Overview

overview

10

Static

static

13624ffe8c...09.exe

windows7_x64

10

13624ffe8c...09.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-03-2022 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309.exe

  • Size

    737KB

  • MD5

    549ff20a80778cb9367e1bf98950ed2c

  • SHA1

    faf24d282d0fe762e9094d77f2c9823490dcc776

  • SHA256

    13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309

  • SHA512

    6e94a4b95b37ead2cac4dea2a23af5f11e02ae450fded489b5af720615e6c4699723105af20979c5c7cc4b11fab2c10717e668bfa09820681d6d77f0eb91f95b

Score
10/10
shurkinfostealerspywarestealer

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Shurk Stealer Payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309.exe
    "C:\Users\Admin\AppData\Local\Temp\13624ffe8cd64d5c30602bf57f83245235e251ba2f92d81a7f7c2d1530c5a309.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3660
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bat.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4476
        • C:\Users\Admin\AppData\Local\Temp\SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.sfx.exe
          SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.sfx.exe -pSSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.exe -dC:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4548
          • C:\Users\Admin\AppData\Local\Temp\SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.exe
            "C:\Users\Admin\AppData\Local\Temp\SSFoprOgoFejFkSGjDDsSSSsSFPgoSjAgVN.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1656

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads