Analysis

  • max time kernel
    164s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 18:37

General

  • Target

    3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe

  • Size

    731KB

  • MD5

    3511986f2471c29eae35457fe4dbc33c

  • SHA1

    d6fe1966a12d94e3deba234c7bcd86a6c36f8e0d

  • SHA256

    3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0

  • SHA512

    1cd0d480ac6400d45fdcb1505145fc2547723fc26b9f9f0115fefff9b990b3b637ca2489facdd6d7422a4b299a215b9d0274512a780fb52f7e7f125bbd2e3996

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer written in C++ that first appeared in 2021.

  • Shurk Stealer Payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this heuristic as likely ransomware behaviour, but for an infostealer it more plausibly reflects drive enumeration ahead of file collection.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe
    "C:\Users\Admin\AppData\Local\Temp\3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bat.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.sfx.exe
          xrendenmenderls.sfx.exe -pxrendenmenderls.exe -dC:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4620
          • C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.exe
            "C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:748
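
The process tree above is the whole dropper chain: the sample drops vbs.vbs, WScript.exe runs it, the VBScript runs bat.bat through cmd.exe, and the batch file launches a WinRAR self-extractor with -p<password> (the password here is the literal string xrendenmenderls.exe) and -d<destination> (the user's Temp folder); the extracted xrendenmenderls.exe is the stealer payload. The SysWOW64 image paths against System32 command lines are WoW64 file-system redirection, which tells you the parent is a 32-bit process. The detection below is an added example for this page, not code from the sandbox vendor or from the malware: it replays constructed process-creation events shaped like this tree and flags a password-protected SFX launched under cmd.exe under a script host, then reports which children run out of the extraction directory. The ProcEvent record, the parent PIDs 1100/1200 and the benign PID 5000 are assumptions, not report fields.

```python
"""Detection logic for the script-host -> cmd.exe -> password-protected SFX
dropper chain. Added example; not the sandbox's or the sample's own code.
ProcEvent is an assumed, simplified process-creation record (Sysmon Event
ID 1 / EDR telemetry carries the same fields under other names)."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # on-disk image path as the kernel reports it
    cmdline: str    # command line as the parent supplied it


# Constructed sample events mirroring the report's process tree, plus one
# benign interactive cmd.exe (PID 5000) that must not trigger.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = r"\3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe"
SAMPLE_EVENTS = [
    ProcEvent(3208, 1100, TEMP + SAMPLE, '"' + TEMP + SAMPLE + '"'),
    ProcEvent(4788, 3208, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "' + TEMP + r'\vbs.vbs"'),
    ProcEvent(2364, 4788, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c bat.bat'),
    ProcEvent(4620, 2364, TEMP + r"\xrendenmenderls.sfx.exe",
              r"xrendenmenderls.sfx.exe -pxrendenmenderls.exe -d" + TEMP),
    ProcEvent(748, 4620, TEMP + r"\xrendenmenderls.exe",
              '"' + TEMP + r'\xrendenmenderls.exe"'),
    ProcEvent(5000, 1200, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe"'),
]

_TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted argument or bare word
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_sfx_switches(cmdline: str) -> dict:
    """Pull WinRAR SFX switches out of a command line.

    WinRAR self-extractors take -p<password> and -d<destination dir> glued
    to the switch letter with no space; -s, -s1 and -s2 make it silent.
    """
    found = {"password": None, "dest": None, "silent": False}
    for tok in _TOKEN.findall(cmdline)[1:]:      # [0] is the image itself
        tok = tok.strip('"')
        key = tok[:2].lower()
        if key == "-p" and len(tok) > 2:
            found["password"] = tok[2:]
        elif key == "-d" and len(tok) > 2:
            found["dest"] = tok[2:]
        elif tok.lower() in ("-s", "-s1", "-s2"):
            found["silent"] = True
    return found


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def find_sfx_dropper_chains(events, max_depth: int = 4):
    """Flag a password-protected SFX whose ancestry (within max_depth hops)
    contains cmd.exe and a script host; list children started from -d<dir>."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    hits = []
    for sfx in events:
        sw = parse_sfx_switches(sfx.cmdline)
        if sw["password"] is None or sw["dest"] is None:
            continue
        ancestors, parent, depth = [], by_pid.get(sfx.ppid), 0
        while parent is not None and depth < max_depth:
            ancestors.append(_base(parent.image))
            parent = by_pid.get(parent.ppid)
            depth += 1
        if "cmd.exe" not in ancestors or not SCRIPT_HOSTS & set(ancestors):
            continue
        # Children whose image lives in the extraction directory are the
        # most likely payloads; ntpath keeps this Windows-aware on any OS.
        dest = ntpath.normcase(sw["dest"].rstrip("\\"))
        payloads = [c.pid for c in children[sfx.pid]
                    if ntpath.normcase(ntpath.dirname(c.image)) == dest]
        hits.append({"sfx_pid": sfx.pid, "password": sw["password"],
                     "dest": sw["dest"], "silent": sw["silent"],
                     "payload_pids": payloads})
    return hits


if __name__ == "__main__":
    for hit in find_sfx_dropper_chains(SAMPLE_EVENTS):
        print(hit)
```

Keying on the -p/-d switch pair rather than on file names survives the trivial renames a packer-as-a-service crimeware chain goes through between campaigns; the recovered password is also exactly what you need to open the SFX archive offline.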

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bat.bat

    Filesize

    65B

    MD5

    ecc629f858e637cd8868cd7604fa3ed3

    SHA1

    d18f244ef678ef01301c09e2fde1131441d42bea

    SHA256

    26c00a6aba4eeaefb1fb18b3530c1d2beff57a486aeb4b874fc607e5fa6d3af1

    SHA512

    0e231e52090360473cc94e253bee36f20c315711a0340b84effecd26cc4d8230c0017cbdabf8a968819836e13f5aa229ea9c0460dd718de44c2b231a688a6869

  • C:\Users\Admin\AppData\Local\Temp\vbs.vbs

    Filesize

    89B

    MD5

    dc06d3c7415f4f6b05272426a63e9fd1

    SHA1

    2a148ec726cde2a19222c03ebf2cf48e8a5c171f

    SHA256

    101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

    SHA512

    d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

  • C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.exe

    Filesize

    502KB

    MD5

    9d0818fd81968412a52a9c75151a24e6

    SHA1

    acc4c5839ca0d6d8bb7a7f13b2c309b9b548ae08

    SHA256

    406edf7bbc401e7115fe8aa68dcb20ccf3c534791741d2a98ef0429d426a49be

    SHA512

    6de21e9f61c974352372589dc8d5345773080bc7d45df913acbde769645691c1789f41ce3989b06064b99a5add0a320224aef1369961780a98439ebf63c373f7

  • C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.sfx.exe

    Filesize

    567KB

    MD5

    a7ed91e2f8ac378bef41e72590a46a21

    SHA1

    76acb795c044b23304501e57771ab1db68c5a60e

    SHA256

    40e0d598724114492d6c6cdf3403959ae0b48125230c35f30f9248476a4d4e8c

    SHA512

    ef54c99d4358a19d5c503c40ff2a2a999f807f79e80342e1ec54962bbf904b5f8b2fcf70cf7e8dc99ec8e5460e93852cc5cfa2b5c8e343e66583ee81f32596bd
