Analysis
-
max time kernel
574s -
max time network
441s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
03-07-2024 14:06
General
-
Target
Mercurial.exe
-
Size
3.2MB
-
MD5
a9477b3e21018b96fc5d2264d4016e65
-
SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7
-
SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
-
SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c
-
SSDEEP
98304:5kjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:lzJpjS346t1bIfuq07
Malware Config
Signatures
-
Obfuscated with Agile.Net obfuscator 11 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hpvkkmar\hpvkkmar.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC75.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC82FA30AE706B4A979BC6FCF66CF8E8C.TMP"3⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1c01⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RESAC75.tmpFilesize
1KB
MD50d69ceca17b4a8b28c2db2787a85097f
SHA196f1cf3462c355bcabd678b6c4f8dabef5c5addb
SHA25659c4d55c4e4d0561a8f0019106361f23ebe41f6b4efc18728bd11e8662e1b738
SHA5127645c6a9a8a7d45bc2c7930913b32fb7ee03443e933e78567b5acfd7322a40b8523a07d11537f265f7d54d966e321e6971634d238c7e133174a52cc53a8ddf9d
-
\??\c:\Users\Admin\AppData\Local\Temp\CSC82FA30AE706B4A979BC6FCF66CF8E8C.TMPFilesize
1KB
MD54a8b69d1b2c8695736b8c2273da513dc
SHA16519bfd357318ebc69831e8c9a12626c5a34dc2e
SHA256d9edfacf147f183b116c4ba680fe1087d13f04fa7dc92ca7e9bc9f2fdbca24b6
SHA512e4bf306c4ff1b6be85fa7824ba7e9c50906e965553fcbcb9debd966220b0328134d99ceedc6d563296332056c243dd310e8fe36e2fee2c3864f7aa67fde225e5
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvkkmar\hpvkkmar.0.csFilesize
11KB
MD5fe788e9683826bd7b99f877e61c22b2a
SHA1b14f0fe0a303513c6737b867b0b4ce0a968aac5d
SHA256294963e93c058543c1241ab503ebd25a1bcccc30699f7c0274938ca3c88e3150
SHA512d8e35616918e252112d2eedee014cba9bd58de12cbbdca11bf5ec7df5147124d6ac9be0cd2f960f288c7db33244399ed695f108d71ca444b5bd07e6a0a6b84ec
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvkkmar\hpvkkmar.1.csFilesize
5KB
MD58aab1997664a604aca551b20202bfd14
SHA1279cf8f218069cbf4351518ad6df9a783ca34bc5
SHA256029f57fa483bbcee0dd5464e0d4d89bd03032161424d0ffd1da2b3d5db15977f
SHA512cf0efea853d7e1997dcfcc9a73668ed9a5ac01cf22cbb7082a05abc141fccc7c92a936b245666071df75389cd7ebe60dc99b3c21279173fe12888a99034a5eda
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvkkmar\hpvkkmar.2.csFilesize
7KB
MD56fdae9afc1f8e77e882f1ba6b5859a4e
SHA133eb96f75ffe9a1c4f94388e7465b997320265a5
SHA256a365264dd2d3388acc38b2f5c8f3c267bbf83ca463f70fbf6c8459123a7cc33d
SHA51297bb77e8c9c7a1a46fa416a917787ddced3439f72ea35558f22fa2450fbbd11928f3442baec0b33b14576683baa6c1c6b3e1376bd7742da358c808bf07db28e9
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvkkmar\hpvkkmar.3.csFilesize
8KB
MD56ba707982ee7e5f0ae55ce3fa5ccad17
SHA1d094c98491058ed49861ce82701abe1f38385f18
SHA25619af9bea270f830354af8250cd82db32fdcab6327d139e2720713fb7d43a5797
SHA512d9cf480c32bfb806c72a2dc6fe211c4806388ccf548d55b059e633e8f814d46c80ef73eacfb02398fd3b1e75b7c44b8a1ba0b29476edbf9fe1b29322798d3cfa
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvkkmar\hpvkkmar.4.csFilesize
2KB
MD5fae5458a5b3cee952e25d44d6eb9db85
SHA1060d40137e9cce9f40adbb3b3763d1f020601e42
SHA256240478bb9c522341906a0ef376e0188ce6106856a26a3ae0f7b58af07a377a06
SHA51225f406f747518aef3a1c5c3d66e8bd474429b05ef994303c5f7bc5d3669d691d9dc21ea8f8a35e20b84f8c406bf89835f2f5007a8f743df755e67b4c380fa236
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvkkmar\hpvkkmar.5.csFilesize
4KB
MD542f157ad8e79e06a142791d6e98e0365
SHA1a05e8946e04907af3f631a7de1537d7c1bb34443
SHA256e30402cd45589982489719678adf59b016674faa6f7a9af074601e978cc9a0ed
SHA512e214e1cd49e677e1ed632e86e4d1680b0d04a7a0086a273422c14c28485dc549cc5b4bde13e45336f0c4b842751dfd6ef702df3524bc6570c477a4f713db09dc
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvkkmar\hpvkkmar.6.csFilesize
6KB
MD58ec0f0e49ffe092345673ab4d9f45641
SHA1401bd9e2894e9098504f7cc8f8d52f86c3ebe495
SHA25693b9f783b5faed3ecfafbe20dfcf1bee3ce33f66909879cd39ae88c36acbdfac
SHA51260363b36587a3ace9ae1dbc21ffd39f903e5f51945eebdcf0316904eee316c9d711d7a014b28977d54eef25dec13f659aab06325f761d9f3ce9baca3cb12f248
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvkkmar\hpvkkmar.7.csFilesize
16KB
MD505206d577ce19c1ef8d9341b93cd5520
SHA11ee5c862592045912eb45f9d94376f47b5410d3d
SHA256e2bbdc7ba4236f9c4cb829d63137fdac3a308fd5da96acea35212beafe01b877
SHA5124648fa7ea0a35a148e9dac1f659601ebf48910ca699ed9ef8d46614c7cbe14fcf47fa30dc87af53b987934a2a56cd71fd0e58182ef36a97ed47bd84637b54855
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvkkmar\hpvkkmar.8.csFilesize
561B
MD57ae06a071e39d392c21f8395ef5a9261
SHA1007e618097c9a099c9f5c3129e5bbf1fc7deb930
SHA25600e152629bdbf25a866f98e6fc30626d2514527beef1b76ebb85b1f5f9c83718
SHA5125203c937597e51b97273040fe441392e0df7841f680fcca0d761ac6d47b72d02c8918614f030fbf23d8a58cb5625b702546e4c6f93e130cc5d3b41c154c42655
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvkkmar\hpvkkmar.9.csFilesize
10KB
MD5380d15f61b0e775054eefdce7279510d
SHA147285dc55dafd082edd1851eea8edc2f7a1d0157
SHA256bef491a61351ad58cda96b73dba70027fdbe4966917e33145ba5cfa8c83bc717
SHA512d4cbaad29d742d55926fea6b3fa1cf754c3e71736e763d9271dc983e08fce5251fa849d4ecdc1187c29f92e27adab22b8f99791e46302b5d9c2e90b832c28c28
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvkkmar\hpvkkmar.cmdlineFilesize
831B
MD57280fa793e5ceefb97da62dbe43f1cf5
SHA1d0008220ee6cfb251f286dd2bf601cf5fdfdcec8
SHA256b5c7e27bf679a1fe1e3c1bc5dab160bbd9bca5fb7d82ef092b0f7bde7482c3f6
SHA5121ed6fd775ef9f629c6d8fc4f498270a62dd39e68a160187e470b2f34f673c5bf8b99b4ecb9e797115fca576f177c4ebe1998b6f404662fa5025cbed6dee50c8e
-
memory/1752-10-0x00000000023D0000-0x0000000002406000-memory.dmpFilesize
216KB
-
memory/1752-12-0x0000000000AA0000-0x0000000000AAE000-memory.dmpFilesize
56KB
-
memory/1752-14-0x0000000005460000-0x0000000005576000-memory.dmpFilesize
1.1MB
-
memory/1752-16-0x0000000074220000-0x000000007490E000-memory.dmpFilesize
6.9MB
-
memory/1752-17-0x0000000004F40000-0x0000000004F48000-memory.dmpFilesize
32KB
-
memory/1752-18-0x0000000074220000-0x000000007490E000-memory.dmpFilesize
6.9MB
-
memory/1752-19-0x0000000074220000-0x000000007490E000-memory.dmpFilesize
6.9MB
-
memory/1752-20-0x0000000074220000-0x000000007490E000-memory.dmpFilesize
6.9MB
-
memory/1752-21-0x000000007422E000-0x000000007422F000-memory.dmpFilesize
4KB
-
memory/1752-22-0x0000000074220000-0x000000007490E000-memory.dmpFilesize
6.9MB
-
memory/1752-23-0x0000000074220000-0x000000007490E000-memory.dmpFilesize
6.9MB
-
memory/1752-24-0x0000000074220000-0x000000007490E000-memory.dmpFilesize
6.9MB
-
memory/1752-25-0x0000000074220000-0x000000007490E000-memory.dmpFilesize
6.9MB
-
memory/1752-26-0x0000000074220000-0x000000007490E000-memory.dmpFilesize
6.9MB
-
memory/1752-13-0x0000000005310000-0x000000000545A000-memory.dmpFilesize
1.3MB
-
memory/1752-15-0x0000000002520000-0x0000000002550000-memory.dmpFilesize
192KB
-
memory/1752-11-0x0000000000A90000-0x0000000000A9E000-memory.dmpFilesize
56KB
-
memory/1752-0-0x000000007422E000-0x000000007422F000-memory.dmpFilesize
4KB
-
memory/1752-9-0x0000000000A10000-0x0000000000A2E000-memory.dmpFilesize
120KB
-
memory/1752-8-0x00000000024B0000-0x000000000251E000-memory.dmpFilesize
440KB
-
memory/1752-7-0x00000000009B0000-0x00000000009C4000-memory.dmpFilesize
80KB
-
memory/1752-6-0x0000000000640000-0x0000000000650000-memory.dmpFilesize
64KB
-
memory/1752-5-0x0000000000980000-0x00000000009A0000-memory.dmpFilesize
128KB
-
memory/1752-4-0x0000000000620000-0x0000000000640000-memory.dmpFilesize
128KB
-
memory/1752-3-0x0000000074220000-0x000000007490E000-memory.dmpFilesize
6.9MB
-
memory/1752-2-0x00000000003D0000-0x00000000003EC000-memory.dmpFilesize
112KB
-
memory/1752-1-0x0000000000BB0000-0x0000000000EEA000-memory.dmpFilesize
3.2MB
-
memory/1752-57-0x0000000074220000-0x000000007490E000-memory.dmpFilesize
6.9MB
-
memory/1752-58-0x0000000074220000-0x000000007490E000-memory.dmpFilesize
6.9MB