Analysis

  • max time kernel
    99s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    06-04-2022 16:38

General

  • Target

    90650bd59d65af3b3cc34b318b68dd9c.exe

  • Size

    434KB

  • MD5

    90650bd59d65af3b3cc34b318b68dd9c

  • SHA1

    a4042d9bb65c98c6476f03f4bca45b568c3f0317

  • SHA256

    cd197cd5e1dfc36ee9b6c148fdf19ae215faa6c3707045909c41b3ac8d28e673

  • SHA512

    98120dc5907acd56d6f0948df1b1061d75f99aef21ac7120f66f904c59974758d75643fe507de4c605918810dd40527401deeb4434c3fdccce63f87320c464d2

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer written in C++ that first appeared in 2021.

  • Shurk Stealer Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely to geofence execution.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, session cookies and autofill entries.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This generic signature is usually associated with ransomware; in this report the sample is classified as an infostealer, so drive enumeration is more consistent with locating files to harvest.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90650bd59d65af3b3cc34b318b68dd9c.exe
    "C:\Users\Admin\AppData\Local\Temp\90650bd59d65af3b3cc34b318b68dd9c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\ProgramData\newq.exe
      "C:\ProgramData\newq.exe"
      2⤵
      • Executes dropped EXE
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1096

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\newq.exe

    Filesize

    7.4MB

    MD5

    f543e8be3bdb1500f4c1fec95e8adc65

    SHA1

    c6814f27d0a89ac4fd3afd859fb0c8eb329ef12d

    SHA256

    834515f39e92aebf57fa605e96cbe5348801c53fa355caee2565b4ea2fbb6d97

    SHA512

    7c6575b79e69d17ab61aaf9cae23bc5ce0e7eabc30d0279ab8eee92de9d79893c29987f8519ac83c739410ec2ab89f5d2658582cb119b599fb0cd9be8300085a

  • memory/3320-134-0x0000000000D30000-0x0000000000DA2000-memory.dmp

    Filesize

    456KB

  • memory/3320-135-0x00007FF95FB30000-0x00007FF9605F1000-memory.dmp

    Filesize

    10.8MB

  • memory/3320-136-0x000000001B9F0000-0x000000001B9F2000-memory.dmp

    Filesize

    8KB
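Added example, not part of the sandbox report or of the sample itself: an offline matcher that takes the file hashes and the C:\ProgramData\newq.exe drop path listed above and sweeps a directory tree (for instance a mounted disk image) for them. Every file is read once and all four digests are computed in the same pass, so a hit on any one of MD5, SHA1, SHA256 or SHA512 is enough to flag it; the digests are validated first so a mistyped IOC fails loudly instead of silently never matching. The mount-root argument, the function names and any sample content are this example's own assumptions.

```python
"""Offline IOC matcher for the hashes and drop path in the report above."""
import hashlib
import os
import sys

# Digests copied from the sandbox report: label -> algorithm -> hex digest.
IOCS = {
    "90650bd59d65af3b3cc34b318b68dd9c.exe (submitted dropper, 434KB)": {
        "md5": "90650bd59d65af3b3cc34b318b68dd9c",
        "sha1": "a4042d9bb65c98c6476f03f4bca45b568c3f0317",
        "sha256": "cd197cd5e1dfc36ee9b6c148fdf19ae215faa6c3707045909c41b3ac8d28e673",
        "sha512": "98120dc5907acd56d6f0948df1b1061d75f99aef21ac7120f66f904c59974758"
                  "d75643fe507de4c605918810dd40527401deeb4434c3fdccce63f87320c464d2",
    },
    "newq.exe (dropped Shurk payload, 7.4MB)": {
        "md5": "f543e8be3bdb1500f4c1fec95e8adc65",
        "sha1": "c6814f27d0a89ac4fd3afd859fb0c8eb329ef12d",
        "sha256": "834515f39e92aebf57fa605e96cbe5348801c53fa355caee2565b4ea2fbb6d97",
        "sha512": "7c6575b79e69d17ab61aaf9cae23bc5ce0e7eabc30d0279ab8eee92de9d79893"
                  "c29987f8519ac83c739410ec2ab89f5d2658582cb119b599fb0cd9be8300085a",
    },
}

# Drop location from the process tree, relative to the volume root.
DROP_RELATIVE = ("ProgramData", "newq.exe")

ALGOS = ("md5", "sha1", "sha256", "sha512")
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def validate_iocs(iocs=IOCS):
    """Reject malformed digests (wrong length or non-hex) before hunting with them."""
    for label, digests in iocs.items():
        for algo, hexdigest in digests.items():
            if algo not in DIGEST_HEX_LEN:
                raise ValueError(f"{label}: unknown algorithm {algo}")
            if len(hexdigest) != DIGEST_HEX_LEN[algo]:
                raise ValueError(f"{label}: {algo} digest has length {len(hexdigest)}")
            int(hexdigest, 16)  # raises ValueError on non-hex characters
    return True


def hash_file(path, chunk_size=1 << 20):
    """Compute all four digests in a single pass over the file."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_file(path, iocs=IOCS):
    """Return the IOC labels whose digests match this file (any one algorithm suffices)."""
    digests = hash_file(path)
    hits = []
    for label, ioc in iocs.items():
        if any(digests.get(algo) == hexdigest.lower() for algo, hexdigest in ioc.items()):
            hits.append(label)
    return hits


def scan_tree(root, iocs=IOCS):
    """Walk a directory tree and report (path, label) for every file matching a known hash."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                labels = match_file(path, iocs)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            findings.extend((path, label) for label in labels)
    return findings


def dropped_payload_paths(mount_root):
    """Return the reported drop path(s) that exist under mount_root (e.g. a mounted image).

    The hash-independent check matters because a rebuilt or repacked payload will not
    match the digests above but will still land at the same location."""
    candidate = os.path.join(mount_root, *DROP_RELATIVE)
    return [candidate] if os.path.isfile(candidate) else []


if __name__ == "__main__":
    # Usage: python shurk_ioc_scan.py <mount_root>   (mount root is an assumption)
    validate_iocs()
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, hit_label in scan_tree(root):
        print(f"HASH MATCH  {hit_path}  ->  {hit_label}")
    for hit_path in dropped_payload_paths(root):
        print(f"DROP PATH   {hit_path}")
```

Run it against the root of a mounted volume rather than a live system where possible, and treat a drop-path hit without a hash match as a reason to pull the file for analysis, not as a clean result: the hashes only identify this exact build of newq.exe.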