Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 144s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2025, 19:44
Static task: static1
Behavioral task: behavioral1 (Sample: Mercurial.Grabber.v1.03.rar; Resource: win7-20241010-en)
Behavioral task: behavioral2 (Sample: Mercurial.Grabber.v1.03.rar; Resource: win10v2004-20250217-en)
General
Target: Mercurial.Grabber.v1.03.rar
Size: 2.9MB
MD5: 635903bad1ada856d701f34d3070ccd9
SHA1: 3ff98d91b9a3a47bf9f64bdf161efb9c5ac99fb0
SHA256: 3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6
SHA512: fee2c64124c47bcb1251b7b87969a1ff493e24bc196633e3a301565b126f5ed2e2967d4d1426ff5d9be9466c852bacf405229308acf946368e00ca887a4ef015
SSDEEP: 49152:lYtbFd+FwSjhWaqv7yBSw9i4b1g8lDZxu0TR9TlqdqjxaNOH:qkwSVef4NDW8qEfH
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1345264043610603582/1GMTIjfW57evopQXB1e9KFl1wbD_XDwq93R2eZ0N0xIRynPuF0KyoUCBuj1c122RycgA
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

Mercurialgrabber family

Executes dropped EXE (2 IoCs)
pid 1484 Mercurial.exe
pid 1924 freak.exe

Obfuscated with Agile.Net obfuscator (11 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource (yara_rule: agile_net):
behavioral2/memory/1484-12-0x0000000005AB0000-0x0000000005ACC000-memory.dmp
behavioral2/memory/1484-13-0x0000000005AE0000-0x0000000005B00000-memory.dmp
behavioral2/memory/1484-15-0x0000000005D50000-0x0000000005D60000-memory.dmp
behavioral2/memory/1484-14-0x0000000005D30000-0x0000000005D50000-memory.dmp
behavioral2/memory/1484-16-0x0000000005D60000-0x0000000005D74000-memory.dmp
behavioral2/memory/1484-18-0x0000000005DF0000-0x0000000005E0E000-memory.dmp
behavioral2/memory/1484-17-0x0000000005D70000-0x0000000005DDE000-memory.dmp
behavioral2/memory/1484-19-0x0000000005E30000-0x0000000005E66000-memory.dmp
behavioral2/memory/1484-20-0x0000000005E70000-0x0000000005E7E000-memory.dmp
behavioral2/memory/1484-21-0x0000000005E90000-0x0000000005E9E000-memory.dmp
behavioral2/memory/1484-22-0x0000000006700000-0x000000000684A000-memory.dmp

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow 67 discord.com
flow 66 discord.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 72 ip4.seeip.org

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Mercurial.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by csc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cvtres.exe

Modifies registry class (1 IoCs)
Key created \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000_Classes\Local Settings by 7zFM.exe

Opens file in notepad (likely ransom note) (1 IoCs)
pid 4228 NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid 4528 7zFM.exe (2 hits)
pid 1484 Mercurial.exe (8 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid 4528 7zFM.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Token: SeRestorePrivilege, pid 4528 7zFM.exe
Token: 35, pid 4528 7zFM.exe
Token: SeSecurityPrivilege, pid 4528 7zFM.exe
Token: SeSecurityPrivilege, pid 4528 7zFM.exe
Token: SeDebugPrivilege, pid 1484 Mercurial.exe
Token: SeDebugPrivilege, pid 1924 freak.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid 4528 7zFM.exe (3 hits)
pid 1484 Mercurial.exe

Suspicious use of WriteProcessMemory (8 IoCs)
PID 4528 7zFM.exe wrote to memory of 4228 (procid_target 93), 2 hits
PID 1484 Mercurial.exe wrote to memory of 3936 (procid_target 114), 3 hits
PID 3936 csc.exe wrote to memory of 3764 (procid_target 116), 3 hits
Processes

C:\Program Files\7-Zip\7zFM.exe (PID 4528, depth 1)
Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial.Grabber.v1.03.rar"
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

    C:\Windows\system32\NOTEPAD.EXE (PID 4228, depth 2, child of 4528)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0B1D0C98\readme.txt
    - Opens file in notepad (likely ransom note)

C:\Users\Admin\Desktop\Mercurial.exe (PID 1484, depth 1)
Command line: "C:\Users\Admin\Desktop\Mercurial.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 3936, depth 2, child of 1484)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rlrlxaw3\rlrlxaw3.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 3764, depth 3, child of 3936)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES761C.tmp" "c:\Users\Admin\Desktop\CSC5EF76A388CB34A0A91CACCDD9686270.TMP"
        - System Location Discovery: System Language Discovery

C:\Users\Admin\Desktop\freak.exe (PID 1924, depth 1)
Command line: "C:\Users\Admin\Desktop\freak.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads