shurk | 266ec9b6c8f07ba35e7f7c1223583a6b78770f2647b8fdd1af7b1a5af18d4f9d

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOSU.exe
Size

86KB
MD5

d5aebbb30b6b622ab2f6c0f9956395f2
SHA1

b89cd9e3a2d5baa995c1bffbf183ba3fe48e47a1
SHA256

266ec9b6c8f07ba35e7f7c1223583a6b78770f2647b8fdd1af7b1a5af18d4f9d
SHA512

a1579b6f40c539d233368fd41b1af1226c63c596d19492f7adb0ac26319bac82e4adb8b0fc30c2dd20562a253d195311ab600d25b095a321deaa7fe25b9140ef
SSDEEP

384:G0CpAU8pTNkdSSGC1TdwGNaXbb/UaHgGkE00PIYTNxg9DTUiJFnh:G04AbQaGNY0BY/g98izh

Score

10^/10

shurk discovery evasion execution infostealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	NOSU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	NOSU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	NOSU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	NOSU.exe

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2824	powershell.exe
2608	powershell.exe
2364	powershell.exe
2212	powershell.exe
2364	powershell.exe
2984	powershell.exe
2824	powershell.exe
860	powershell.exe
2608	powershell.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NOSU.exe

Disables Task Manager via registry modification
evasion

Drops file in Program Files directory 56 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.cm	NOSU.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.cm	NOSU.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\eula.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.cm	NOSU.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\eula.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.cm	NOSU.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.cm	NOSU.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.cm	NOSU.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Control	NOSU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOSU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2364	powershell.exe
2984	powershell.exe
2824	powershell.exe
860	powershell.exe
2608	powershell.exe
2212	powershell.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
2084	NOSU.exe
2084	NOSU.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	NOSU.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2364	2084	NOSU.exe	31
PID 2084 wrote to memory of 2364	2084	NOSU.exe	31
PID 2084 wrote to memory of 2364	2084	NOSU.exe	31
PID 2084 wrote to memory of 2364	2084	NOSU.exe	31
PID 2364 wrote to memory of 2984	2364	powershell.exe	33
PID 2364 wrote to memory of 2984	2364	powershell.exe	33
PID 2364 wrote to memory of 2984	2364	powershell.exe	33
PID 2364 wrote to memory of 2984	2364	powershell.exe	33
PID 2084 wrote to memory of 2824	2084	NOSU.exe	34
PID 2084 wrote to memory of 2824	2084	NOSU.exe	34
PID 2084 wrote to memory of 2824	2084	NOSU.exe	34
PID 2084 wrote to memory of 2824	2084	NOSU.exe	34
PID 2824 wrote to memory of 860	2824	powershell.exe	36
PID 2824 wrote to memory of 860	2824	powershell.exe	36
PID 2824 wrote to memory of 860	2824	powershell.exe	36
PID 2824 wrote to memory of 860	2824	powershell.exe	36
PID 2084 wrote to memory of 2608	2084	NOSU.exe	37
PID 2084 wrote to memory of 2608	2084	NOSU.exe	37
PID 2084 wrote to memory of 2608	2084	NOSU.exe	37
PID 2084 wrote to memory of 2608	2084	NOSU.exe	37
PID 2608 wrote to memory of 2212	2608	powershell.exe	39
PID 2608 wrote to memory of 2212	2608	powershell.exe	39
PID 2608 wrote to memory of 2212	2608	powershell.exe	39
PID 2608 wrote to memory of 2212	2608	powershell.exe	39
PID 2084 wrote to memory of 2784	2084	NOSU.exe	40
PID 2084 wrote to memory of 2784	2084	NOSU.exe	40
PID 2084 wrote to memory of 2784	2084	NOSU.exe	40
PID 2084 wrote to memory of 2784	2084	NOSU.exe	40

C:\Users\Admin\AppData\Local\Temp\NOSU.exe
"C:\Users\Admin\AppData\Local\Temp\NOSU.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\Control'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows\Control
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command powershell -Command Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "color 4 && echo Unfortunately, your system has been infected with NOSU virus. && echo This type of virus is classified as critical and we do not have the means to remove it at this time. && echo God help you. && pause"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.cm

Filesize
36KB

MD5
98629fdf433fc01fcdf4518664c62fcc

SHA1
5a3d4a47799c558619f3d7049b45d8776d4d6d4d

SHA256
84dee4a85741a8f9608ac95002fff6eecfbd6f4bf6fc1058827591d9e256a9bf

SHA512
cf4848064179d73523c1623e037df82a6b99fc4b060935cfb9df916be5b179dd8c01f28a5f552bcd4bc9f7dbff7e350bb7dd39add819cfa34ac4dae29053789b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7afca9a1f317cda5cac56e7639749c92

SHA1
89ad73c26d0b0f32c3241e10a2b68fafdb14c9e9

SHA256
3ce0183685446869d516e771dc6b024ea1ac764a386de12c6fedea6c814cbbb7

SHA512
3e27d06d5d71333121c69a48849165ec1eeb989af439fa9fa270500744c6254c3a90ffb1934c28d530d716ac3c573720c572026a0cf14a159c47fb02e7c95e23

Download Submit
memory/2084-0-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/2084-1-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/2084-2-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-35-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/2084-36-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2364-5-0x0000000071431000-0x0000000071432000-memory.dmp

Filesize
4KB

Download
memory/2364-6-0x0000000071430000-0x00000000719DB000-memory.dmp

Filesize
5.7MB

Download
memory/2364-7-0x0000000071430000-0x00000000719DB000-memory.dmp

Filesize
5.7MB

Download
memory/2364-8-0x0000000071430000-0x00000000719DB000-memory.dmp

Filesize
5.7MB

Download
memory/2364-14-0x0000000071430000-0x00000000719DB000-memory.dmp

Filesize
5.7MB

Download