Analysis

max time kernel: 123s
max time network: 138s
platform: windows10_x64
resource: win10-en-20211208
submitted: 29-12-2021 13:57
Static task: static1
Behavioral task: behavioral1
Sample: 74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe
Resource: win7-en-20211208
General

Target: 74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe
Size: 1.8MB
MD5: 6c6e76d71006c755fc2fee38fc08e109
SHA1: 2b77a52e4c1cae8ba6cf952a6d9b664e729231ea
SHA256: 74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216
SHA512: ec3a9d2716fb1bb0fb3cdd55464fa91bce0abbf24ab539f90dbc3bb723781b98c64ce423c2fbba1666be49d192c75fce9033288a6ce80726fc2a6b2e77bda21b
Malware Config
Signatures

Shurk
Shurk is an infostealer, written in C++, which appeared in 2021.

Shurk Stealer Payload (3 IoCs)
resource                                                                      yara_rule
behavioral2/memory/436-120-0x0000000000400000-0x0000000000820000-memory.dmp   shurk_stealer
behavioral2/memory/436-121-0x0000000000400000-0x0000000000820000-memory.dmp   shurk_stealer
behavioral2/memory/436-131-0x0000000000400000-0x0000000000820000-memory.dmp   shurk_stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description         ioc                                                               Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Checks whether UAC is enabled
description         ioc                                                                                 Process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
436   74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe
436   74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe
Processes

C:\Users\Admin\AppData\Local\Temp\74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\74092ed53b8950bef5b21cd6c91a217ce470c566ba5cc3035e4ee7ef1ca8d216.exe"
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID: 436