Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
24s -
max time network
26s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/03/2025, 23:14
Behavioral task
behavioral1
Sample
Vortex Nuker 1.42.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Vortex Nuker 1.42.exe
Resource
win10v2004-20250314-en
General
-
Target
Vortex Nuker 1.42.exe
-
Size
279KB
-
MD5
207f8d8cc0950ff123508360f40d187d
-
SHA1
be3e5514551c68ad5b45b641621fcfd71797da5c
-
SHA256
2876fe40976ecb099dfa01f066afc303bf2031a812d3b150896523ded9a865a8
-
SHA512
d807019a0f164c44c4bffbb72a84255412c7e588b161cc1acbb170d541ac3a6ca8243b29cf8aaded537d90de03e7b283070c242bdb6a59ee1126a29d3c3efc61
-
SSDEEP
3072:PmWL9TbF7EdANMe6rtVn+V6WBvAYioEefM9HZ5n3jTZakMhg+M4aluJrp/6fHC:PmWUjDqzBvA9ve4bn3jNa0+MEJt/D
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1352056092800061442/3CzW1cCaNZTbI4VuvNwVmMh68Q--8Gdw0gWMKHle7Np63DV39kvHq5YBo3g8N66-juC8
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Vortex Nuker 1.42.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools Vortex Nuker 1.42.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Vortex Nuker 1.42.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 8 discord.com 9 discord.com 10 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip4.seeip.org 6 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Vortex Nuker 1.42.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Vortex Nuker 1.42.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S Vortex Nuker 1.42.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Vortex Nuker 1.42.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Vortex Nuker 1.42.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation Vortex Nuker 1.42.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer Vortex Nuker 1.42.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName Vortex Nuker 1.42.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 Vortex Nuker 1.42.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2572 Vortex Nuker 1.42.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2572 Vortex Nuker 1.42.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2572 wrote to memory of 2848 2572 Vortex Nuker 1.42.exe 33 PID 2572 wrote to memory of 2848 2572 Vortex Nuker 1.42.exe 33 PID 2572 wrote to memory of 2848 2572 Vortex Nuker 1.42.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vortex Nuker 1.42.exe"C:\Users\Admin\AppData\Local\Temp\Vortex Nuker 1.42.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2572 -s 13962⤵PID:2848
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1