Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23/03/2025, 01:55
Behavioral task
behavioral1
Sample
Mercurial.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Mercurial.exe
Resource
win10v2004-20250314-en
General
-
Target
Mercurial.exe
-
Size
146KB
-
MD5
0bf1054dd4f0ad45f4d5426996dc65bf
-
SHA1
64b5fa861128640392dd69a8d224bb467ef68545
-
SHA256
56550fecb5b916eac9280f2e20b0a6ea06041e18f88fb39531df029080bdbc7b
-
SHA512
d6145e94762ff963ec83f716166c63f8d0e692f3f02ae94732b142c5b177826608906933b1490b0558a381702c7c4eb9877b27583f9cd3e5d294a2df0e66e62e
-
SSDEEP
768:vscWcQ20/ave0QSwJuZheVWTj9KZKfgm3Eh2x2egFH4MkaL5PEs:Ec9eVWTBF7E8xUH4QL5cs
Malware Config
Extracted
mercurialgrabber
https://ptb.discord.com/api/webhooks/895223301373300776/4LFPS81olSXc9Stl05N1nV_de5bp6BZLZwfYl5WydodJ9w8AtEOpBRJrAJDKDvxbtGHz
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Mercurial.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools Mercurial.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Mercurial.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 ip-api.com 4 ip4.seeip.org -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Mercurial.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Mercurial.exe -
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S Mercurial.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Mercurial.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Mercurial.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation Mercurial.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer Mercurial.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName Mercurial.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 Mercurial.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3064 Mercurial.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3064 wrote to memory of 2692 3064 Mercurial.exe 33 PID 3064 wrote to memory of 2692 3064 Mercurial.exe 33 PID 3064 wrote to memory of 2692 3064 Mercurial.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3064 -s 13282⤵PID:2692
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1