Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/12/2024, 13:14
Behavioral task
behavioral1
Sample
FKjdctVS.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
FKjdctVS.exe
Resource
win10v2004-20241007-en
General
-
Target
FKjdctVS.exe
-
Size
42KB
-
MD5
e7871defe3ff71566b3600eea0f61eb4
-
SHA1
44692b1477d43c48987daa0a34314b770505ebbf
-
SHA256
b6c68a183d0a85c967cf0e20082da608c7febca84fb66b1c085bef83c4d76894
-
SHA512
6a560fa39c23ea83a2049209f0e53935c321395755cc86b25ea25b29ff1315f1a7ee49da2960f9c1b796748195653a86d28506cb3e551d6530cb09d289f0cb27
-
SSDEEP
768:4cNCbujiewetQDGm8UuZyLxYTjsJKZKfgm3Ehik:XcSQD8ILxYTsF7EQk
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1319288015813873705/C8huyRFXRluYBlR8b0oxd33KZO6CyZgv-Jz8BlN-12x7BXBEBPMZipi5e5oAovfyjlvk
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions FKjdctVS.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools FKjdctVS.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion FKjdctVS.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 8 discord.com 9 discord.com 10 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip4.seeip.org 6 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum FKjdctVS.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 FKjdctVS.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S FKjdctVS.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 FKjdctVS.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString FKjdctVS.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation FKjdctVS.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer FKjdctVS.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName FKjdctVS.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 FKjdctVS.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2424 FKjdctVS.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2424 wrote to memory of 1436 2424 FKjdctVS.exe 33 PID 2424 wrote to memory of 1436 2424 FKjdctVS.exe 33 PID 2424 wrote to memory of 1436 2424 FKjdctVS.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\FKjdctVS.exe"C:\Users\Admin\AppData\Local\Temp\FKjdctVS.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2424 -s 13962⤵PID:1436
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1