Overview

overview

10

Static

static

30015a22e8...09.exe

windows7_x64

10

30015a22e8...09.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    160s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09.exe

  • Size

    731KB

  • MD5

    28874004a01799ba8395ce196e6cb0e0

  • SHA1

    7837f1be070ce7a7f857a2eb225818780fd4a420

  • SHA256

    30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09

  • SHA512

    7bbfb6c523433b329b765a355f62d2df20c44ffd1cb4472a5674050867c77b45bc086102e25c3e3b6112a2477a9cb1ac0a10fb0b4fa186438557919c0438856b

Score
10/10
shurkinfostealerspywarestealer

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Shurk Stealer Payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09.exe
    "C:\Users\Admin\AppData\Local\Temp\30015a22e816fa1337c99c54088c7f08712167e2ec14162496fb4da298f51b09.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bat.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4288
        • C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.sfx.exe
          xellonewyoousrbeen.sfx.exe -pxellonewyoousrbeen.exe -dC:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:424
          • C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.exe
            "C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4056

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    Filesize

    71B

    MD5

    844274e64901102c45cd598a44d1d508

    SHA1

    07494226d0b4a605efc70591f2f5f71f3b287290

    SHA256

    2c0e210ec3bc7d33ee34deba20b867af0c356d2197120f38bdfc900fa11774a0

    SHA512

    6139d853208d61dff115334f1535994809c1f79f280efbc42146bf39f39ca7c97fd8346c9a004d59c186f1c524341ad02b516465f2fc52b5fcdee766978834d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbs.vbs
    Filesize

    89B

    MD5

    dc06d3c7415f4f6b05272426a63e9fd1

    SHA1

    2a148ec726cde2a19222c03ebf2cf48e8a5c171f

    SHA256

    101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

    SHA512

    d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.exe
    Filesize

    502KB

    MD5

    20a45d03d0efda64d3a550e13bdf659a

    SHA1

    239d865f85e2219706f6ae0525004755b8c6384c

    SHA256

    007a9b733ce579e9edb273813a12c269dd0807a335fffb4e584bab95115dd07e

    SHA512

    e24c1687a462b78a5431273b51fdcb96800f71f855fada47e822527acbf025f98a825648f79cc801e79b408078da59b00bd384d45070fd6664027e1eb46fdd2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.exe
    Filesize

    502KB

    MD5

    20a45d03d0efda64d3a550e13bdf659a

    SHA1

    239d865f85e2219706f6ae0525004755b8c6384c

    SHA256

    007a9b733ce579e9edb273813a12c269dd0807a335fffb4e584bab95115dd07e

    SHA512

    e24c1687a462b78a5431273b51fdcb96800f71f855fada47e822527acbf025f98a825648f79cc801e79b408078da59b00bd384d45070fd6664027e1eb46fdd2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.sfx.exe
    Filesize

    567KB

    MD5

    c4ebee4e09dc7b5e8fe89ec368d8b13b

    SHA1

    3230b20e94cc8be564d16c12a6a9db6d2b0ad13d

    SHA256

    c5e5c5e17d79791742fa5be8c120eee740da1579c4083c10afeb63c2181ae161

    SHA512

    e4785e273f88677a2ba39af3cf755a13523881ccfbb3ad1c31da1437f19853b4f50b9bdc15891bb1029e69e92b05ed57f6d50368ffc1b02143402cac990f5c3b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xellonewyoousrbeen.sfx.exe
    Filesize

    567KB

    MD5

    c4ebee4e09dc7b5e8fe89ec368d8b13b

    SHA1

    3230b20e94cc8be564d16c12a6a9db6d2b0ad13d

    SHA256

    c5e5c5e17d79791742fa5be8c120eee740da1579c4083c10afeb63c2181ae161

    SHA512

    e4785e273f88677a2ba39af3cf755a13523881ccfbb3ad1c31da1437f19853b4f50b9bdc15891bb1029e69e92b05ed57f6d50368ffc1b02143402cac990f5c3b

    Download Submit