Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 124s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 17/03/2025, 16:00
Behavioral task behavioral1
  Sample: GrimClient3.5.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample: GrimClient3.5.exe
  Resource: win10v2004-20250313-en
General
  Target: GrimClient3.5.exe
  Size: 42KB
  MD5: f8aad0ba44c22a03a92c8a992de6f188
  SHA1: a8f8ac95ee5a49a473104581ba073118c0f545f7
  SHA256: ccf8f646ddf20ba1e354c3ad35880e441d78ab292a2fd8b2edd49f3abfbe0422
  SHA512: 7fa3cb08ee2b176ddaeb3bf20bed0a46a583c87a01922851975e1d191999f47a9dfe4421c8eb50c15c5c8b97d80c99d3da59fc97eb7756b84a216d5b61f51820
  SSDEEP: 384:7AfIRHS2LtjR39hxiTRWgxfYTx2s/XZxIh/9oJEFq5nm0GTAsQ4KQsLd/SfgUfAQ:Z7DxURWf4uZvLlGTjQ4KZKfgm3Eht+
Malware Config
Extracted
  Family: mercurialgrabber
  C2 (Discord webhook): https://discord.com/api/webhooks/1351222685405024296/pvzGqfhW1MeB2uoiUPX5kRWkfddZIOBcx4zo8SpxDvoTeVdF_InCZ3P760g3QMnaEEnA
Signatures
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
- Mercurialgrabber family
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow 8: discord.com
  flow 9: discord.com
  flow 10: discord.com
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip4.seeip.org
  flow 6: ip-api.com
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: AcroRd32.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: GrimClient3.5.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: GrimClient3.5.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2984: AcroRd32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2448: GrimClient3.5.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2984: AcroRd32.exe (reported 3 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2448 (GrimClient3.5.exe) wrote to memory of PID 3036, procid_target 33 (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\GrimClient3.5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\GrimClient3.5.exe"
  PID: 2448
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2448 -s 1400
    PID: 3036
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
  PID: 2984
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 05957bfeac45c8af8d7df106fe96ad47
  SHA1: 690fb12b52971b86f03874ca88c235e7be39fb28
  SHA256: 697ff00f3087896c6d374ee1b251f9c21e2dba6c9b3509f588a77cdceee55bc4
  SHA512: 7620799fdd2fac9b08a7e735eae8122cd43a4dab526941ccdbb50596b2a2d87ba2f40318e643ad59df637ed644f9919f535adba568af307615c206d9bec7199f