shurk | 74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-en-20211208
submitted
29-12-2021 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe
Size

1.8MB
MD5

6c6e76d71006c755fc2fee38fc08e109
SHA1

2b77a52e4c1cae8ba6cf952a6d9b664e729231ea
SHA256

74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216
SHA512

ec3a9d2716fb1bb0fb3cdd55464fa91bce0abbf24ab539f90dbc3bb723781b98c64ce423c2fbba1666be49d192c75fce9033288a6ce80726fc2a6b2e77bda21b

Score

10^/10

shurk evasion infostealer spyware stealer trojan

Malware Config

Signatures

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1576-56-0x0000000000400000-0x0000000000820000-memory.dmp	shurk_stealer
behavioral1/memory/1576-57-0x0000000000400000-0x0000000000820000-memory.dmp	shurk_stealer
behavioral1/memory/1576-106-0x0000000000400000-0x0000000000820000-memory.dmp	shurk_stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1576	74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe

C:\Users\Admin\AppData\Local\Temp\74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe
"C:\Users\Admin\AppData\Local\Temp\74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1576-55-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1576-56-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/1576-57-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/1576-59-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1576-58-0x0000000000340000-0x00000000003A0000-memory.dmp

Filesize
384KB

Download
memory/1576-60-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1576-62-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1576-61-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1576-63-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1576-64-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1576-65-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1576-66-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/1576-68-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/1576-67-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/1576-70-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/1576-69-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/1576-71-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/1576-73-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1576-72-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1576-75-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1576-74-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1576-76-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1576-77-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1576-79-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/1576-78-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/1576-81-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/1576-80-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1576-83-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/1576-82-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1576-86-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/1576-87-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/1576-85-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1576-84-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1576-89-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/1576-88-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/1576-91-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/1576-90-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/1576-92-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1576-93-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1576-95-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1576-94-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1576-96-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1576-98-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1576-97-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1576-99-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1576-100-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1576-101-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1576-102-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1576-103-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1576-104-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1576-105-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1576-106-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download