Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

17/03/2025, 00:44

250317-a3jz7avtcz 10

06/03/2025, 15:21

250306-sre6za1xgz 10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2025, 15:21

General

  • Target

    Sigma.exe

  • Size

    41KB

  • MD5

    9aff73f27f7afc4251dfe1ac8fe52d7d

  • SHA1

    deef8ffa68978c9c8b398e5f7c4c026faf63fa5d

  • SHA256

    546b7e985765d0a21e915869dad863133255bb081e8de5407f7104cd5bdcb77b

  • SHA512

    ee2f3c18744b749dc68003f7e81c800c288060c9e56f74e61c706b3c61c17198b42401da49e524e4e77ae8a5f5847adf387034f12898a9fdeabddfc465b7a3a9

  • SSDEEP

    768:yscaIiIEI/gB1wtduZ0e6WTj8KZKfgm3Eh3/:hc1yYgBEe6WToF7EJ/

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1347218786394050560/25E1MnN6tM_9Plb5-he1mualyMBpKwbwpRNDgFeexEvlMFJngDEgVT6C2DE0Vpotbp-Y

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Mercurialgrabber family
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sigma.exe
    "C:\Users\Admin\AppData\Local\Temp\Sigma.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1228 -s 1336
      2⤵
        PID:2708

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1228-0-0x000007FEF5303000-0x000007FEF5304000-memory.dmp

      Filesize

      4KB

    • memory/1228-1-0x00000000008A0000-0x00000000008B0000-memory.dmp

      Filesize

      64KB

    • memory/1228-2-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

      Filesize

      9.9MB

    • memory/1228-3-0x000007FEF5303000-0x000007FEF5304000-memory.dmp

      Filesize

      4KB

    • memory/1228-4-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

      Filesize

      9.9MB

    • memory/1228-5-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

      Filesize

      9.9MB