Analysis
-
max time kernel
96s -
max time network
133s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
19-12-2024 13:03
General
-
Target
FKjdctVS.exe
-
Size
42KB
-
MD5
e7871defe3ff71566b3600eea0f61eb4
-
SHA1
44692b1477d43c48987daa0a34314b770505ebbf
-
SHA256
b6c68a183d0a85c967cf0e20082da608c7febca84fb66b1c085bef83c4d76894
-
SHA512
6a560fa39c23ea83a2049209f0e53935c321395755cc86b25ea25b29ff1315f1a7ee49da2960f9c1b796748195653a86d28506cb3e551d6530cb09d289f0cb27
-
SSDEEP
768:4cNCbujiewetQDGm8UuZyLxYTjsJKZKfgm3Ehik:XcSQD8ILxYTsF7EQk
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1319288015813873705/C8huyRFXRluYBlR8b0oxd33KZO6CyZgv-Jz8BlN-12x7BXBEBPMZipi5e5oAovfyjlvk
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FKjdctVS.exe"C:\Users\Admin\AppData\Local\Temp\FKjdctVS.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Options_RunDLL 01⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB