Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
19/03/2025, 23:24
Behavioral task
behavioral1
Sample
VortexNuker1.42.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
VortexNuker1.42.exe
Resource
win10v2004-20250314-en
General
-
Target
VortexNuker1.42.exe
-
Size
279KB
-
MD5
207f8d8cc0950ff123508360f40d187d
-
SHA1
be3e5514551c68ad5b45b641621fcfd71797da5c
-
SHA256
2876fe40976ecb099dfa01f066afc303bf2031a812d3b150896523ded9a865a8
-
SHA512
d807019a0f164c44c4bffbb72a84255412c7e588b161cc1acbb170d541ac3a6ca8243b29cf8aaded537d90de03e7b283070c242bdb6a59ee1126a29d3c3efc61
-
SSDEEP
3072:PmWL9TbF7EdANMe6rtVn+V6WBvAYioEefM9HZ5n3jTZakMhg+M4aluJrp/6fHC:PmWUjDqzBvA9ve4bn3jNa0+MEJt/D
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1352056092800061442/3CzW1cCaNZTbI4VuvNwVmMh68Q--8Gdw0gWMKHle7Np63DV39kvHq5YBo3g8N66-juC8
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions VortexNuker1.42.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools VortexNuker1.42.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion VortexNuker1.42.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 8 discord.com 9 discord.com 10 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip4.seeip.org 6 ip-api.com -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 VortexNuker1.42.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum VortexNuker1.42.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S VortexNuker1.42.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 VortexNuker1.42.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString VortexNuker1.42.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 VortexNuker1.42.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation VortexNuker1.42.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer VortexNuker1.42.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName VortexNuker1.42.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2344 VortexNuker1.42.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2344 wrote to memory of 2800 2344 VortexNuker1.42.exe 33 PID 2344 wrote to memory of 2800 2344 VortexNuker1.42.exe 33 PID 2344 wrote to memory of 2800 2344 VortexNuker1.42.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\VortexNuker1.42.exe"C:\Users\Admin\AppData\Local\Temp\VortexNuker1.42.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2344 -s 14002⤵PID:2800
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1