Overview

overview

7

Static

static

3

Mercurial....03.rar

windows7-x64

7

Mercurial....03.rar

windows10-2004-x64

1

Mercurial.exe

windows7-x64

7

Mercurial.exe

windows10-2004-x64

7

readme.txt

windows7-x64

1

readme.txt

windows10-2004-x64

1

Resubmissions

26/03/2025, 23:57

250326-3zm7naxkw7 7

Analysis

  • max time kernel
    129s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/03/2025, 23:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mercurial.Grabber.v1.03.rar

  • Size

    2.9MB

  • MD5

    635903bad1ada856d701f34d3070ccd9

  • SHA1

    3ff98d91b9a3a47bf9f64bdf161efb9c5ac99fb0

  • SHA256

    3759744039346620e9613f40f90e8f318e5f54ad49c070e2bd23b667f7e65bf6

  • SHA512

    fee2c64124c47bcb1251b7b87969a1ff493e24bc196633e3a301565b126f5ed2e2967d4d1426ff5d9be9466c852bacf405229308acf946368e00ca887a4ef015

  • SSDEEP

    49152:lYtbFd+FwSjhWaqv7yBSw9i4b1g8lDZxu0TR9TlqdqjxaNOH:qkwSVef4NDW8qEfH

Score
7/10
agilenetdiscovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Obfuscated with Agile.Net obfuscator 11 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mercurial.Grabber.v1.03.rar"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Users\Admin\AppData\Local\Temp\7zO898E31C6\Mercurial.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO898E31C6\Mercurial.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO898E31C6\Mercurial.exe
    Filesize

    3.2MB

    MD5

    a9477b3e21018b96fc5d2264d4016e65

    SHA1

    493fa8da8bf89ea773aeb282215f78219a5401b7

    SHA256

    890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

    SHA512

    66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

    Download Submit

  • memory/2044-12-0x0000000001330000-0x000000000166A000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/2044-13-0x0000000000A20000-0x0000000000A3C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2044-14-0x0000000000A40000-0x0000000000A60000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2044-15-0x0000000000BC0000-0x0000000000BE0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2044-16-0x0000000000A60000-0x0000000000A70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2044-17-0x0000000000BF0000-0x0000000000C04000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2044-18-0x0000000000C00000-0x0000000000C6E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2044-19-0x0000000001050000-0x000000000106E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2044-20-0x00000000010E0000-0x0000000001116000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2044-21-0x0000000001090000-0x000000000109E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2044-22-0x0000000001120000-0x000000000112E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2044-23-0x0000000005090000-0x00000000051DA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2044-24-0x0000000005450000-0x0000000005566000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2044-25-0x0000000001140000-0x0000000001170000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2044-26-0x00000000051E0000-0x00000000051E8000-memory.dmp

    Filesize

    32KB

    Download