Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 08:45
Behavioral task
behavioral1
Sample
IMAGE.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
IMAGE.exe
Resource
win10v2004-20241007-en
General
-
Target
IMAGE.exe
-
Size
41KB
-
MD5
8cfef23d86d26c7b019c2f509a93bf44
-
SHA1
2464118ba0504ef13b6b2ec9967c0137037af706
-
SHA256
2f08220ac7f1fc004f4df859c0c382258cccd17c3df6365acf6a94c89c48368a
-
SHA512
3b8b1ee1009bbe5c19cb39fe1233fb27a47cbed54ffbf152d775f65f92ccf279759fba65487d27edca75adc95c6e5feda4841713cb85ee0514775063807ef977
-
SSDEEP
768:iscGoAZyCH/gB1wdPuZOeJWTjJKZKfgm3Ehy1:xckTgBseJWT1F7Ew1
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/923874147728232458/ueZK-9vm2atbN4nLZvFSJ_3VaYZFPq7L_XiQMdjB3tIhhJ_eVMiFWiUWekiUfzH_ypmU
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions IMAGE.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools IMAGE.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion IMAGE.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 4 discord.com 5 discord.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 IMAGE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum IMAGE.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S IMAGE.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 IMAGE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString IMAGE.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 IMAGE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation IMAGE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer IMAGE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName IMAGE.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2520 IMAGE.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2520 wrote to memory of 1852 2520 IMAGE.exe 32 PID 2520 wrote to memory of 1852 2520 IMAGE.exe 32 PID 2520 wrote to memory of 1852 2520 IMAGE.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\IMAGE.exe"C:\Users\Admin\AppData\Local\Temp\IMAGE.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2520 -s 11642⤵PID:1852
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1