Analysis
- max time kernel: 44s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2024, 02:05
Behavioral tasks
- behavioral1: Sample Blueness.exe, Resource win7-20241010-en
- behavioral2: Sample Blueness.exe, Resource win10v2004-20241007-en
General
- Target: Blueness.exe
- Size: 41KB
- MD5: b21ac4a352ff7497ceb505a2bcfa675b
- SHA1: b7f7c37e3698007d669996d55fe69816e40053a3
- SHA256: bef85bf8492824353c84665db8cbadf6d778e9105a580bb7dd0cf9137578c422
- SHA512: 80f3418c05aeea581fddc0636846141841605352aeac000dd94190632b86b99c9a537a8aac74e27c417ecd11a3f9a628b4ecfd39f0c6994b527c6e8b34457159
- SSDEEP: 384:yAaUZDRC2PZeXg25upQ1X+P2eYevLpCIb2uEy5y8Tcjs/XZxIh/0gJEFq5nmXQsU:NgPzetQIxo8CuZ0LaTCKZKfgm3Ehbr
Malware Config (extracted)
- family: mercurialgrabber
- https://discord.com/api/webhooks/861182160127918150/IeKGPUb8uRkJyZG3-A_U2CxLcPPUzrC0ck9yhlV2_vvu5pqPvyVmoHbHH0moBP3VhtWY
Signatures
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients, as well as generic system information.
- Mercurialgrabber family
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow  ioc
  10    discord.com
  11    discord.com
  12    discord.com
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     ip4.seeip.org
  8     ip-api.com
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      Blueness.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Blueness.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2052  Blueness.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 2052 wrote to memory of 2708  2052  Blueness.exe  31
  PID 2052 wrote to memory of 2708  2052  Blueness.exe  31
  PID 2052 wrote to memory of 2708  2052  Blueness.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\Blueness.exe
  "C:\Users\Admin\AppData\Local\Temp\Blueness.exe"
  PID: 2052
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2052 -s 1428
    PID: 2708