mercurialgrabber | baf1e179e63392ebdd6e59a1765d9ffe307ca28e22681f855bf2f71a0280d538

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe
Size

17.5MB
MD5

2d2da9e3a1b925524f8f3beded725a51
SHA1

3a854d9eadb761f41fc97cac483a07b2c223fcf2
SHA256

baf1e179e63392ebdd6e59a1765d9ffe307ca28e22681f855bf2f71a0280d538
SHA512

c1ed6de456dafbda4a38071e6021b3387ac69d56eb7e70209ca8085f28a1270161b8d82990731e21538ab03e5d7f95ec79b83839cbbc3e181f25ed8e03a76107
SSDEEP

393216:lqTHLS9CQ+rxdiJjxpQnwZch9BbKy/H3EbN/nww71ekGVhU9nC:87O2rxdi3pQnwZ+/gR/nwwUVh7

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/927257108951486515/GbBnf4EBb2a3JwBZqh5mpUFw3MuJDHB8lxKcjmyg9c1-L8tXje_7OreKQrCr9Qsh7ruT

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
Detects Windows executables referencing non-Windows User-Agents 2 IoCs

Processes:

resource yara_rule

C:\DiscordNuker.exe INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1740-23-0x00000000009F0000-0x0000000000A00000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Detects executables Discord URL observed in first stage droppers 2 IoCs

Processes:

resource yara_rule

C:\DiscordNuker.exe INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1740-23-0x00000000009F0000-0x0000000000A00000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DiscordURL
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

DiscordNuker.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions DiscordNuker.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

DiscordNuker.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools DiscordNuker.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

DiscordNuker.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DiscordNuker.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation 2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe
Executes dropped EXE 2 IoCs

Processes:

DiscordNuker.exeUpdate.exe

pid process

1740 DiscordNuker.exe
3180 Update.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 raw.githubusercontent.com
9 discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip4.seeip.org
6 ip-api.com
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

DiscordNuker.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DiscordNuker.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 DiscordNuker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

DiscordNuker.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S DiscordNuker.exe

resource	yara_rule
C:\DiscordNuker.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1740-23-0x00000000009F0000-0x0000000000A00000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

resource	yara_rule
C:\DiscordNuker.exe	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral2/memory/1740-23-0x00000000009F0000-0x0000000000A00000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	DiscordNuker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	DiscordNuker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DiscordNuker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe

pid	process
1740	DiscordNuker.exe
3180	Update.exe

flow	ioc
3	raw.githubusercontent.com
9	discord.com

flow	ioc
2	ip4.seeip.org
6	ip-api.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DiscordNuker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DiscordNuker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	DiscordNuker.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DiscordNuker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	DiscordNuker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DiscordNuker.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1020 tasklist.exe

pid	process
1020	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

DiscordNuker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	DiscordNuker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	DiscordNuker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	DiscordNuker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	DiscordNuker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DiscordNuker.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1740 DiscordNuker.exe
Token: SeDebugPrivilege 1020 tasklist.exe

description	pid	process
Token: SeDebugPrivilege	1740	DiscordNuker.exe
Token: SeDebugPrivilege	1020	tasklist.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exeUpdate.execmd.exe

description	pid	process	target process
PID 2904 wrote to memory of 1740	2904	2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe	DiscordNuker.exe
PID 2904 wrote to memory of 1740	2904	2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe	DiscordNuker.exe
PID 2904 wrote to memory of 3180	2904	2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe	Update.exe
PID 2904 wrote to memory of 3180	2904	2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe	Update.exe
PID 3180 wrote to memory of 4580	3180	Update.exe	cmd.exe
PID 3180 wrote to memory of 4580	3180	Update.exe	cmd.exe
PID 4580 wrote to memory of 1020	4580	cmd.exe	tasklist.exe
PID 4580 wrote to memory of 1020	4580	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_2d2da9e3a1b925524f8f3beded725a51_cova_ryuk.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2904

C:\DiscordNuker.exe
"C:\DiscordNuker.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Update.exe
"C:\Update.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
3⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
1⤵
PID:3836

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DiscordNuker.exe
Filesize
46KB

MD5
8b23371692c0bab493e54d637df160fd

SHA1
957685d2dc2fac7edfaaf19d7d97ac6f729602e0

SHA256
078054366b44f2e630cadb617a66783f7723dec85b1585840ae3c76bedd7fd6b

SHA512
498580a856ae980a792a7e84ab1abc282e0a300e586e3fe0f588d99398ffb61dc67e6910def40121c862438fba797565b57c5773bfc3282e8ce6ccb39036a5dd

Download Submit
memory/1740-23-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/1740-24-0x00007FF939363000-0x00007FF939365000-memory.dmp

Filesize
8KB

Download
memory/1740-25-0x00007FF939360000-0x00007FF939E21000-memory.dmp

Filesize
10.8MB

Download
memory/1740-31-0x00007FF939360000-0x00007FF939E21000-memory.dmp

Filesize
10.8MB

Download
memory/1740-35-0x00007FF939360000-0x00007FF939E21000-memory.dmp

Filesize
10.8MB

Download