Overview

overview

10

Static

static

568d57010d...cb.exe

windows7_x64

10

568d57010d...cb.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    174s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    07-03-2022 08:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    568d57010dccfb07b197bf77fbdc499c37d8addbc411da6e5725ea20714906cb.exe

  • Size

    732KB

  • MD5

    80a78957acf8c76491ec63b609047c13

  • SHA1

    f9baa60988ce6be300184a38903b353d590b6ded

  • SHA256

    568d57010dccfb07b197bf77fbdc499c37d8addbc411da6e5725ea20714906cb

  • SHA512

    3fe59945343eeab85817b03e00a4104458404bd9af7fd467d442ddf8b674365f5b8ddbdca0ca0b1d84a28839b028a9fc6d7efdca664db182544cd6164447cbce

Score
10/10
shurkinfostealerspywarestealer

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Shurk Stealer Payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\568d57010dccfb07b197bf77fbdc499c37d8addbc411da6e5725ea20714906cb.exe
    "C:\Users\Admin\AppData\Local\Temp\568d57010dccfb07b197bf77fbdc499c37d8addbc411da6e5725ea20714906cb.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bat.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Users\Admin\AppData\Local\Temp\SSSSSSDpDooqaDKoAFpASDFKpklSAFpsSSsSSS.sfx.exe
          SSSSSSDpDooqaDKoAFpASDFKpklSAFpsSSsSSS.sfx.exe -pSSSSSSDpDooqaDKoAFpASDFKpklSAFpsSSsSSS.exe -dC:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3400
          • C:\Users\Admin\AppData\Local\Temp\SSSSSSDpDooqaDKoAFpASDFKpklSAFpsSSsSSS.exe
            "C:\Users\Admin\AppData\Local\Temp\SSSSSSDpDooqaDKoAFpASDFKpklSAFpsSSsSSS.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1292

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads