Analysis

  • max time kernel
    33s
  • max time network
    25s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250207-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    07/02/2025, 11:45

General

  • Target

    skeet/skeet.exe

  • Size

    41KB

  • MD5

    da76f361f0e88dbb3b4a17de18a05681

  • SHA1

    9f3e38b99620a8381fc3a262f0f49a88ffee3dbf

  • SHA256

    8ec7c1dd4c94af0de4d6e04f237dc501d9e2a23f55835ad33b480583f0053603

  • SHA512

    ddc6b4204def36c64b3e5d1e378437ec553305d9fdf3f2891ef1c02c23de257d8774a6a07d7df4f6d0bd55acdd8687d4b51c3257b508f09da9384449736e9144

  • SSDEEP

    768:+scaIiIEaL/gB1w1guZBeyWTjh0KZKfgm3Ehto:Nc1yargB0eyWT90F7Ero

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1337096942567555163/_OuVbk2ZGBIMjuPwPIIiqP2viOEm896TkaBwPFoXA86ZAlOqEm5VwC-5y_ndd9wVye4c
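
How a Discord-webhook C2 such as the one above is pulled out of a sample: an added Python example for this report, not the sandbox's own extractor and not code from the Mercurial Grabber project. Mercurial Grabber is written in C#, and .NET string literals are stored UTF-16LE, so the scan is run over the file as 8-bit text and as UTF-16LE at both byte alignments. The sample bytes, the webhook ID and the token are constructed placeholders, and the ID/token length bounds in the regex are assumptions.

```python
"""Pull Discord-webhook C2 URLs out of a stealer sample and hash the file.

Added example for this report; the sample bytes, webhook ID and token below
are constructed placeholders, not taken from skeet.exe.
"""
import hashlib
import re
from typing import Dict, List

# Discord webhook: a numeric snowflake ID, then a URL-safe token. The length
# bounds and character classes are assumptions, not a documented grammar.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/"
    r"(\d{17,20})/([A-Za-z0-9_\-]{50,100})"
)


def _text_views(data: bytes):
    """Yield the file as 8-bit text and as UTF-16LE text at both byte alignments.

    Mercurial Grabber is a C# program; .NET string literals live in the
    assembly's #US heap as UTF-16LE, so an ASCII-only scan misses them.
    """
    yield data.decode("latin-1")
    for offset in (0, 1):
        yield data[offset:].decode("utf-16-le", errors="ignore")


def find_discord_webhooks(data: bytes) -> List[Dict[str, str]]:
    """Return the unique webhook C2s in data, with ID and token split out."""
    found: Dict[str, Dict[str, str]] = {}
    for text in _text_views(data):
        for m in WEBHOOK_RE.finditer(text):
            found.setdefault(
                m.group(0), {"url": m.group(0), "id": m.group(1), "token": m.group(2)}
            )
    return list(found.values())


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of the sample, as listed in the General section."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


# Constructed sample: a fake webhook embedded once as ASCII and once as an
# odd-aligned UTF-16LE string, wrapped in junk bytes.
FAKE_ID = "123456789012345678"
FAKE_TOKEN = "A" * 30 + "b" * 30 + "-_" + "Z" * 6
FAKE_URL = f"https://discord.com/api/webhooks/{FAKE_ID}/{FAKE_TOKEN}"
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + FAKE_URL.encode("ascii")
    + b"\x00" * 7
    + FAKE_URL.encode("utf-16-le")
    + b"\xff" * 8
)

if __name__ == "__main__":
    for hook in find_discord_webhooks(SAMPLE):
        print(f"C2 webhook {hook['id']} token={hook['token'][:8]}... -> {hook['url']}")
    for name, digest in file_hashes(SAMPLE).items():
        print(f"{name}: {digest}")
```

Run it against a real sample by replacing `SAMPLE` with the file's bytes; the webhook ID is what you report as the IoC, and the token is what you hand to Discord's abuse channel to get the webhook revoked.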

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open-source stealer targeting Chrome, Discord and some game clients, as well as generic system information.

  • Mercurialgrabber family
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and similar profile data.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location. In this run the signature is raised on MicrosoftEdgeUpdate.exe (PID 3288), not on skeet.exe.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run the signature is raised on taskmgr.exe (PID 2696) rather than on skeet.exe, so treat it as a sandbox-side artifact unless the sample itself is seen reading these keys.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 45 IoCs
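
The anti-sandbox check behind the "Checks SCSI registry key(s)" signature, as an added Python example that is not code from the sample or from the sandbox: it walks HKLM\HARDWARE\DEVICEMAP\Scsi, collects every Identifier value and flags hypervisor vendor strings. The vendor marker list and the two sample identifiers are constructed for the example; on a non-Windows host the script runs against the constructed sample instead of the registry. The same script is a quick way to see whether your own lab image leaks these markers.

```python
"""Read the SCSI 'Identifier' strings under HKLM\\HARDWARE\\DEVICEMAP\\Scsi
and flag virtualisation vendors, the check the 'Checks SCSI registry key(s)'
signature is looking for. Added example; not code from skeet.exe."""
import sys
from typing import Dict, List

SCSI_ROOT = r"HARDWARE\DEVICEMAP\Scsi"

# Vendor substrings that appear in the disk Identifier of common hypervisors.
# Assumed list for this example; extend it for your own lab images.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")


def looks_virtual(identifier: str) -> bool:
    """True if a SCSI Identifier string names a known hypervisor vendor."""
    return any(marker in identifier.upper() for marker in VM_MARKERS)


def classify_identifiers(identifiers: Dict[str, str]) -> List[str]:
    """Return the registry paths whose Identifier points at a VM/sandbox."""
    return sorted(path for path, ident in identifiers.items() if looks_virtual(ident))


def read_scsi_identifiers() -> Dict[str, str]:
    """Walk the Scsi device map and collect every 'Identifier' value (Windows only)."""
    import winreg  # only available on Windows

    found: Dict[str, str] = {}

    def walk(key, path: str) -> None:
        try:
            value, _ = winreg.QueryValueEx(key, "Identifier")
            found[path] = str(value)
        except FileNotFoundError:
            pass  # intermediate keys (Scsi Port N, Scsi Bus N, ...) carry no Identifier
        index = 0
        while True:
            try:
                name = winreg.EnumKey(key, index)
            except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
                return
            with winreg.OpenKey(key, name) as sub:
                walk(sub, path + "\\" + name)
            index += 1

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ROOT) as root:
        walk(root, "HKLM\\" + SCSI_ROOT)
    return found


# Constructed sample identifiers: a VirtualBox guest disk beside a physical SSD.
SAMPLE_IDENTIFIERS = {
    r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0":
        "VBOX HARDDISK ATA Device",
    r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0":
        "Samsung SSD 980 PRO 1TB",
}

if __name__ == "__main__":
    ids = read_scsi_identifiers() if sys.platform == "win32" else SAMPLE_IDENTIFIERS
    flagged = classify_identifiers(ids)
    print("VM markers found:" if flagged else "no VM markers found")
    for path in flagged:
        print(" ", path, "->", ids[path])
```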

Processes

  • C:\Users\Admin\AppData\Local\Temp\skeet\skeet.exe
    "C:\Users\Admin\AppData\Local\Temp\skeet\skeet.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1112
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2696
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3100
  • C:\Windows\System32\7wbow6.exe
    "C:\Windows\System32\7wbow6.exe"
    1⤵
    PID:1572
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3288
  • C:\Windows\System32\7wbow6.exe
    "C:\Windows\System32\7wbow6.exe"
    1⤵
    PID:2184
  • C:\Windows\System32\7wbow6.exe
    "C:\Windows\System32\7wbow6.exe"
    1⤵
    PID:3988
  • C:\Windows\System32\7wbow6.exe
    "C:\Windows\System32\7wbow6.exe"
    1⤵
    PID:4840
  • C:\Windows\System32\7wbow6.exe
    "C:\Windows\System32\7wbow6.exe"
    1⤵
    PID:3164

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1112-1-0x00000000005A0000-0x00000000005B0000-memory.dmp (Filesize 64KB)
  • memory/1112-0-0x00007FFA46943000-0x00007FFA46945000-memory.dmp (Filesize 8KB)
  • memory/1112-2-0x00007FFA46940000-0x00007FFA47402000-memory.dmp (Filesize 10.8MB)
  • memory/1112-19-0x00007FFA46940000-0x00007FFA47402000-memory.dmp (Filesize 10.8MB)
  • memory/1112-17-0x00007FFA46940000-0x00007FFA47402000-memory.dmp (Filesize 10.8MB)
  • memory/1112-16-0x00007FFA46943000-0x00007FFA46945000-memory.dmp (Filesize 8KB)
  • memory/2696-13-0x000002DA5C1F0000-0x000002DA5C1F1000-memory.dmp (Filesize 4KB)
  • memory/2696-14-0x000002DA5C1F0000-0x000002DA5C1F1000-memory.dmp (Filesize 4KB)
  • memory/2696-15-0x000002DA5C1F0000-0x000002DA5C1F1000-memory.dmp (Filesize 4KB)
  • memory/2696-12-0x000002DA5C1F0000-0x000002DA5C1F1000-memory.dmp (Filesize 4KB)
  • memory/2696-11-0x000002DA5C1F0000-0x000002DA5C1F1000-memory.dmp (Filesize 4KB)
  • memory/2696-10-0x000002DA5C1F0000-0x000002DA5C1F1000-memory.dmp (Filesize 4KB)
  • memory/2696-9-0x000002DA5C1F0000-0x000002DA5C1F1000-memory.dmp (Filesize 4KB)
  • memory/2696-5-0x000002DA5C1F0000-0x000002DA5C1F1000-memory.dmp (Filesize 4KB)
  • memory/2696-4-0x000002DA5C1F0000-0x000002DA5C1F1000-memory.dmp (Filesize 4KB)
  • memory/2696-3-0x000002DA5C1F0000-0x000002DA5C1F1000-memory.dmp (Filesize 4KB)