shurk | 4818cac219cb36bbcc6bd7faff8314f3133591336bd9ce17e8f3a8169991e653

Analysis

max time kernel
275s
max time network
278s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-12-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Assembly-CSharp.dll_Decompiler.com.zip
Size

2.0MB
MD5

299d1416a5853b3ef35ea66089ddad89
SHA1

b5a6e6dade62e38d0b95cddb82d07913d59f6e0a
SHA256

4818cac219cb36bbcc6bd7faff8314f3133591336bd9ce17e8f3a8169991e653
SHA512

309e8ac8396db61374bda36e3ad48913a6de347fb5dd64ee80e357370cbea45582d91ec8cecdbbda73ce0f210d0d5c0ada867a9b8e43cce23178c3597414b55a
SSDEEP

24576:WbVFYeKxMWqYhFmMRGVREPhlrmQaTBpd3tDcwr8CGyvD4iXypXfYBtrzd2fhwzdZ:WsXx2yMMRGVqmQap9QwrofiX8AzzvzQu

Score

10^/10

shurk infostealer

Malware Config

Signatures

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk
Shurk family
shurk

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
324	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1072	7zFM.exe
2116	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1072	7zFM.exe
Token: 35	1072	7zFM.exe
Token: SeSecurityPrivilege	1072	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1072	7zFM.exe
1072	7zFM.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe
2116	OpenWith.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Assembly-CSharp.dll_Decompiler.com.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1072

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\GorillaTag.Reactions\SpawnWorldEffects.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f76af597-76f3-4770-966e-0f2f75812ddc.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GorillaTag.Reactions\SpawnWorldEffects.txt

Filesize
2KB

MD5
8b1d56b576cebe571937654aa96ab390

SHA1
b465350ba0e4bdb533708ee8cb2645e26923ce64

SHA256
e0d10216d7b6fd6dcee657e5dc1d4f7b57be9aac6810fa5263ec51fcf30ed586

SHA512
da287635313a052c73b7ae380b4918da4f7cda05d3d98b34b4a78d182936eb7fc10928c17f1a37d62121b021773426068de3cd3be02ec14ce44eb32934b825fb

Download Submit