Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
16-07-2023 16:24
General
-
Target
https://cdn.discordapp.com/attachments/1128717806037381271/1129729857631309824/HIFIXLauncher.zip
Malware Config
Signatures
-
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
-
Shurk Stealer payload 4 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1128717806037381271/1129729857631309824/HIFIXLauncher.zip1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff044846f8,0x7fff04484708,0x7fff044847182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4808 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,14121055813915512240,17705316162202790256,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4652 /prefetch:22⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\HIFIXLauncher\Launcher.exe"C:\Users\Admin\Desktop\HIFIXLauncher\Launcher.exe"1⤵
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Desktop\HIFIXLauncher\Launcher.exe"C:\Users\Admin\Desktop\HIFIXLauncher\Launcher.exe"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5b950ebe404eda736e529f1b0a975e8db
SHA14d2c020f1aa70e2bcb666a2dd144d1f3588430b8
SHA256bcc60276d7110e8d002f24d66ebb043c5761e2a4b6ae7854983cef4beacd9bf4
SHA5126ba228e5b6464c9602db81de8e1189302d0b2aed78a8b06248ccd9f095ede8621fc9d0faed0a7d079b8c7f4d1164b2895c4d0ef99c93cb95bbe210033e40295a
-
Filesize
186B
MD5094ab275342c45551894b7940ae9ad0d
SHA12e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA51219d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD5a01a731f9a75ce5e1e469227bb2a55df
SHA176acaefe929a041bec67333c83e55dd2269d3deb
SHA25617bdc35c95af70f51657f8aad63e5de0273e4dcec2bbef85181022b8d6c95ea2
SHA5129442154d5b62f78668884984e362646effcc004d12b05b016ff04dd70082254dc78ce11ee5f9ea8ae3b3005130fb33515f3ca2c27ec920749cf4771e8d70fd1c
-
Filesize
5KB
MD5f143c7f2d166bc7044a7a03ce796b418
SHA1a2d8f775fb6d1e0021e6378dda84773e40909aee
SHA2565075dbd2276d3a0cbdafa536033e30f6c30bce0e14ba96753b689d3997767bbf
SHA51295a7411cbd6d7996cf8914b2a592c3331c6681db939ab4c4a5aad89bcc186c9f16ff42f392871e1d6746f0cf7ca570b6b990007ba9495ec4d8263873a83f6c02
-
Filesize
5KB
MD5202f7e28a4ed5bc92e3b51d697643e06
SHA16e2c0c08a14c5de08b7ee14e6bdd53a998480dc2
SHA256cb3876f3eef5364f4d9bab482fa618283489df473e9e3e65356b367e7605608a
SHA512d44c902160646ea3b8aeb1acc49f85d6804933d24b132286566a867193f3b708be2b93c17654510f605868c8324f703f6a7376133c8ee8ada7b28b050910b984
-
Filesize
24KB
MD5ca36933e6dea7aa507a272121b34fdbb
SHA13b4741ca0308b345de5ecf6c3565b1dbacb0fb86
SHA256fd14449eb781c58e6e7196a384caf25cba0c59ebdba3b10f8ca0ecfd0c076b5d
SHA5125a9b186ecf085765caee97a2910008dda926ce412001042e165184083a52fb5fb70f05ca781cd2f7740ecbd938895c77c5aa0f9eb8d812b92f412f336212720e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD52959a6cd8286fe77e5e85dc10151a572
SHA1cb7052fc7191b622dc1533b2d62e541f91bf1ae1
SHA256b075f8ad383d9c57ea09439a8965c88ccdab2ee68f06a25dd4bcdcca0c6c58a7
SHA5129a876c89aaacc940e047e65f7c8918037b1d0dc54d3de2b404474946eae7926c9983680c5db4a6cd31a171c2ddcd34f52f3156b94377eb98cbd0bae771eb0103
-
Filesize
12KB
MD596a7cba4da1f92e4105de844d0f83301
SHA10c3ee5dff318ec3cd0d4b5cffd86b0e16261ea9b
SHA2561d47afa23d9e608277e8b481bc81391de0fd27254aa79596c5fa02daf1c8364a
SHA512d87958cfba840ffb0bc618a1d61633dedeebaa6cca60b63ec1aa815a707d59462bad6e0520124b4c340a2275327349682c19180cfa045f9c36f372ba92ef109f
-
Filesize
12KB
MD5ef846fb8b1f9ccda584702d5f7a32c14
SHA15c485ae97860d6e194c9fde3bafeae153b963414
SHA256146717383da9b80108263aecdb7bd614e6fa1c7b27e142285a11faf70f142a4c
SHA512cf9cfc71afaa35ee96cd65c16f14a30d1be6c1735c56c3d7ca203483d4403cdf20abf01e5884ff725f3341ab538d3545ca608d6ec667485097452519597ff59e
-
Filesize
13B
MD55aa23de51344b611b1dc3abc5ae4b97e
SHA110195865e2b04878252d7be02156f1259e565381
SHA2564d4474a3010ac3ff751994cd74ea637ecb36b3c3bb52590ba63398f51014cd55
SHA512b48bd7409ea518783b0b088034a5139b9e33198d6291d5192ff165b3d99f438e5eabadb44d917e542af0640202ca4bd2bbf3cd1a4c077d9f484836132728b2c7
-
Filesize
134.7MB
MD533bdbf3c2cf68698ab799dffdf1d97f7
SHA13c28abb5bc3067cf96c4e8ab136f21dd0cc9d42a
SHA2567d252f3d02c4b5196c6aed2bdf732e46d96573e0ed53022f487ab11a246ba3c1
SHA512407149f4facfc18897e6dcb361f2884bea3b429dad06d3eb24b35f0627883b484a5ba5ed9633b75e25e275546e5d88658f132499802adcdf2788de8690ed7162
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.5MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
6.5MB
-
Filesize
8.4MB
-
Filesize
6.5MB