shurk | 27b5f0fdff5f0c145b888f9647ef6358e6cda6affbb53650a63d1824555cb5a3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOSU.exe
Size

86KB
MD5

402c6352fba5ee2006bb018342c72dc0
SHA1

06bc6949524a71ea300169b9b537f74a27699c29
SHA256

27b5f0fdff5f0c145b888f9647ef6358e6cda6affbb53650a63d1824555cb5a3
SHA512

bac367a7c27b94565bce577b9001df7d8d11410a86fe5b04d03cff81f2dcc16823463ef162b57292dbdc62d3daa671c5a5cd5df537a4c8bbba45d25686b3d51f
SSDEEP

384:Z0CBAU8pTNkdSSGC1TdwGNaXbb/UaHgGkE00PIYYN2g9DTUiJFnh:Z0wAbQaGNY0BYzg98izh

Score

10^/10

shurk discovery evasion execution infostealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	NOSU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	NOSU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	NOSU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	NOSU.exe

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4616	powershell.exe
3044	powershell.exe
3264	powershell.exe
4616	powershell.exe
4628	powershell.exe
3044	powershell.exe
1612	powershell.exe
3264	powershell.exe
3688	powershell.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NOSU.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	NOSU.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.cm	NOSU.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Control	NOSU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOSU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4616	powershell.exe
4616	powershell.exe
4628	powershell.exe
4628	powershell.exe
3044	powershell.exe
3044	powershell.exe
1612	powershell.exe
1612	powershell.exe
3264	powershell.exe
3264	powershell.exe
3688	powershell.exe
3688	powershell.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
2300	NOSU.exe
2300	NOSU.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	NOSU.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 4616	2300	NOSU.exe	83
PID 2300 wrote to memory of 4616	2300	NOSU.exe	83
PID 2300 wrote to memory of 4616	2300	NOSU.exe	83
PID 4616 wrote to memory of 4628	4616	powershell.exe	88
PID 4616 wrote to memory of 4628	4616	powershell.exe	88
PID 4616 wrote to memory of 4628	4616	powershell.exe	88
PID 2300 wrote to memory of 3044	2300	NOSU.exe	89
PID 2300 wrote to memory of 3044	2300	NOSU.exe	89
PID 2300 wrote to memory of 3044	2300	NOSU.exe	89
PID 3044 wrote to memory of 1612	3044	powershell.exe	91
PID 3044 wrote to memory of 1612	3044	powershell.exe	91
PID 3044 wrote to memory of 1612	3044	powershell.exe	91
PID 2300 wrote to memory of 3264	2300	NOSU.exe	96
PID 2300 wrote to memory of 3264	2300	NOSU.exe	96
PID 2300 wrote to memory of 3264	2300	NOSU.exe	96
PID 3264 wrote to memory of 3688	3264	powershell.exe	98
PID 3264 wrote to memory of 3688	3264	powershell.exe	98
PID 3264 wrote to memory of 3688	3264	powershell.exe	98
PID 2300 wrote to memory of 4828	2300	NOSU.exe	100
PID 2300 wrote to memory of 4828	2300	NOSU.exe	100
PID 2300 wrote to memory of 4828	2300	NOSU.exe	100

C:\Users\Admin\AppData\Local\Temp\NOSU.exe
"C:\Users\Admin\AppData\Local\Temp\NOSU.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Disables RegEdit via registry modification
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\Control'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\Control
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "color 4 && echo Unfortunately, your system has been infected with NOSU virus. && echo This type of virus is classified as critical and we do not have the means to remove it at this time. && echo God help you. && pause"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
fc5a436e7f64ba0f9eea5a43f9f87cf6

SHA1
abad49705dcf8d00aff230b49666061ed5bb14ee

SHA256
12b6362045aece744b6a5b22fa3fda536bc018e6c0b13ec31138ad85eaa00cf9

SHA512
195eb6fbd2085d304d9599b80cb90ad00bacec98dab39dac8b46178582c46fbc6643b7cc265decc5bed77e1aee51f333a13aa811628692a8deb85b18a78a411c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
0a33a61634ea4f6fa7eaa821bbe446c7

SHA1
4cfc3bcb5eca32c6989dbc9bb95746447a69cf4d

SHA256
c3112f4327f99fbe8850f39620028296890da165315aa875ecaa768ef263d7fd

SHA512
f80ca8df866d1aae455db63998f28914f83c3c1be400d130f7c39501e3a3852e342b870f9757fa3d69d0386a353c47e5b62fc875c02471c4285524a4c02baca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
48f607d339f6d6c83ac17ffdc0f9bc71

SHA1
70300a734ca59bd927ea5d27567ceb88104871fd

SHA256
8cf673fb53724664df18cd5a4d2cf373229ed6c4f34a749a9972b7f875df166f

SHA512
f9a1231271f9d770b09162828e59ec457fbd4fd844261843664272b08d3be1e550360655011ba9cca448ec84c5e1d4abcb2d2db185223623e0e8b977f95c5e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_243t4mg0.ojw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1612-88-0x00000000707E0000-0x000000007082C000-memory.dmp

Filesize
304KB

Download
memory/2300-136-0x0000000005FE0000-0x0000000006072000-memory.dmp

Filesize
584KB

Download
memory/2300-134-0x0000000005DA0000-0x0000000005E3C000-memory.dmp

Filesize
624KB

Download
memory/2300-135-0x00000000063F0000-0x0000000006994000-memory.dmp

Filesize
5.6MB

Download
memory/2300-137-0x0000000006D20000-0x0000000006D2A000-memory.dmp

Filesize
40KB

Download
memory/2300-2-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/2300-67-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/2300-66-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/2300-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/2300-1-0x0000000000FC0000-0x0000000000FDA000-memory.dmp

Filesize
104KB

Download
memory/3044-77-0x00000000054F0000-0x0000000005844000-memory.dmp

Filesize
3.3MB

Download
memory/3264-110-0x0000000006520000-0x0000000006874000-memory.dmp

Filesize
3.3MB

Download
memory/3688-121-0x00000000707E0000-0x000000007082C000-memory.dmp

Filesize
304KB

Download
memory/4616-65-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4616-22-0x0000000006620000-0x000000000666C000-memory.dmp

Filesize
304KB

Download
memory/4616-3-0x0000000002FC0000-0x0000000002FF6000-memory.dmp

Filesize
216KB

Download
memory/4616-5-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4616-4-0x0000000005790000-0x0000000005DB8000-memory.dmp

Filesize
6.2MB

Download
memory/4616-6-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4616-8-0x00000000055A0000-0x00000000055C2000-memory.dmp

Filesize
136KB

Download
memory/4616-7-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4616-10-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/4616-9-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/4616-20-0x0000000005F60000-0x00000000062B4000-memory.dmp

Filesize
3.3MB

Download
memory/4616-21-0x00000000065E0000-0x00000000065FE000-memory.dmp

Filesize
120KB

Download
memory/4628-52-0x0000000007890000-0x000000000789A000-memory.dmp

Filesize
40KB

Download
memory/4628-55-0x0000000007A50000-0x0000000007A5E000-memory.dmp

Filesize
56KB

Download
memory/4628-58-0x0000000007B40000-0x0000000007B48000-memory.dmp

Filesize
32KB

Download
memory/4628-61-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4628-36-0x00000000707E0000-0x000000007082C000-memory.dmp

Filesize
304KB

Download
memory/4628-25-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4628-24-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4628-23-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4628-56-0x0000000007A60000-0x0000000007A74000-memory.dmp

Filesize
80KB

Download
memory/4628-57-0x0000000007B60000-0x0000000007B7A000-memory.dmp

Filesize
104KB

Download
memory/4628-54-0x0000000007A20000-0x0000000007A31000-memory.dmp

Filesize
68KB

Download
memory/4628-53-0x0000000007AA0000-0x0000000007B36000-memory.dmp

Filesize
600KB

Download
memory/4628-35-0x0000000007690000-0x00000000076C2000-memory.dmp

Filesize
200KB

Download
memory/4628-51-0x0000000007820000-0x000000000783A000-memory.dmp

Filesize
104KB

Download
memory/4628-50-0x0000000007E60000-0x00000000084DA000-memory.dmp

Filesize
6.5MB

Download
memory/4628-49-0x00000000076D0000-0x0000000007773000-memory.dmp

Filesize
652KB

Download
memory/4628-48-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4628-47-0x0000000007650000-0x000000000766E000-memory.dmp

Filesize
120KB

Download
memory/4628-46-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download