Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/03/2025, 15:21
Behavioral task
behavioral1
Sample
Sigma.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Sigma.exe
Resource
win10v2004-20250217-en
General
-
Target
Sigma.exe
-
Size
41KB
-
MD5
9aff73f27f7afc4251dfe1ac8fe52d7d
-
SHA1
deef8ffa68978c9c8b398e5f7c4c026faf63fa5d
-
SHA256
546b7e985765d0a21e915869dad863133255bb081e8de5407f7104cd5bdcb77b
-
SHA512
ee2f3c18744b749dc68003f7e81c800c288060c9e56f74e61c706b3c61c17198b42401da49e524e4e77ae8a5f5847adf387034f12898a9fdeabddfc465b7a3a9
-
SSDEEP
768:yscaIiIEI/gB1wtduZ0e6WTj8KZKfgm3Eh3/:hc1yYgBEe6WToF7EJ/
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1347218786394050560/25E1MnN6tM_9Plb5-he1mualyMBpKwbwpRNDgFeexEvlMFJngDEgVT6C2DE0Vpotbp-Y
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 8 discord.com 9 discord.com 10 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip4.seeip.org 6 ip-api.com -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Sigma.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Sigma.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1228 Sigma.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1228 wrote to memory of 2708 1228 Sigma.exe 32 PID 1228 wrote to memory of 2708 1228 Sigma.exe 32 PID 1228 wrote to memory of 2708 1228 Sigma.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sigma.exe"C:\Users\Admin\AppData\Local\Temp\Sigma.exe"1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1228 -s 13362⤵PID:2708
-