shurk | 0cc485ab5c00ba95759d821215475fa2ef7d6e682cb53b97a3a7c90dd0d42c3b

General

Target

0cc485ab5c00ba95759d821215475fa2ef7d6e682cb53b97a3a7c90dd0d42c3b.exe
Size

732KB
MD5

32f6f764b86b1a3ad33e2c1b66f691c6
SHA1

7baadaa212daf9fa2ef6646410cf28a8301b9db4
SHA256

0cc485ab5c00ba95759d821215475fa2ef7d6e682cb53b97a3a7c90dd0d42c3b
SHA512

64ff433c41803196e88dd4de4825edac36a99a936600db350ac360c96f40532c8544006d6d4cf84c7d09158cf35d5e68995a9f828945fb000fee99081a23281f

Score

10^/10

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000020530-138.dat	shurk_stealer
behavioral2/files/0x0006000000020530-139.dat	shurk_stealer

Executes dropped EXE 2 IoCs

pid	Process
4904	SopDPdfDSAaSDfgokaDSOpdSFoogFlgkdSMkOSkkFLskeF.sfx.exe
4436	SopDPdfDSAaSDfgokaDSOpdSFoogFlgkdSMkOSkkFLskeF.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	0cc485ab5c00ba95759d821215475fa2ef7d6e682cb53b97a3a7c90dd0d42c3b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	SopDPdfDSAaSDfgokaDSOpdSFoogFlgkdSMkOSkkFLskeF.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings	0cc485ab5c00ba95759d821215475fa2ef7d6e682cb53b97a3a7c90dd0d42c3b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4436	SopDPdfDSAaSDfgokaDSOpdSFoogFlgkdSMkOSkkFLskeF.exe
4436	SopDPdfDSAaSDfgokaDSOpdSFoogFlgkdSMkOSkkFLskeF.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 3692	1488	0cc485ab5c00ba95759d821215475fa2ef7d6e682cb53b97a3a7c90dd0d42c3b.exe	81
PID 1488 wrote to memory of 3692	1488	0cc485ab5c00ba95759d821215475fa2ef7d6e682cb53b97a3a7c90dd0d42c3b.exe	81
PID 1488 wrote to memory of 3692	1488	0cc485ab5c00ba95759d821215475fa2ef7d6e682cb53b97a3a7c90dd0d42c3b.exe	81
PID 3692 wrote to memory of 2196	3692	WScript.exe	82
PID 3692 wrote to memory of 2196	3692	WScript.exe	82
PID 3692 wrote to memory of 2196	3692	WScript.exe	82
PID 2196 wrote to memory of 4904	2196	cmd.exe	84
PID 2196 wrote to memory of 4904	2196	cmd.exe	84
PID 2196 wrote to memory of 4904	2196	cmd.exe	84
PID 4904 wrote to memory of 4436	4904	SopDPdfDSAaSDfgokaDSOpdSFoogFlgkdSMkOSkkFLskeF.sfx.exe	86
PID 4904 wrote to memory of 4436	4904	SopDPdfDSAaSDfgokaDSOpdSFoogFlgkdSMkOSkkFLskeF.sfx.exe	86
PID 4904 wrote to memory of 4436	4904	SopDPdfDSAaSDfgokaDSOpdSFoogFlgkdSMkOSkkFLskeF.sfx.exe	86