shurk | 27b5f0fdff5f0c145b888f9647ef6358e6cda6affbb53650a63d1824555cb5a3

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOSU.exe
Size

86KB
MD5

402c6352fba5ee2006bb018342c72dc0
SHA1

06bc6949524a71ea300169b9b537f74a27699c29
SHA256

27b5f0fdff5f0c145b888f9647ef6358e6cda6affbb53650a63d1824555cb5a3
SHA512

bac367a7c27b94565bce577b9001df7d8d11410a86fe5b04d03cff81f2dcc16823463ef162b57292dbdc62d3daa671c5a5cd5df537a4c8bbba45d25686b3d51f
SSDEEP

384:Z0CBAU8pTNkdSSGC1TdwGNaXbb/UaHgGkE00PIYYN2g9DTUiJFnh:Z0wAbQaGNY0BYzg98izh

Score

10^/10

shurk discovery evasion execution infostealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	NOSU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	NOSU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	NOSU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	NOSU.exe

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1712	powershell.exe
2968	powershell.exe
2768	powershell.exe
2540	powershell.exe
1856	powershell.exe
2608	powershell.exe
2968	powershell.exe
2540	powershell.exe
2608	powershell.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NOSU.exe

Disables Task Manager via registry modification
evasion

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.cm	NOSU.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.cm	NOSU.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.cm	NOSU.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\eula.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.cm	NOSU.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Control	NOSU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOSU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2968	powershell.exe
2768	powershell.exe
2540	powershell.exe
1856	powershell.exe
2608	powershell.exe
1712	powershell.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
1840	NOSU.exe
1840	NOSU.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	NOSU.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2968	1840	NOSU.exe	32
PID 1840 wrote to memory of 2968	1840	NOSU.exe	32
PID 1840 wrote to memory of 2968	1840	NOSU.exe	32
PID 1840 wrote to memory of 2968	1840	NOSU.exe	32
PID 2968 wrote to memory of 2768	2968	powershell.exe	34
PID 2968 wrote to memory of 2768	2968	powershell.exe	34
PID 2968 wrote to memory of 2768	2968	powershell.exe	34
PID 2968 wrote to memory of 2768	2968	powershell.exe	34
PID 1840 wrote to memory of 2540	1840	NOSU.exe	35
PID 1840 wrote to memory of 2540	1840	NOSU.exe	35
PID 1840 wrote to memory of 2540	1840	NOSU.exe	35
PID 1840 wrote to memory of 2540	1840	NOSU.exe	35
PID 2540 wrote to memory of 1856	2540	powershell.exe	37
PID 2540 wrote to memory of 1856	2540	powershell.exe	37
PID 2540 wrote to memory of 1856	2540	powershell.exe	37
PID 2540 wrote to memory of 1856	2540	powershell.exe	37
PID 1840 wrote to memory of 2608	1840	NOSU.exe	38
PID 1840 wrote to memory of 2608	1840	NOSU.exe	38
PID 1840 wrote to memory of 2608	1840	NOSU.exe	38
PID 1840 wrote to memory of 2608	1840	NOSU.exe	38
PID 2608 wrote to memory of 1712	2608	powershell.exe	40
PID 2608 wrote to memory of 1712	2608	powershell.exe	40
PID 2608 wrote to memory of 1712	2608	powershell.exe	40
PID 2608 wrote to memory of 1712	2608	powershell.exe	40
PID 1840 wrote to memory of 1964	1840	NOSU.exe	41
PID 1840 wrote to memory of 1964	1840	NOSU.exe	41
PID 1840 wrote to memory of 1964	1840	NOSU.exe	41
PID 1840 wrote to memory of 1964	1840	NOSU.exe	41

C:\Users\Admin\AppData\Local\Temp\NOSU.exe
"C:\Users\Admin\AppData\Local\Temp\NOSU.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\Control'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\Control
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "color 4 && echo Unfortunately, your system has been infected with NOSU virus. && echo This type of virus is classified as critical and we do not have the means to remove it at this time. && echo God help you. && pause"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.cm

Filesize
36KB

MD5
98629fdf433fc01fcdf4518664c62fcc

SHA1
5a3d4a47799c558619f3d7049b45d8776d4d6d4d

SHA256
84dee4a85741a8f9608ac95002fff6eecfbd6f4bf6fc1058827591d9e256a9bf

SHA512
cf4848064179d73523c1623e037df82a6b99fc4b060935cfb9df916be5b179dd8c01f28a5f552bcd4bc9f7dbff7e350bb7dd39add819cfa34ac4dae29053789b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
71bda6cd837414edaa7e3513821e24f4

SHA1
a70ee0078a570f93ad5ecfdc77f10944fe887d97

SHA256
edc0c82936545048d1b7d1db63a654d36b94d099c1668d2998b2041c27bd87fd

SHA512
c4d4200ce7f9973c5f7a8cec7ed33d334ac9ad3f06c5f04ae953ecc6cd03ee3fee8e788da962499af9a76769baad416fb78da94fc921d446915c5447926f340d

Download Submit
memory/1840-1-0x0000000000E90000-0x0000000000EAA000-memory.dmp

Filesize
104KB

Download
memory/1840-2-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/1840-38-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/1840-37-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download
memory/1840-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download
memory/2968-8-0x0000000071C80000-0x000000007222B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-15-0x0000000071C80000-0x000000007222B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-9-0x0000000071C80000-0x000000007222B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-7-0x0000000071C80000-0x000000007222B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-6-0x0000000071C80000-0x000000007222B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-5-0x0000000071C81000-0x0000000071C82000-memory.dmp

Filesize
4KB

Download