shurk | 7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a

Analysis

max time kernel
139s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
02-05-2022 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a.exe
Size

731KB
MD5

f7447783a2122d8716e204dcd863245f
SHA1

0b8b6bc7caf1366700be7ff189563858869267a7
SHA256

7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a
SHA512

4cf0ef5615c40bc9d41a41b46b7490a4b22e958990f9ebb4a11b4528ea4491192a65efd1cd23649402bcbe0b5d0e90e2a43c7045cd971c436f150e252e4ca453

Score

10^/10

shurk infostealer spyware stealer

Malware Config

Signatures

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000900000001230e-65.dat	shurk_stealer
behavioral1/files/0x000900000001230e-66.dat	shurk_stealer
behavioral1/files/0x000900000001230e-67.dat	shurk_stealer
behavioral1/files/0x000900000001230e-69.dat	shurk_stealer

Executes dropped EXE 2 IoCs

pid	Process
1692	xgxmmsoondersleg.sfx.exe
1660	xgxmmsoondersleg.exe

Loads dropped DLL 4 IoCs

pid	Process
1388	cmd.exe
1692	xgxmmsoondersleg.sfx.exe
1692	xgxmmsoondersleg.sfx.exe
1692	xgxmmsoondersleg.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1660	xgxmmsoondersleg.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2008	1280	7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a.exe	27
PID 1280 wrote to memory of 2008	1280	7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a.exe	27
PID 1280 wrote to memory of 2008	1280	7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a.exe	27
PID 1280 wrote to memory of 2008	1280	7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a.exe	27
PID 2008 wrote to memory of 1388	2008	WScript.exe	28
PID 2008 wrote to memory of 1388	2008	WScript.exe	28
PID 2008 wrote to memory of 1388	2008	WScript.exe	28
PID 2008 wrote to memory of 1388	2008	WScript.exe	28
PID 1388 wrote to memory of 1692	1388	cmd.exe	30
PID 1388 wrote to memory of 1692	1388	cmd.exe	30
PID 1388 wrote to memory of 1692	1388	cmd.exe	30
PID 1388 wrote to memory of 1692	1388	cmd.exe	30
PID 1692 wrote to memory of 1660	1692	xgxmmsoondersleg.sfx.exe	31
PID 1692 wrote to memory of 1660	1692	xgxmmsoondersleg.sfx.exe	31
PID 1692 wrote to memory of 1660	1692	xgxmmsoondersleg.sfx.exe	31
PID 1692 wrote to memory of 1660	1692	xgxmmsoondersleg.sfx.exe	31

C:\Users\Admin\AppData\Local\Temp\7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a.exe
"C:\Users\Admin\AppData\Local\Temp\7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bat.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.sfx.exe
      xgxmmsoondersleg.sfx.exe -pxgxmmsoondersleg.exe -dC:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bat.bat

Filesize
67B

MD5
1a8e561b0828f1fe5a03edfe13310422

SHA1
4660dbeadc2f48caa86ab215ee0d0ba25eb56dd4

SHA256
e73edd2e35c984702c3c5221f3ebec10753a0ee4976ce6b4831ec1c25e1c81ba

SHA512
555738a5ee3ac433871583dd0dbdcd7239248570c90511dac90f2b811e305ba368368c3161e50b198e207c05157f9c6de44a3bbfcff4cf0cc71258ebd6c3cdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs

Filesize
89B

MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.exe

Filesize
502KB

MD5
6795b8fa91bb7b8b189237849f54a739

SHA1
63e5067d150dd9974a0dcf2b3ac4001e3a895941

SHA256
0bc14dae2f50eded59bf438ffeb1d63784e78d1eb440f9c7420cb134c864da39

SHA512
48d5e840308fbe9498439f0e267fd070d086dffe6a24c3bef1b3a4ed0cfbf796ebe57453bb0547a80dfd2bd0a7deb0cffa03a583e61a7f71208f780de52832cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.sfx.exe

Filesize
568KB

MD5
b6e3c4f4de63c41e0a3f809c7ceb7d2c

SHA1
71c9601cd4fce4bcd3ebd0783e465dcf4ee6d3dc

SHA256
9871cad6ed15c3897c608d07b9ec00355b040b8250dd6898a61a9344007bf21a

SHA512
4babbf8ea55c97c6287c436816295be25f8bf1cb9622694645b2b7da54aa2dcdb6fabe1ae92a197353bf69c0b12433139c81b2c99c1f55862a55dbc384a45e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.sfx.exe

Filesize
568KB

MD5
b6e3c4f4de63c41e0a3f809c7ceb7d2c

SHA1
71c9601cd4fce4bcd3ebd0783e465dcf4ee6d3dc

SHA256
9871cad6ed15c3897c608d07b9ec00355b040b8250dd6898a61a9344007bf21a

SHA512
4babbf8ea55c97c6287c436816295be25f8bf1cb9622694645b2b7da54aa2dcdb6fabe1ae92a197353bf69c0b12433139c81b2c99c1f55862a55dbc384a45e6c

Download Submit
\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.exe

Filesize
502KB

MD5
6795b8fa91bb7b8b189237849f54a739

SHA1
63e5067d150dd9974a0dcf2b3ac4001e3a895941

SHA256
0bc14dae2f50eded59bf438ffeb1d63784e78d1eb440f9c7420cb134c864da39

SHA512
48d5e840308fbe9498439f0e267fd070d086dffe6a24c3bef1b3a4ed0cfbf796ebe57453bb0547a80dfd2bd0a7deb0cffa03a583e61a7f71208f780de52832cc

Download Submit
\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.exe

Filesize
502KB

MD5
6795b8fa91bb7b8b189237849f54a739

SHA1
63e5067d150dd9974a0dcf2b3ac4001e3a895941

SHA256
0bc14dae2f50eded59bf438ffeb1d63784e78d1eb440f9c7420cb134c864da39

SHA512
48d5e840308fbe9498439f0e267fd070d086dffe6a24c3bef1b3a4ed0cfbf796ebe57453bb0547a80dfd2bd0a7deb0cffa03a583e61a7f71208f780de52832cc

Download Submit
\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.exe

Filesize
502KB

MD5
6795b8fa91bb7b8b189237849f54a739

SHA1
63e5067d150dd9974a0dcf2b3ac4001e3a895941

SHA256
0bc14dae2f50eded59bf438ffeb1d63784e78d1eb440f9c7420cb134c864da39

SHA512
48d5e840308fbe9498439f0e267fd070d086dffe6a24c3bef1b3a4ed0cfbf796ebe57453bb0547a80dfd2bd0a7deb0cffa03a583e61a7f71208f780de52832cc

Download Submit
\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.sfx.exe

Filesize
568KB

MD5
b6e3c4f4de63c41e0a3f809c7ceb7d2c

SHA1
71c9601cd4fce4bcd3ebd0783e465dcf4ee6d3dc

SHA256
9871cad6ed15c3897c608d07b9ec00355b040b8250dd6898a61a9344007bf21a

SHA512
4babbf8ea55c97c6287c436816295be25f8bf1cb9622694645b2b7da54aa2dcdb6fabe1ae92a197353bf69c0b12433139c81b2c99c1f55862a55dbc384a45e6c

Download Submit
memory/1280-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download