Overview

overview

10

Static

static

02dc23d65a...0e.exe

windows7_x64

10

02dc23d65a...0e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    06-03-2022 20:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02dc23d65a2d31b758defd3f43d5ba64dce3229ff4cdbf9cec5e63915ba4d20e.exe

  • Size

    732KB

  • MD5

    05e7d8ed8b7301e8e4bf2a08aeef2e0a

  • SHA1

    6b51a2ee1e058167de7877c4a6c4a6d2e1bed711

  • SHA256

    02dc23d65a2d31b758defd3f43d5ba64dce3229ff4cdbf9cec5e63915ba4d20e

  • SHA512

    8eb45f9a947e51d8c6f4c76b04962c67df2b3b843975cc86231e0ad00ee3dcd7dcfdfdc97331ccf2900b76e0c619d4d4d8b73ffe17261b3fa297b3836b8be335

Score
10/10
shurkinfostealerspywarestealer

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Shurk Stealer Payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02dc23d65a2d31b758defd3f43d5ba64dce3229ff4cdbf9cec5e63915ba4d20e.exe
    "C:\Users\Admin\AppData\Local\Temp\02dc23d65a2d31b758defd3f43d5ba64dce3229ff4cdbf9cec5e63915ba4d20e.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bat.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3272
        • C:\Users\Admin\AppData\Local\Temp\SpdoSPofdsafpASFPpasFkkdsfkokEFGg.sfx.exe
          SpdoSPofdsafpASFPpasFkkdsfkokEFGg.sfx.exe -pSpdoSPofdsafpASFPpasFkkdsfkokEFGg.exe -dC:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4336
          • C:\Users\Admin\AppData\Local\Temp\SpdoSPofdsafpASFPpasFkkdsfkokEFGg.exe
            "C:\Users\Admin\AppData\Local\Temp\SpdoSPofdsafpASFPpasFkkdsfkokEFGg.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3472

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads