Analysis
-
max time kernel
84s -
max time network
85s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
02/03/2025, 03:25
General
-
Target
https://www.mediafire.com/file/ixmk6a4gc5na0fs/Executor_by_hubguy.zip/file
Malware Config
Extracted
mercurialgrabber
https://dcwh.my/post?uniqueid=7b57f570
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 6 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 6 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 12 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 27 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 38 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/ixmk6a4gc5na0fs/Executor_by_hubguy.zip/file1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff39d546f8,0x7fff39d54708,0x7fff39d547182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6092 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,4499884300841013170,7392332502743845630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\INSTRUCTIONS.txt1⤵
-
C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"C:\Users\Admin\Downloads\Executor by hubguy\Executor by hubguy\Bootstrapper.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD58b5cfebecbfd715cf1c2e86aaba6753c
SHA1c2d783bdd82fcfb68e8d566bcd34ead327ed7c13
SHA2566fca1fe2a780fb27f0493353a73b9ae02e9671b51a50b07566a322abe3b25cbf
SHA512b6ba779a8bb083a12f7f100c4c338d5902f2e2762654f70fb578dae4c0dccba1c7eec4cb0b5cbc1d8567fbb02624a077fe9f60573dbd12b78da4e5ae618a751f
-
Filesize
152B
MD5a690d53f0215760186aa07b114ac4561
SHA1601015b3d5837e99e481db0dcdb0ea33fa80cefc
SHA2568ee92ce70ce780b9af998d760d7226892a37c4a7ca5bddfaaaa5da016dbedd93
SHA512935db7966c0c541b2894b83af14586dfffe138a2a18dc60bfd9d076fb724410841b5536261a090ce57525f8a7dc25e4bc3b133fce61569beebf4efb126607a7f
-
Filesize
840B
MD5bba345e1764a55eef47a730ba6a331bf
SHA13bdf4cb644a3e343b6aa1ac11d2008412c0753d7
SHA256616b77578dd88cac31ce278c1c19fbcc4308b63903c480db9765f783c8b4e3fb
SHA5122fe0e199e9a5a15f405c61ba5491311d72fc89db7df2e0b8a879b4d92e84ba4c121885a73a152302a96169f5fd03ad85ff510f6d99eaf07c7f1690b6803f9b93
-
Filesize
3KB
MD517913423d4c7b14d6b944d1a9c138e63
SHA1896b1008b4431f99ec190ccfa6338363ef1bf964
SHA25640427ab52e8367381f9cfa73eea96eebb33bc56968eba017dd9b7c91ac215f6f
SHA5125d5c2d4a3ed595e245ad6d831ec783c904b6f62503a7e568a19f2a0a39c751ff607853ec8030791b6487c6ee9fb1648b58314d73a2b3e33b32ac2e4aa5dfa3ff
-
Filesize
5KB
MD5c94249f2e7055b474dc010c5f5d97202
SHA11281d2e5658fc8feb0f713c28addc4897e78434b
SHA2561e7bd0fc441056cca993b8ce123437b91dfbaab55e23c28a19933c6eb861bb4e
SHA5120af79e407db4457b60b5390aaccfbde203f7a5feb42e948dcef60b4afc8635d9651d183e671a27d37dcfca541a8e255933b0ea531ffb48a1fb696a23a8b3c667
-
Filesize
7KB
MD50af243ec2fcaedbcea5add9ce21c2ce0
SHA1f75b46eb31e03d14a795f1dfc9527ce532c2194d
SHA2563f589a2a14af4966b7bb9c6744c7ed4b45b7cf6bd2a0305822280de58a526753
SHA51210d1c33b453001b0fff7bef9b1fda27f08a54692e8a831b42f512b30fd502335820a29f6b885cb8d2166548fea0cf84508e051d4d66619a88fc21f4dd029af24
-
Filesize
24KB
MD59ac7d64ba533facf33c12b2972d57175
SHA10ebaf3c94cc3e9b9b02d7547a09bb717a947fdb3
SHA2563a40027ca447bdbc4a277cc817c600cb359e26ff350c7bacf4c87e8b35f556a2
SHA51296c4f83e1963bc4f6367b8916a97c8185cdbd9e33dcc89a541f1688103296226c017c84e3e41fbaff1ed197563871183f620562a02f1f0bcdee117247a878e91
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD52057652d9c97da3cddaaf146b43dd99b
SHA12afd4aa5e13c1951bd8f6b84b3778742160b2567
SHA2562c5b3e52e0ef7020d57265f4fad75023d8a070f77515dfba30e12beee2e6456d
SHA51277f4d2480e708991ab2e410272b3f612055bc9559e7c881b21b88f2a77b9943e81cf8af5c34f0b54c733680204cf577b4cf8273f66b044a9d12bbe0e316f9549
-
Filesize
10KB
MD57228807ee8f2e8efdcddc2954724f148
SHA1b4cad0ba2f58d531c93db42f8e1207c10eb5f130
SHA256d873c83653a7ff679f45b29b92a96d83407938218c79dd195ac15a17e1a17f08
SHA5122c420178882da54e1a406f9e4321051c2c58577a5e85e1aa34e294e45a3362744d6bcd54168fa46e2d537599cb90de4cc0c7525275ad0bdf81832950f9e8c653
-
Filesize
20KB
MD57878443b620a278a050dbe62c8261cb9
SHA12edfaf71bbfc38656b0ceac176891ec4eee8df67
SHA256243825d65df708eb8e6d3f32b6cbaf3d67b36a6f26fdaca9b0df3b6aadabd2d8
SHA512a8eb0f11478b60967a6c85953f8c5967af081c78c10791c12fa92e1d242724f44edd83be0bfdd07238de5fb7511c380df3a102a39590de215bb15994ede62dd6
-
Filesize
64KB