Analysis

  • max time kernel
    152s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 18:27

General

  • Target
    7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a.exe
  • Size
    731KB
  • MD5
    f7447783a2122d8716e204dcd863245f
  • SHA1
    0b8b6bc7caf1366700be7ff189563858869267a7
  • SHA256
    7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a
  • SHA512
    4cf0ef5615c40bc9d41a41b46b7490a4b22e958990f9ebb4a11b4528ea4491192a65efd1cd23649402bcbe0b5d0e90e2a43c7045cd971c436f150e252e4ca453

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer, written in C++, which first appeared in 2021.

  • Shurk Stealer Payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely used as a geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a.exe
    "C:\Users\Admin\AppData\Local\Temp\7c588bad30254ad265fe472b453699875ff7345ece5f21e3b12135a3712daa3a.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bat.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2088
        • C:\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.sfx.exe
          xgxmmsoondersleg.sfx.exe -pxgxmmsoondersleg.exe -dC:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3800
          • C:\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.exe
            "C:\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1856

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    Filesize
    67B
    MD5
    1a8e561b0828f1fe5a03edfe13310422
    SHA1
    4660dbeadc2f48caa86ab215ee0d0ba25eb56dd4
    SHA256
    e73edd2e35c984702c3c5221f3ebec10753a0ee4976ce6b4831ec1c25e1c81ba
    SHA512
    555738a5ee3ac433871583dd0dbdcd7239248570c90511dac90f2b811e305ba368368c3161e50b198e207c05157f9c6de44a3bbfcff4cf0cc71258ebd6c3cdfa

  • C:\Users\Admin\AppData\Local\Temp\vbs.vbs
    Filesize
    89B
    MD5
    dc06d3c7415f4f6b05272426a63e9fd1
    SHA1
    2a148ec726cde2a19222c03ebf2cf48e8a5c171f
    SHA256
    101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093
    SHA512
    d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

  • C:\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.exe
    Filesize
    502KB
    MD5
    6795b8fa91bb7b8b189237849f54a739
    SHA1
    63e5067d150dd9974a0dcf2b3ac4001e3a895941
    SHA256
    0bc14dae2f50eded59bf438ffeb1d63784e78d1eb440f9c7420cb134c864da39
    SHA512
    48d5e840308fbe9498439f0e267fd070d086dffe6a24c3bef1b3a4ed0cfbf796ebe57453bb0547a80dfd2bd0a7deb0cffa03a583e61a7f71208f780de52832cc

  • C:\Users\Admin\AppData\Local\Temp\xgxmmsoondersleg.sfx.exe
    Filesize
    568KB
    MD5
    b6e3c4f4de63c41e0a3f809c7ceb7d2c
    SHA1
    71c9601cd4fce4bcd3ebd0783e465dcf4ee6d3dc
    SHA256
    9871cad6ed15c3897c608d07b9ec00355b040b8250dd6898a61a9344007bf21a
    SHA512
    4babbf8ea55c97c6287c436816295be25f8bf1cb9622694645b2b7da54aa2dcdb6fabe1ae92a197353bf69c0b12433139c81b2c99c1f55862a55dbc384a45e6c
