shurk | b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31

Analysis

max time kernel
208s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31.exe
Size

25.9MB
MD5

767db863164ec054813a61fc1c469b60
SHA1

cf1f5541ea6fcd245d725b89e4e2309b895ab4f7
SHA256

b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31
SHA512

c723996862f4368555af5cd3435ffc7207e9b7f945369ff543b1de5e527a26bed0cd18389ca64bb95085426b9d7f7d2753b8995de2bcfd02b882ac3f4a4f16ed
SSDEEP

786432:zfzDs7aZXBWhs6cets5XOjehnRLy3f3xfDcgH:zffYavetwmehntyJff

Score

10^/10

shurk infostealer vmprotect

Malware Config

Signatures

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 6 IoCs

resource	yara_rule
behavioral2/memory/1120-152-0x0000000000000000-mapping.dmp	shurk_stealer
behavioral2/memory/1120-153-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer
behavioral2/memory/1120-154-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer
behavioral2/memory/1120-155-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer
behavioral2/memory/1120-156-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer
behavioral2/memory/1120-157-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1244	start.exe
4020	Changer.exe
3084	allSkinsData.exe
2392	InventoryChangerLoader.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000800000002316d-145.dat	vmprotect
behavioral2/files/0x000800000002316d-144.dat	vmprotect
behavioral2/memory/2392-147-0x00000238AD0F0000-0x00000238AED3A000-memory.dmp	vmprotect
behavioral2/files/0x000600000002316e-163.dat	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Changer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3084 set thread context of 1120	3084	allSkinsData.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1120	AddInProcess32.exe
1120	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	allSkinsData.exe
Token: SeDebugPrivilege	2392	InventoryChangerLoader.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1244	1532	b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31.exe	83
PID 1532 wrote to memory of 1244	1532	b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31.exe	83
PID 1532 wrote to memory of 1244	1532	b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31.exe	83
PID 1244 wrote to memory of 1204	1244	start.exe	86
PID 1244 wrote to memory of 1204	1244	start.exe	86
PID 1204 wrote to memory of 4020	1204	cmd.exe	87
PID 1204 wrote to memory of 4020	1204	cmd.exe	87
PID 1204 wrote to memory of 4020	1204	cmd.exe	87
PID 4020 wrote to memory of 3084	4020	Changer.exe	88
PID 4020 wrote to memory of 3084	4020	Changer.exe	88
PID 4020 wrote to memory of 3084	4020	Changer.exe	88
PID 4020 wrote to memory of 2392	4020	Changer.exe	89
PID 4020 wrote to memory of 2392	4020	Changer.exe	89
PID 3084 wrote to memory of 884	3084	allSkinsData.exe	90
PID 3084 wrote to memory of 884	3084	allSkinsData.exe	90
PID 3084 wrote to memory of 884	3084	allSkinsData.exe	90
PID 3084 wrote to memory of 1120	3084	allSkinsData.exe	91
PID 3084 wrote to memory of 1120	3084	allSkinsData.exe	91
PID 3084 wrote to memory of 1120	3084	allSkinsData.exe	91
PID 3084 wrote to memory of 1120	3084	allSkinsData.exe	91
PID 3084 wrote to memory of 1120	3084	allSkinsData.exe	91
PID 3084 wrote to memory of 1120	3084	allSkinsData.exe	91
PID 3084 wrote to memory of 1120	3084	allSkinsData.exe	91
PID 3084 wrote to memory of 1120	3084	allSkinsData.exe	91
PID 3084 wrote to memory of 1120	3084	allSkinsData.exe	91
PID 3084 wrote to memory of 1120	3084	allSkinsData.exe	91

C:\Users\Admin\AppData\Local\Temp\b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31.exe
"C:\Users\Admin\AppData\Local\Temp\b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1532
- C:\ProgramData\start.exe
  "C:\ProgramData\start.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\220A.tmp\220B.tmp\220C.bat C:\ProgramData\start.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\ProgramData\Changer.exe
      Changer.exe -pskxLL0100xKKsjXJ19289 -dc:/ProgramData
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4020
    - - C:\ProgramData\allSkinsData.exe
        
        "C:\ProgramData\allSkinsData.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        6⤵
        
        PID:884
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1120
    - - C:\ProgramData\InventoryChangerLoader.exe
        
        "C:\ProgramData\InventoryChangerLoader.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Changer.exe

Filesize
25.6MB

MD5
432498138f372d6f58fb1ce3838eaab9

SHA1
74e5cd939cf140d9ed37ee901d68b2a51e49aa33

SHA256
47d02c42b8460c5c7031a32add3cb69ac6950f8f8f613e93a2e956721f42bdd7

SHA512
98fbcf36196d41289579aa6383593d85080bfd2e3095c75dcd645aa59a911e3a6ac3f638fa9e0b5649b2d16ed9db29e0f2c3bf9c640838792e63c4ffb14372a0

Download Submit
C:\ProgramData\Changer.exe

Filesize
25.6MB

MD5
432498138f372d6f58fb1ce3838eaab9

SHA1
74e5cd939cf140d9ed37ee901d68b2a51e49aa33

SHA256
47d02c42b8460c5c7031a32add3cb69ac6950f8f8f613e93a2e956721f42bdd7

SHA512
98fbcf36196d41289579aa6383593d85080bfd2e3095c75dcd645aa59a911e3a6ac3f638fa9e0b5649b2d16ed9db29e0f2c3bf9c640838792e63c4ffb14372a0

Download Submit
C:\ProgramData\InventoryChangerLoader.exe

Filesize
14.2MB

MD5
3dd6cc2610355bbd373e371bf73a00e8

SHA1
2fbaaa9fbbcffe14ce59ff76d3dc362bfb8b3acf

SHA256
0b1673433abfcb1257ff9db3c6f4d84cd3637ba9351fdabd889209798da2b228

SHA512
eb44ac42d55fddfc1a93f82c8cbf577c7fdef65b2938e0cbcf58630c92cb7b073916906d096970a3a3271a0fcf20fd32c3c9c10788f12820d79a2d28abeafba6

Download Submit
C:\ProgramData\InventoryChangerLoader.exe

Filesize
14.2MB

MD5
3dd6cc2610355bbd373e371bf73a00e8

SHA1
2fbaaa9fbbcffe14ce59ff76d3dc362bfb8b3acf

SHA256
0b1673433abfcb1257ff9db3c6f4d84cd3637ba9351fdabd889209798da2b228

SHA512
eb44ac42d55fddfc1a93f82c8cbf577c7fdef65b2938e0cbcf58630c92cb7b073916906d096970a3a3271a0fcf20fd32c3c9c10788f12820d79a2d28abeafba6

Download Submit
C:\ProgramData\LoaderKernel.dll

Filesize
11.0MB

MD5
614b24c47864eb18905841b8f5bfbdf8

SHA1
13223912fe99576f360b9f97864390accc62ce42

SHA256
692fdc37b881f8dc702a7817cc3af83011a5453f2e49ff206749e2503da45db1

SHA512
e561e44b471240913237dca0a820dd7a546ea74e44c3f78e472583ac352299391a74a4dc21e6f1b03af48ae6e549f68c8387cf7742fc156b46956b72b6f17e35

Download Submit
C:\ProgramData\allSkinsData.exe

Filesize
1.4MB

MD5
9e964d0100dde88172f64ecef8e49299

SHA1
e65910e0c60e1c728f59a2004ba2f0d44eb56da9

SHA256
22fc083a0dc3b0b7f2275a8097e3a7c60fa6ebdd00ad80a90dcfc03f90e50644

SHA512
63c56cdec6bfe0f02bc495cf4636cbb5524affc0af7f3b7802cd90aa59d8eba57eaeb55c6fe0f312e4d61d069c9f3ff0207dca14a60f71dad0f6874464868b49

Download Submit
C:\ProgramData\allSkinsData.exe

Filesize
1.4MB

MD5
9e964d0100dde88172f64ecef8e49299

SHA1
e65910e0c60e1c728f59a2004ba2f0d44eb56da9

SHA256
22fc083a0dc3b0b7f2275a8097e3a7c60fa6ebdd00ad80a90dcfc03f90e50644

SHA512
63c56cdec6bfe0f02bc495cf4636cbb5524affc0af7f3b7802cd90aa59d8eba57eaeb55c6fe0f312e4d61d069c9f3ff0207dca14a60f71dad0f6874464868b49

Download Submit
C:\ProgramData\start.exe

Filesize
88KB

MD5
9590a44fb19cef257378efe5697e8b0b

SHA1
7c6bec1a118adcb4fc2dad41512b94b2577a5a48

SHA256
1270bb6be5ccb0754ac42b7362e93de56e10cae6e6ddaa60a77faf63696c5853

SHA512
421f80702314165eb1e68dc0698533b9f6b91bdaa2ea8488f6812e84731599d4cb8b80469c962681ea58d20dd46ef34e7efbb1f7badfb0bd3e68cd876d3c2247

Download Submit
C:\ProgramData\start.exe

Filesize
88KB

MD5
9590a44fb19cef257378efe5697e8b0b

SHA1
7c6bec1a118adcb4fc2dad41512b94b2577a5a48

SHA256
1270bb6be5ccb0754ac42b7362e93de56e10cae6e6ddaa60a77faf63696c5853

SHA512
421f80702314165eb1e68dc0698533b9f6b91bdaa2ea8488f6812e84731599d4cb8b80469c962681ea58d20dd46ef34e7efbb1f7badfb0bd3e68cd876d3c2247

Download Submit
C:\Users\Admin\AppData\Local\Temp\220A.tmp\220B.tmp\220C.bat

Filesize
74B

MD5
ad1338af912f600aacea8967b518c5cf

SHA1
e1a44e009c1f925bce69d423949d1e27670b21f2

SHA256
3407436e93523047a207cc6ae8d4eb17cc578b7687e41601b0347e7e42d3ba26

SHA512
68147c07bef9aa52bd88375e96cb07984f851cfd31a08e85eb6fa818bc10a6d38c392b4afe02ec25317f5d2d54873ded12dff6a6faf0a24b769db736e3190875

Download Submit
memory/1120-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1120-156-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1120-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1120-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1120-153-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-151-0x00007FFA1A5A0000-0x00007FFA1B061000-memory.dmp

Filesize
10.8MB

Download
memory/2392-164-0x00000238D2520000-0x00000238D2532000-memory.dmp

Filesize
72KB

Download
memory/2392-147-0x00000238AD0F0000-0x00000238AED3A000-memory.dmp

Filesize
28.3MB

Download
memory/2392-146-0x00007FFA1A5A0000-0x00007FFA1B061000-memory.dmp

Filesize
10.8MB

Download
memory/2392-162-0x00000238CB7B0000-0x00000238CB7BE000-memory.dmp

Filesize
56KB

Download
memory/2392-165-0x00000238D2500000-0x00000238D250A000-memory.dmp

Filesize
40KB

Download
memory/2392-158-0x00000238CB6A0000-0x00000238CB75A000-memory.dmp

Filesize
744KB

Download
memory/2392-159-0x00000238CFDD0000-0x00000238CFDF2000-memory.dmp

Filesize
136KB

Download
memory/2392-160-0x00000238CFE00000-0x00000238CFE08000-memory.dmp

Filesize
32KB

Download
memory/2392-161-0x00000238CB7E0000-0x00000238CB818000-memory.dmp

Filesize
224KB

Download
memory/3084-148-0x0000000000520000-0x0000000000694000-memory.dmp

Filesize
1.5MB

Download