Analysis
-
max time kernel
164s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
02-05-2022 18:37
Static task
static1
Behavioral task
behavioral1
Sample
3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe
Resource
win10v2004-20220414-en
General
-
Target
3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe
-
Size
731KB
-
MD5
3511986f2471c29eae35457fe4dbc33c
-
SHA1
d6fe1966a12d94e3deba234c7bcd86a6c36f8e0d
-
SHA256
3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0
-
SHA512
1cd0d480ac6400d45fdcb1505145fc2547723fc26b9f9f0115fefff9b990b3b637ca2489facdd6d7422a4b299a215b9d0274512a780fb52f7e7f125bbd2e3996
Malware Config
Signatures
-
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
-
Shurk Stealer Payload 2 IoCs
resource yara_rule behavioral2/files/0x00070000000231ea-138.dat shurk_stealer behavioral2/files/0x00070000000231ea-139.dat shurk_stealer -
Executes dropped EXE 2 IoCs
pid Process 4620 xrendenmenderls.sfx.exe 748 xrendenmenderls.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation 3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation xrendenmenderls.sfx.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings 3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 748 xrendenmenderls.exe 748 xrendenmenderls.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3208 wrote to memory of 4788 3208 3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe 82 PID 3208 wrote to memory of 4788 3208 3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe 82 PID 3208 wrote to memory of 4788 3208 3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe 82 PID 4788 wrote to memory of 2364 4788 WScript.exe 84 PID 4788 wrote to memory of 2364 4788 WScript.exe 84 PID 4788 wrote to memory of 2364 4788 WScript.exe 84 PID 2364 wrote to memory of 4620 2364 cmd.exe 86 PID 2364 wrote to memory of 4620 2364 cmd.exe 86 PID 2364 wrote to memory of 4620 2364 cmd.exe 86 PID 4620 wrote to memory of 748 4620 xrendenmenderls.sfx.exe 88 PID 4620 wrote to memory of 748 4620 xrendenmenderls.sfx.exe 88 PID 4620 wrote to memory of 748 4620 xrendenmenderls.sfx.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe"C:\Users\Admin\AppData\Local\Temp\3354ead05f180c2431766d4736409e8b11a8db5515a847105a7b9817c0f0aac0.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bat.bat3⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.sfx.exexrendenmenderls.sfx.exe -pxrendenmenderls.exe -dC:\Users\Admin\AppData\Local\Temp4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.exe"C:\Users\Admin\AppData\Local\Temp\xrendenmenderls.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:748
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65B
MD5ecc629f858e637cd8868cd7604fa3ed3
SHA1d18f244ef678ef01301c09e2fde1131441d42bea
SHA25626c00a6aba4eeaefb1fb18b3530c1d2beff57a486aeb4b874fc607e5fa6d3af1
SHA5120e231e52090360473cc94e253bee36f20c315711a0340b84effecd26cc4d8230c0017cbdabf8a968819836e13f5aa229ea9c0460dd718de44c2b231a688a6869
-
Filesize
89B
MD5dc06d3c7415f4f6b05272426a63e9fd1
SHA12a148ec726cde2a19222c03ebf2cf48e8a5c171f
SHA256101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093
SHA512d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a
-
Filesize
502KB
MD59d0818fd81968412a52a9c75151a24e6
SHA1acc4c5839ca0d6d8bb7a7f13b2c309b9b548ae08
SHA256406edf7bbc401e7115fe8aa68dcb20ccf3c534791741d2a98ef0429d426a49be
SHA5126de21e9f61c974352372589dc8d5345773080bc7d45df913acbde769645691c1789f41ce3989b06064b99a5add0a320224aef1369961780a98439ebf63c373f7
-
Filesize
502KB
MD59d0818fd81968412a52a9c75151a24e6
SHA1acc4c5839ca0d6d8bb7a7f13b2c309b9b548ae08
SHA256406edf7bbc401e7115fe8aa68dcb20ccf3c534791741d2a98ef0429d426a49be
SHA5126de21e9f61c974352372589dc8d5345773080bc7d45df913acbde769645691c1789f41ce3989b06064b99a5add0a320224aef1369961780a98439ebf63c373f7
-
Filesize
567KB
MD5a7ed91e2f8ac378bef41e72590a46a21
SHA176acb795c044b23304501e57771ab1db68c5a60e
SHA25640e0d598724114492d6c6cdf3403959ae0b48125230c35f30f9248476a4d4e8c
SHA512ef54c99d4358a19d5c503c40ff2a2a999f807f79e80342e1ec54962bbf904b5f8b2fcf70cf7e8dc99ec8e5460e93852cc5cfa2b5c8e343e66583ee81f32596bd
-
Filesize
567KB
MD5a7ed91e2f8ac378bef41e72590a46a21
SHA176acb795c044b23304501e57771ab1db68c5a60e
SHA25640e0d598724114492d6c6cdf3403959ae0b48125230c35f30f9248476a4d4e8c
SHA512ef54c99d4358a19d5c503c40ff2a2a999f807f79e80342e1ec54962bbf904b5f8b2fcf70cf7e8dc99ec8e5460e93852cc5cfa2b5c8e343e66583ee81f32596bd