75ab71fc1a9e4b6b6405bfbf1
SHA512 ff53ddd03b1dcb6c9df18a1e29b577e1902704d1f3ea33c3b7f44a8f2362d3bb85ad932078318dd7b591b673db3333c4db2a7e5f4d33c799779d3ef758c8d9cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73961f1ec00249d888fc73038f0efdec
SHA1 e6e83ed98b6e1fce7f32f4be477b61b344786fd4
SHA256 5d912853ef5c0a0ab2ea23cf1c0cdf84c05cc6236e7172c706c49a3f6a0549a9
SHA512 0b801f88ad2c6c9b7b39f6a3e259e0f1505011ae7d266e8ab4c5c04d6e4df854d62a404d0782fcc2d1e84daeca02d8f54d30731320fe247138ddc758707b47f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7146510d4de72e865cef02c149d22a0
SHA1 e46252830e60243da7c3aa4a3613d0a5b5321d00
SHA256 8f8a0dac29d1137ac81ac3f22243285e4560f0db1c8ae2fc9d7f90f86b9417e7
SHA512 1b7a08a2b616edf2c65ae03e01215e766de47dfecc7506d220aed670a11eac72e314dcb59a8c3e6d2ede896f82bf264ed680ef3a0377289bf22533003ab8114d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80c48057972a8baf7bb449cc6f20009e
SHA1 e918362a6062e187671682a8d57bc8003b2a22cb
SHA256 154419240c2296e5fd8f2bb7c7e952fd873d5b3072392d318fd3f3a78c1a911a
SHA512 c6a2cde358282784a9eedbf764faf7e09cb9132276940236c1e3397f8f9a27af07dbbf052592115ac58b2c534c4b5b8f6502a6d5422d1950395bd15a93dc71f3

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:29

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

142s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Resources.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Resources.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

154s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.settings"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Properties\Settings.settings"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:28

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

147s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Browser.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\Resources\Browser.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:26

Platform

win7-20241010-en

Max time kernel

13s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Mercurialgrabber family

mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip4.seeip.org N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe

"C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp

Files

memory/2376-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

memory/2376-1-0x0000000000020000-0x000000000004A000-memory.dmp

memory/2376-2-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

memory/2376-3-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

memory/2376-4-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-19 11:26

Reported

2024-11-19 11:29

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

141s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\App.config"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Mercurial Grabber.v1.03\Mercurial\App.config"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A