shurk | 086b1059bd646df913f8ed3a5fd3ee6efd6e63b5ee0d9f1a0d98246993832ab4

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOSU.exe
Size

86KB
MD5

19821b42fb6c365e341d751505af9d2c
SHA1

5537fa3e031abe119faa45cef02cc3573829a508
SHA256

086b1059bd646df913f8ed3a5fd3ee6efd6e63b5ee0d9f1a0d98246993832ab4
SHA512

06d6ca44a662118536fda0a8e9f9d7b96b74c0f37c1fabcf6e516cbfc608348ad0e369c302e94f3929b949aa4f0f37e969ad565ae1cd8eb9eaa90654603ee1b2
SSDEEP

384:ee8HUEVwV7gxlz2/uwG0XbO/UaHgGkE002c8Dqs9DTUiJFnh:e/f8G30g8b98izh

Score

10^/10

shurk discovery evasion execution infostealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	NOSU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	NOSU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	NOSU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	NOSU.exe

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2056	powershell.exe
2680	powershell.exe
2540	powershell.exe
2636	powershell.exe
2680	powershell.exe
2556	powershell.exe
2540	powershell.exe
2176	powershell.exe
2056	powershell.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NOSU.exe

Disables Task Manager via registry modification
evasion

Drops file in Program Files directory 56 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.cm	NOSU.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\eula.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.cm	NOSU.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\eula.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.cm	NOSU.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.cm	NOSU.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Control	NOSU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOSU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2056	powershell.exe
2636	powershell.exe
2680	powershell.exe
2556	powershell.exe
2540	powershell.exe
2176	powershell.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
944	NOSU.exe
944	NOSU.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	944	NOSU.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 2056	944	NOSU.exe	32
PID 944 wrote to memory of 2056	944	NOSU.exe	32
PID 944 wrote to memory of 2056	944	NOSU.exe	32
PID 944 wrote to memory of 2056	944	NOSU.exe	32
PID 2056 wrote to memory of 2636	2056	powershell.exe	34
PID 2056 wrote to memory of 2636	2056	powershell.exe	34
PID 2056 wrote to memory of 2636	2056	powershell.exe	34
PID 2056 wrote to memory of 2636	2056	powershell.exe	34
PID 944 wrote to memory of 2680	944	NOSU.exe	35
PID 944 wrote to memory of 2680	944	NOSU.exe	35
PID 944 wrote to memory of 2680	944	NOSU.exe	35
PID 944 wrote to memory of 2680	944	NOSU.exe	35
PID 2680 wrote to memory of 2556	2680	powershell.exe	37
PID 2680 wrote to memory of 2556	2680	powershell.exe	37
PID 2680 wrote to memory of 2556	2680	powershell.exe	37
PID 2680 wrote to memory of 2556	2680	powershell.exe	37
PID 944 wrote to memory of 2540	944	NOSU.exe	38
PID 944 wrote to memory of 2540	944	NOSU.exe	38
PID 944 wrote to memory of 2540	944	NOSU.exe	38
PID 944 wrote to memory of 2540	944	NOSU.exe	38
PID 2540 wrote to memory of 2176	2540	powershell.exe	40
PID 2540 wrote to memory of 2176	2540	powershell.exe	40
PID 2540 wrote to memory of 2176	2540	powershell.exe	40
PID 2540 wrote to memory of 2176	2540	powershell.exe	40
PID 944 wrote to memory of 2744	944	NOSU.exe	41
PID 944 wrote to memory of 2744	944	NOSU.exe	41
PID 944 wrote to memory of 2744	944	NOSU.exe	41
PID 944 wrote to memory of 2744	944	NOSU.exe	41

C:\Users\Admin\AppData\Local\Temp\NOSU.exe
"C:\Users\Admin\AppData\Local\Temp\NOSU.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\Control'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\Control
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "color 4 && echo Unfortunately, your system has been infected with NOSU virus. && echo This type of virus is classified as critical and we do not have the means to remove it at this time. && echo God help you. && pause"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.cm

Filesize
36KB

MD5
98629fdf433fc01fcdf4518664c62fcc

SHA1
5a3d4a47799c558619f3d7049b45d8776d4d6d4d

SHA256
84dee4a85741a8f9608ac95002fff6eecfbd6f4bf6fc1058827591d9e256a9bf

SHA512
cf4848064179d73523c1623e037df82a6b99fc4b060935cfb9df916be5b179dd8c01f28a5f552bcd4bc9f7dbff7e350bb7dd39add819cfa34ac4dae29053789b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e60a32f4dba00f02d15eaf4769ef4179

SHA1
9c32c4543c6388b58595322bc3ec59f61338f161

SHA256
843be6b49bc2248a8e16e5c1585bb2138f10d27f3b76366e6172523fb8764e8b

SHA512
35551bf7dacd29a727a0a7343a6170a4d8f83da20d9bd180782be10072d3d7959f38641968a1fe08c0906ee491554a29e56abd8d77dd9e8168d49548c71bf3fb

Download Submit
memory/944-0-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/944-1-0x0000000000190000-0x00000000001AA000-memory.dmp

Filesize
104KB

Download
memory/944-2-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/944-36-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/944-37-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2056-5-0x00000000712C1000-0x00000000712C2000-memory.dmp

Filesize
4KB

Download
memory/2056-6-0x00000000712C0000-0x000000007186B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-7-0x00000000712C0000-0x000000007186B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-13-0x00000000712C0000-0x000000007186B000-memory.dmp

Filesize
5.7MB

Download