Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

17/03/2025, 16:00

250317-tf3cssxms8 10

17/03/2025, 15:57

250317-td9dbstwgs 10

Analysis

  • max time kernel
    124s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17/03/2025, 16:00

General

  • Target

    GrimClient3.5.exe

  • Size

    42KB

  • MD5

    f8aad0ba44c22a03a92c8a992de6f188

  • SHA1

    a8f8ac95ee5a49a473104581ba073118c0f545f7

  • SHA256

    ccf8f646ddf20ba1e354c3ad35880e441d78ab292a2fd8b2edd49f3abfbe0422

  • SHA512

    7fa3cb08ee2b176ddaeb3bf20bed0a46a583c87a01922851975e1d191999f47a9dfe4421c8eb50c15c5c8b97d80c99d3da59fc97eb7756b84a216d5b61f51820

  • SSDEEP

    384:7AfIRHS2LtjR39hxiTRWgxfYTx2s/XZxIh/9oJEFq5nm0GTAsQ4KQsLd/SfgUfAQ:Z7DxURWf4uZvLlGTjQ4KZKfgm3Eht+

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/1351222685405024296/pvzGqfhW1MeB2uoiUPX5kRWkfddZIOBcx4zo8SpxDvoTeVdF_InCZ3P760g3QMnaEEnA

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Mercurialgrabber family
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GrimClient3.5.exe
    "C:\Users\Admin\AppData\Local\Temp\GrimClient3.5.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2448 -s 1400
      2⤵
        PID:3036
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2984

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

      Filesize

      3KB

      MD5

      05957bfeac45c8af8d7df106fe96ad47

      SHA1

      690fb12b52971b86f03874ca88c235e7be39fb28

      SHA256

      697ff00f3087896c6d374ee1b251f9c21e2dba6c9b3509f588a77cdceee55bc4

      SHA512

      7620799fdd2fac9b08a7e735eae8122cd43a4dab526941ccdbb50596b2a2d87ba2f40318e643ad59df637ed644f9919f535adba568af307615c206d9bec7199f

    • memory/2448-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

      Filesize

      4KB

    • memory/2448-1-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

      Filesize

      64KB

    • memory/2448-2-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

      Filesize

      9.9MB

    • memory/2448-3-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

      Filesize

      4KB

    • memory/2448-4-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

      Filesize

      9.9MB