Overview

overview

10

Static

static

3

NOSU.exe

windows7-x64

10

NOSU.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/09/2024, 12:38 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NOSU.exe

  • Size

    86KB

  • MD5

    402c6352fba5ee2006bb018342c72dc0

  • SHA1

    06bc6949524a71ea300169b9b537f74a27699c29

  • SHA256

    27b5f0fdff5f0c145b888f9647ef6358e6cda6affbb53650a63d1824555cb5a3

  • SHA512

    bac367a7c27b94565bce577b9001df7d8d11410a86fe5b04d03cff81f2dcc16823463ef162b57292dbdc62d3daa671c5a5cd5df537a4c8bbba45d25686b3d51f

  • SSDEEP

    384:Z0CBAU8pTNkdSSGC1TdwGNaXbb/UaHgGkE00PIYYN2g9DTUiJFnh:Z0wAbQaGNY0BYzg98izh

Score
10/10
shurkdiscoveryevasionexecutioninfostealertrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Run Powershell and hide display window.

    execution
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NOSU.exe
    "C:\Users\Admin\AppData\Local\Temp\NOSU.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4616
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4628
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\Control'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\Control
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1612
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "color 4 && echo Unfortunately, your system has been infected with NOSU virus. && echo This type of virus is classified as critical and we do not have the means to remove it at this time. && echo God help you. && pause"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4828

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73deploystaticakamaitechnologiescom
  • flag-us
    DNS
    20.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    20.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    20.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    11KB

    MD5

    fc5a436e7f64ba0f9eea5a43f9f87cf6

    SHA1

    abad49705dcf8d00aff230b49666061ed5bb14ee

    SHA256

    12b6362045aece744b6a5b22fa3fda536bc018e6c0b13ec31138ad85eaa00cf9

    SHA512

    195eb6fbd2085d304d9599b80cb90ad00bacec98dab39dac8b46178582c46fbc6643b7cc265decc5bed77e1aee51f333a13aa811628692a8deb85b18a78a411c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    11KB

    MD5

    0a33a61634ea4f6fa7eaa821bbe446c7

    SHA1

    4cfc3bcb5eca32c6989dbc9bb95746447a69cf4d

    SHA256

    c3112f4327f99fbe8850f39620028296890da165315aa875ecaa768ef263d7fd

    SHA512

    f80ca8df866d1aae455db63998f28914f83c3c1be400d130f7c39501e3a3852e342b870f9757fa3d69d0386a353c47e5b62fc875c02471c4285524a4c02baca4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    11KB

    MD5

    48f607d339f6d6c83ac17ffdc0f9bc71

    SHA1

    70300a734ca59bd927ea5d27567ceb88104871fd

    SHA256

    8cf673fb53724664df18cd5a4d2cf373229ed6c4f34a749a9972b7f875df166f

    SHA512

    f9a1231271f9d770b09162828e59ec457fbd4fd844261843664272b08d3be1e550360655011ba9cca448ec84c5e1d4abcb2d2db185223623e0e8b977f95c5e7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_243t4mg0.ojw.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1612-88-0x00000000707E0000-0x000000007082C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2300-136-0x0000000005FE0000-0x0000000006072000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2300-134-0x0000000005DA0000-0x0000000005E3C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2300-135-0x00000000063F0000-0x0000000006994000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2300-137-0x0000000006D20000-0x0000000006D2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2300-2-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2300-67-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2300-66-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2300-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2300-1-0x0000000000FC0000-0x0000000000FDA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3044-77-0x00000000054F0000-0x0000000005844000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3264-110-0x0000000006520000-0x0000000006874000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3688-121-0x00000000707E0000-0x000000007082C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4616-65-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4616-22-0x0000000006620000-0x000000000666C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4616-3-0x0000000002FC0000-0x0000000002FF6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4616-5-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4616-4-0x0000000005790000-0x0000000005DB8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4616-6-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4616-8-0x00000000055A0000-0x00000000055C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4616-7-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4616-10-0x0000000005E30000-0x0000000005E96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4616-9-0x0000000005DC0000-0x0000000005E26000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4616-20-0x0000000005F60000-0x00000000062B4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4616-21-0x00000000065E0000-0x00000000065FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4628-52-0x0000000007890000-0x000000000789A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4628-55-0x0000000007A50000-0x0000000007A5E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4628-58-0x0000000007B40000-0x0000000007B48000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4628-61-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4628-36-0x00000000707E0000-0x000000007082C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4628-25-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4628-24-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4628-23-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4628-56-0x0000000007A60000-0x0000000007A74000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4628-57-0x0000000007B60000-0x0000000007B7A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4628-54-0x0000000007A20000-0x0000000007A31000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4628-53-0x0000000007AA0000-0x0000000007B36000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4628-35-0x0000000007690000-0x00000000076C2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4628-51-0x0000000007820000-0x000000000783A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4628-50-0x0000000007E60000-0x00000000084DA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4628-49-0x00000000076D0000-0x0000000007773000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4628-48-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4628-47-0x0000000007650000-0x000000000766E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4628-46-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.