Overview

overview

10

Static

static

3

f6d2a096d2...87.exe

windows7-x64

f6d2a096d2...87.exe

windows10-2004-x64

Analysis

  • max time kernel
    34s
  • max time network
    38s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-09-2024 21:58

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    f6d2a096d2f84946c85ceba852d97989da318ad6bf12fb439d8db07018859887.exe

  • Size

    2.7MB

  • MD5

    b40871d23e2fa2f277540c332a4440be

  • SHA1

    d2f941a9bc8af6d622cb4ff333724dc381c9b736

  • SHA256

    f6d2a096d2f84946c85ceba852d97989da318ad6bf12fb439d8db07018859887

  • SHA512

    d3e00138c209436d47409da3af259de5c15205ccb28f32f4bb825544fced6814d368042b8986c927ed61fa1de8336f3b20be6efa898b8e0d83f189629b56f5d7

  • SSDEEP

    49152:/IDwxS03F7//+M+cXyxkKYDuayq2G1JdWcl/dXUONFjUE08B+UUPU8:Ayl3F7//+MfKYDuC2yPkO0GBOL

Score
10/10
shurkbootkitdiscoveryevasioninfostealerpersistenceransomwareupx

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
    persistence
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 19 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6d2a096d2f84946c85ceba852d97989da318ad6bf12fb439d8db07018859887.exe
    "C:\Users\Admin\AppData\Local\Temp\f6d2a096d2f84946c85ceba852d97989da318ad6bf12fb439d8db07018859887.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2308
    • C:\Windows\SysWOW64\attrib.exe
      attrib +s +a +h +r ¾¯¸æ.exe
      2⤵
      • Sets file to hidden
      • System Location Discovery: System Language Discovery
      • Views/modifies file attributes
      PID:2764
    • C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
      2⤵
      • Disables RegEdit via registry modification
      • System Location Discovery: System Language Discovery
      PID:2112
    • C:\Windows\SysWOW64\regini.exe
      regini www.ini
      2⤵
      • Event Triggered Execution: Image File Execution Options Injection
      PID:2904
    • C:\Windows\SysWOW64\regini.exe
      regini www.ini
      2⤵
        PID:2756
      • C:\Windows\SysWOW64\net.exe
        net user Admin 123456789876544567898765456789yfghjhbvbnmnbv
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user Admin 123456789876544567898765456789yfghjhbvbnmnbv
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3068
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +a +h +r ¾¯¸æ.exe
        2⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2940
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
        2⤵
          PID:2608
        • C:\Windows\SysWOW64\regini.exe
          regini www.ini
          2⤵
            PID:2824
          • C:\Windows\SysWOW64\regini.exe
            regini www.ini
            2⤵
              PID:2016
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x0
            1⤵
              PID:2948
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x1
              1⤵
                PID:1428

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\1.jpg
                Filesize

                40KB

                MD5

                51e9c408acf648c40340cdaf57e7b031

                SHA1

                ae6afe04a08cf9a918f954ebc634028fbf26d977

                SHA256

                39c0572849bdc5ede4fd7894c704d5710e421b56582ff439206790ce05b84368

                SHA512

                e1508f8241c9a53981b441e6eef22dc4a98ab2d083ac471f976d18b5d0a2e3029f8705461a0ea80a8435e59f363d53994a621059ba0f2db4f4118c7db6a2d70e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\www.ini
                Filesize

                101B

                MD5

                df98f458d660ecdf388d0d7098b92879

                SHA1

                4bf6e30eb206475678d13860b72fd89792e177cd

                SHA256

                ce80722c95f952938a53b800a0633bf85625c06ad7d6cc9c9c3a8d5ee1f4d979

                SHA512

                0ce2c057b5ae123d8d98f6032b80ea273573223976a60fb86a29ffeff4234598d828da6d28476f12e9938887d2c11fbb1fd3b18290efdc102b210c9146803778

                Download Submit

              • \Users\Admin\AppData\Local\Temp\ExtraDll.dll
                Filesize

                97KB

                MD5

                c35425ad1f0c32225d307310deccc335

                SHA1

                b2e347b244e40ffa113dffaffd1895777e3ac30a

                SHA256

                48773d597155dc39dd172c26867972da89dd61fcee0d138433eda26a2d8633b7

                SHA512

                47b6a7447fcc4f9f21018f608fcbdb5650f16cbd869cae5d4ed5d9b88ca1e944de1cac10e9a252aa7b210f1a31456c0ed91728b8a7e24def99d7e3f9683e2bae

                Download Submit

              • memory/2308-4-0x0000000074720000-0x000000007475C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/2308-9-0x0000000074720000-0x000000007475C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/2308-10-0x0000000074720000-0x000000007475C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/2308-28-0x0000000074720000-0x000000007475C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/2308-29-0x0000000074720000-0x000000007475C000-memory.dmp

                Filesize

                240KB

                Download