shurk | 3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0

Analysis

max time kernel
141s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
02-05-2022 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe
Size

731KB
MD5

3511986f2471c29eae35457fe4dbc33c
SHA1

d6fe1966a12d94e3deba234c7bcd86a6c36f8e0d
SHA256

3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0
SHA512

1cd0d480ac6400d45fdcb1505145fc2547723fc26b9f9f0115fefff9b990b3b637ca2489facdd6d7422a4b299a215b9d0274512a780fb52f7e7f125bbd2e3996

Score

10^/10

shurk infostealer spyware stealer

Malware Config

Signatures

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012301-65.dat	shurk_stealer
behavioral1/files/0x0009000000012301-67.dat	shurk_stealer
behavioral1/files/0x0009000000012301-66.dat	shurk_stealer
behavioral1/files/0x0009000000012301-69.dat	shurk_stealer

Executes dropped EXE 2 IoCs

pid	Process
1780	xrendenmenderls.sfx.exe
1820	xrendenmenderls.exe

Loads dropped DLL 4 IoCs

pid	Process
1716	cmd.exe
1780	xrendenmenderls.sfx.exe
1780	xrendenmenderls.sfx.exe
1780	xrendenmenderls.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1820	xrendenmenderls.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 900	1972	3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe	28
PID 1972 wrote to memory of 900	1972	3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe	28
PID 1972 wrote to memory of 900	1972	3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe	28
PID 1972 wrote to memory of 900	1972	3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe	28
PID 900 wrote to memory of 1716	900	WScript.exe	29
PID 900 wrote to memory of 1716	900	WScript.exe	29
PID 900 wrote to memory of 1716	900	WScript.exe	29
PID 900 wrote to memory of 1716	900	WScript.exe	29
PID 1716 wrote to memory of 1780	1716	cmd.exe	31
PID 1716 wrote to memory of 1780	1716	cmd.exe	31
PID 1716 wrote to memory of 1780	1716	cmd.exe	31
PID 1716 wrote to memory of 1780	1716	cmd.exe	31
PID 1780 wrote to memory of 1820	1780	xrendenmenderls.sfx.exe	32
PID 1780 wrote to memory of 1820	1780	xrendenmenderls.sfx.exe	32
PID 1780 wrote to memory of 1820	1780	xrendenmenderls.sfx.exe	32
PID 1780 wrote to memory of 1820	1780	xrendenmenderls.sfx.exe	32

C:\Users\Admin\AppData\Local\Temp\3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe
"C:\Users\Admin\AppData\Local\Temp\3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bat.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.sfx.exe
      xrendenmenderls.sfx.exe -pxrendenmenderls.exe -dC:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bat.bat

Filesize
65B

MD5
ecc629f858e637cd8868cd7604fa3ed3

SHA1
d18f244ef678ef01301c09e2fde1131441d42bea

SHA256
26c00a6aba4eeaefb1fb18b3530c1d2beff57a486aeb4b874fc607e5fa6d3af1

SHA512
0e231e52090360473cc94e253bee36f20c315711a0340b84effecd26cc4d8230c0017cbdabf8a968819836e13f5aa229ea9c0460dd718de44c2b231a688a6869

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs

Filesize
89B

MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.exe

Filesize
502KB

MD5
9d0818fd81968412a52a9c75151a24e6

SHA1
acc4c5839ca0d6d8bb7a7f13b2c309b9b548ae08

SHA256
406edf7bbc401e7115fe8aa68dcb20ccf3c534791741d2a98ef0429d426a49be

SHA512
6de21e9f61c974352372589dc8d5345773080bc7d45df913acbde769645691c1789f41ce3989b06064b99a5add0a320224aef1369961780a98439ebf63c373f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.sfx.exe

Filesize
567KB

MD5
a7ed91e2f8ac378bef41e72590a46a21

SHA1
76acb795c044b23304501e57771ab1db68c5a60e

SHA256
40e0d598724114492d6c6cdf3403959ae0b48125230c35f30f9248476a4d4e8c

SHA512
ef54c99d4358a19d5c503c40ff2a2a999f807f79e80342e1ec54962bbf904b5f8b2fcf70cf7e8dc99ec8e5460e93852cc5cfa2b5c8e343e66583ee81f32596bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.sfx.exe

Filesize
567KB

MD5
a7ed91e2f8ac378bef41e72590a46a21

SHA1
76acb795c044b23304501e57771ab1db68c5a60e

SHA256
40e0d598724114492d6c6cdf3403959ae0b48125230c35f30f9248476a4d4e8c

SHA512
ef54c99d4358a19d5c503c40ff2a2a999f807f79e80342e1ec54962bbf904b5f8b2fcf70cf7e8dc99ec8e5460e93852cc5cfa2b5c8e343e66583ee81f32596bd

Download Submit
\Users\Admin\AppData\Local\Temp\xrendenmenderls.exe

Filesize
502KB

MD5
9d0818fd81968412a52a9c75151a24e6

SHA1
acc4c5839ca0d6d8bb7a7f13b2c309b9b548ae08

SHA256
406edf7bbc401e7115fe8aa68dcb20ccf3c534791741d2a98ef0429d426a49be

SHA512
6de21e9f61c974352372589dc8d5345773080bc7d45df913acbde769645691c1789f41ce3989b06064b99a5add0a320224aef1369961780a98439ebf63c373f7

Download Submit
\Users\Admin\AppData\Local\Temp\xrendenmenderls.exe

Filesize
502KB

MD5
9d0818fd81968412a52a9c75151a24e6

SHA1
acc4c5839ca0d6d8bb7a7f13b2c309b9b548ae08

SHA256
406edf7bbc401e7115fe8aa68dcb20ccf3c534791741d2a98ef0429d426a49be

SHA512
6de21e9f61c974352372589dc8d5345773080bc7d45df913acbde769645691c1789f41ce3989b06064b99a5add0a320224aef1369961780a98439ebf63c373f7

Download Submit
\Users\Admin\AppData\Local\Temp\xrendenmenderls.exe

Filesize
502KB

MD5
9d0818fd81968412a52a9c75151a24e6

SHA1
acc4c5839ca0d6d8bb7a7f13b2c309b9b548ae08

SHA256
406edf7bbc401e7115fe8aa68dcb20ccf3c534791741d2a98ef0429d426a49be

SHA512
6de21e9f61c974352372589dc8d5345773080bc7d45df913acbde769645691c1789f41ce3989b06064b99a5add0a320224aef1369961780a98439ebf63c373f7

Download Submit
\Users\Admin\AppData\Local\Temp\xrendenmenderls.sfx.exe

Filesize
567KB

MD5
a7ed91e2f8ac378bef41e72590a46a21

SHA1
76acb795c044b23304501e57771ab1db68c5a60e

SHA256
40e0d598724114492d6c6cdf3403959ae0b48125230c35f30f9248476a4d4e8c

SHA512
ef54c99d4358a19d5c503c40ff2a2a999f807f79e80342e1ec54962bbf904b5f8b2fcf70cf7e8dc99ec8e5460e93852cc5cfa2b5c8e343e66583ee81f32596bd

Download Submit
memory/1972-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download