Overview

overview

10

Static

static

794c23dd8f...bf.exe

windows7_x64

10

794c23dd8f...bf.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-03-2022 03:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    794c23dd8f2c86e3fb263e9e3f615551ef3a1183e7dc99e9eeea3faee47453bf.exe

  • Size

    731KB

  • MD5

    b9e1489d3bf19c77c3460a06169adc61

  • SHA1

    686257133c5e52b71a864646faeb6e4b21e651e3

  • SHA256

    794c23dd8f2c86e3fb263e9e3f615551ef3a1183e7dc99e9eeea3faee47453bf

  • SHA512

    de38d10d56a6ab283bd19008dbc35873ffc8d6651be07cb36706a519b5d200586e202a5e2e741ccbfcf8d5a56ba7baa596bc8776e57d31f142512f0f52baa6dc

Score
10/10
shurkinfostealerspywarestealer

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Shurk Stealer Payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\794c23dd8f2c86e3fb263e9e3f615551ef3a1183e7dc99e9eeea3faee47453bf.exe
    "C:\Users\Admin\AppData\Local\Temp\794c23dd8f2c86e3fb263e9e3f615551ef3a1183e7dc99e9eeea3faee47453bf.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3732
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bat.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4104
        • C:\Users\Admin\AppData\Local\Temp\SpAldWoqkAJqoAsdFGBxS.sfx.exe
          SpAldWoqkAJqoAsdFGBxS.sfx.exe -pSpAldWoqkAJqoAsdFGBxS.exe -dC:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:408
          • C:\Users\Admin\AppData\Local\Temp\SpAldWoqkAJqoAsdFGBxS.exe
            "C:\Users\Admin\AppData\Local\Temp\SpAldWoqkAJqoAsdFGBxS.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1292

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads