Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/03/2025, 21:05

General

  • Target

    Mercurial_grabber-master/Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial.exe

  • Size

    14.1MB

  • MD5

    f0ef9eb7e6e99322a1d89c9da19554e2

  • SHA1

    24ebcb45b09b54a1ccbb837a621a45f8d2379d51

  • SHA256

    91f7f381cc92cfcb736202c8578f5f77fa5da3f351db54a6a62d8f7210ba857d

  • SHA512

    cfe7a114e16427dcbe44c3868cb072b4840de95d717112b0410c4f242f9ee973d5d14329fe6c113ad4fbcb88346fe9309266fd77b576b84691d5ae034330072d

  • SSDEEP

    196608:PTd/lOqPupb7KX/x1HhtehNJm3AqdKDnO8NpkSgsAGKaR2NemPXBoqCOpvAn:yqPuYXJBu/m3pgDOEkSgsv6vhCl

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mercurial_grabber-master\Mercurial-Grabber-master\Mercurial-Grabber-master\Mercurial.exe
    "C:\Users\Admin\AppData\Local\Temp\Mercurial_grabber-master\Mercurial-Grabber-master\Mercurial-Grabber-master\Mercurial.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
      "C:\Users\Admin\AppData\Local\Temp\MAIN.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
        "C:\Users\Admin\AppData\Local\Temp\MAIN.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BAT TO EXE CONVERTER.LNK

    Filesize

    997B

    MD5

    555dcdf34d2eb6799a523666082d79f5

    SHA1

    fb5cfdbf079a0cd0f301e86648280bef05948795

    SHA256

    3dbfb8c9b04764afe1f2d058a5c98dbbc1c4c87c92a94874706693af3a24424c

    SHA512

    1e7f6428a442899d5d83009511f141074b63283afe3e6a880d9d7b6622d702aee7a5f4c7d17db6da7f8cb3e23fddcbd0542f03b37f6072f3fca938be50740f19

  • C:\Users\Admin\AppData\Local\Temp\_MEI24642\python310.dll

    Filesize

    1.4MB

    MD5

    69d4f13fbaeee9b551c2d9a4a94d4458

    SHA1

    69540d8dfc0ee299a7ff6585018c7db0662aa629

    SHA256

    801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

    SHA512

    8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

  • \Users\Admin\AppData\Local\Temp\MAIN.EXE

    Filesize

    13.9MB

    MD5

    6e856079e627e57f337c71f2ad26aa0d

    SHA1

    b93746236cda2ae6fdc800757d45bf519c818d96

    SHA256

    4618d27576c5fba8ac3ee6c193cedbb7dc662fed02e6473205444b52e370dcca

    SHA512

    8ba189b25f2931fac51758265c630b331be815cf629109c9324a0b6dd4223b4f01fdf31c13d56bc0ccd7d8728d2bb547b34b81fa901afca2c8b3beab167bcbe9

  • memory/2300-110-0x000007FEF55E0000-0x000007FEF5A4E000-memory.dmp

    Filesize

    4.4MB