Analysis

  • max time kernel: 42s
  • max time network: 46s
  • platform: windows7_x64
  • resource: win7-20220331-en
  • submitted: 06-04-2022 16:38

General

  • Target: 90650bd59d65af3b3cc34b318b68dd9c.exe
  • Size: 434KB
  • MD5: 90650bd59d65af3b3cc34b318b68dd9c
  • SHA1: a4042d9bb65c98c6476f03f4bca45b568c3f0317
  • SHA256: cd197cd5e1dfc36ee9b6c148fdf19ae215faa6c3707045909c41b3ac8d28e673
  • SHA512: 98120dc5907acd56d6f0948df1b1061d75f99aef21ac7120f66f904c59974758d75643fe507de4c605918810dd40527401deeb4434c3fdccce63f87320c464d2

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

  • Shurk Stealer Payload 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90650bd59d65af3b3cc34b318b68dd9c.exe
    "C:\Users\Admin\AppData\Local\Temp\90650bd59d65af3b3cc34b318b68dd9c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\ProgramData\newq.exe
      "C:\ProgramData\newq.exe"
      2⤵
      • Executes dropped EXE
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1312

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\newq.exe
    Filesize: 7.4MB
    MD5: f543e8be3bdb1500f4c1fec95e8adc65
    SHA1: c6814f27d0a89ac4fd3afd859fb0c8eb329ef12d
    SHA256: 834515f39e92aebf57fa605e96cbe5348801c53fa355caee2565b4ea2fbb6d97
    SHA512: 7c6575b79e69d17ab61aaf9cae23bc5ce0e7eabc30d0279ab8eee92de9d79893c29987f8519ac83c739410ec2ab89f5d2658582cb119b599fb0cd9be8300085a

  • \ProgramData\newq.exe
    Filesize: 7.4MB
    MD5: f543e8be3bdb1500f4c1fec95e8adc65
    SHA1: c6814f27d0a89ac4fd3afd859fb0c8eb329ef12d
    SHA256: 834515f39e92aebf57fa605e96cbe5348801c53fa355caee2565b4ea2fbb6d97
    SHA512: 7c6575b79e69d17ab61aaf9cae23bc5ce0e7eabc30d0279ab8eee92de9d79893c29987f8519ac83c739410ec2ab89f5d2658582cb119b599fb0cd9be8300085a

  • memory/1316-54-0x0000000001010000-0x0000000001082000-memory.dmp
    Filesize: 456KB

  • memory/1316-55-0x0000000000240000-0x00000000002E4000-memory.dmp
    Filesize: 656KB

  • memory/1316-56-0x000000001B0E0000-0x000000001B0E2000-memory.dmp
    Filesize: 8KB