568f49149bc2dbd8897e87170e621ffc8a8ee9732717d14bcabd711508d43441

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercurial_grabber-master/Mercurial-Grabber-master/Mercurial-Grabber-master/Mercurial.exe
Size

14.1MB
MD5

f0ef9eb7e6e99322a1d89c9da19554e2
SHA1

24ebcb45b09b54a1ccbb837a621a45f8d2379d51
SHA256

91f7f381cc92cfcb736202c8578f5f77fa5da3f351db54a6a62d8f7210ba857d
SHA512

cfe7a114e16427dcbe44c3868cb072b4840de95d717112b0410c4f242f9ee973d5d14329fe6c113ad4fbcb88346fe9309266fd77b576b84691d5ae034330072d
SSDEEP

196608:PTd/lOqPupb7KX/x1HhtehNJm3AqdKDnO8NpkSgsAGKaR2NemPXBoqCOpvAn:yqPuYXJBu/m3pgDOEkSgsv6vhCl

Score

7^/10

discovery pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2464	MAIN.EXE
2300	MAIN.EXE
1196	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
2836	Mercurial.exe
2464	MAIN.EXE
2300	MAIN.EXE

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001caa7-108.dat	upx
behavioral1/memory/2300-110-0x000007FEF55E0000-0x000007FEF5A4E000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000500000001a4b9-13.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mercurial.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2464	2836	Mercurial.exe	30
PID 2836 wrote to memory of 2464	2836	Mercurial.exe	30
PID 2836 wrote to memory of 2464	2836	Mercurial.exe	30
PID 2836 wrote to memory of 2464	2836	Mercurial.exe	30
PID 2464 wrote to memory of 2300	2464	MAIN.EXE	31
PID 2464 wrote to memory of 2300	2464	MAIN.EXE	31
PID 2464 wrote to memory of 2300	2464	MAIN.EXE	31

C:\Users\Admin\AppData\Local\Temp\Mercurial_grabber-master\Mercurial-Grabber-master\Mercurial-Grabber-master\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercurial_grabber-master\Mercurial-Grabber-master\Mercurial-Grabber-master\Mercurial.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
  "C:\Users\Admin\AppData\Local\Temp\MAIN.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\MAIN.EXE
    "C:\Users\Admin\AppData\Local\Temp\MAIN.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BAT TO EXE CONVERTER.LNK

Filesize
997B

MD5
555dcdf34d2eb6799a523666082d79f5

SHA1
fb5cfdbf079a0cd0f301e86648280bef05948795

SHA256
3dbfb8c9b04764afe1f2d058a5c98dbbc1c4c87c92a94874706693af3a24424c

SHA512
1e7f6428a442899d5d83009511f141074b63283afe3e6a880d9d7b6622d702aee7a5f4c7d17db6da7f8cb3e23fddcbd0542f03b37f6072f3fca938be50740f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24642\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
\Users\Admin\AppData\Local\Temp\MAIN.EXE

Filesize
13.9MB

MD5
6e856079e627e57f337c71f2ad26aa0d

SHA1
b93746236cda2ae6fdc800757d45bf519c818d96

SHA256
4618d27576c5fba8ac3ee6c193cedbb7dc662fed02e6473205444b52e370dcca

SHA512
8ba189b25f2931fac51758265c630b331be815cf629109c9324a0b6dd4223b4f01fdf31c13d56bc0ccd7d8728d2bb547b34b81fa901afca2c8b3beab167bcbe9

Download Submit
memory/2300-110-0x000007FEF55E0000-0x000007FEF5A4E000-memory.dmp

Filesize
4.4MB

Download