Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
26s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
18/02/2025, 00:07
Behavioral task
behavioral1
Sample
GorillaUnbanner.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
GorillaUnbanner.exe
Resource
win10v2004-20250217-en
General
-
Target
GorillaUnbanner.exe
-
Size
42KB
-
MD5
2f0e33a107758d9752b5d8caafefda2a
-
SHA1
1cdd6766b17aad972cedd7e448f9704161709d08
-
SHA256
8ce381455c6cc7f68574f0e258e4aaa7a8856e439b9650bf2b110e922a73d791
-
SHA512
9f55614d1ce6296ad9212eece2ed5a64710a8566be8e660c830f554c567ebb28f9a0c0c345542fefda71bd7279a02bcec170f7d229893defde4485edfe2b59ea
-
SSDEEP
768:vFFGAUvRHCTuZSLRVTj75KZKfgm3EhYh:WRHCPLRVT35F7EOh
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1341192836023848981/MHmt34PTZZ_P_jTTneScbh_QIw9mlThCTekNBxgsaOnuwkBHwRizs2_F6x5ofxMBehpH
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 8 discord.com 9 discord.com 10 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip4.seeip.org 6 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 GorillaUnbanner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString GorillaUnbanner.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3016 GorillaUnbanner.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2904 3016 GorillaUnbanner.exe 32 PID 3016 wrote to memory of 2904 3016 GorillaUnbanner.exe 32 PID 3016 wrote to memory of 2904 3016 GorillaUnbanner.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\GorillaUnbanner.exe"C:\Users\Admin\AppData\Local\Temp\GorillaUnbanner.exe"1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3016 -s 14362⤵PID:2904
-