0c7ae7e72467ca3a226ee0d4a395ed8ac4f88c7e494baa13fdceb56ea2886ee3

Analysis

max time kernel
43s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave.exe
Size

4.1MB
MD5

c2ce7247b063fb5f3e136e82b444a297
SHA1

a38c3b7e4f66cecda9adc17350422f845aecfad8
SHA256

0c7ae7e72467ca3a226ee0d4a395ed8ac4f88c7e494baa13fdceb56ea2886ee3
SHA512

b2f587a43fb4c05c5c8ce90af1dda68f9048a8344ef10de69928e5df0fe498c691af5bf0de9f66fa5c068f0523eb7c331bdf2825cc662ef2b4beb54a639cd93a
SSDEEP

98304:JiSS8sEUwvpuDO0+4dUkAuNRW2s0QZE6B0HkWymCTxVpN8RVfo463RA:JU8sE9xfRkVTWT0oFaEBTTxPAVg4

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3260 powershell.exe
1088 powershell.exe
1580 powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeskuld.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	skuld.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Wave.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation Wave.exe
Executes dropped EXE 1 IoCs

Processes:

skuld.exe

pid process

4456 skuld.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Wave.exe

pid	process
4456	skuld.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Wave.exeskuld.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skuld = "C:\\ProgramData\\skuld.exe"	Wave.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	skuld.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

28 discord.com
26 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
19 api.ipify.org
20 api.ipify.org

flow	ioc
28	discord.com
26	discord.com

flow	ioc
15	ip-api.com
19	api.ipify.org
20	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

skuld.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	skuld.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	skuld.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exewmic.exe

pid process

3440 wmic.exe
4764 wmic.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 24 Go-http-client/1.1

pid	process
3440	wmic.exe
4764	wmic.exe

description	flow	ioc
HTTP User-Agent header	24	Go-http-client/1.1

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

skuld.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	skuld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	skuld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	skuld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	skuld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	skuld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	skuld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	skuld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	skuld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	skuld.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeskuld.exepowershell.exepowershell.exe

pid	process
3260	powershell.exe
3260	powershell.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
1088	powershell.exe
1088	powershell.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4204	powershell.exe
4456	skuld.exe
4456	skuld.exe
4204	powershell.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe
4456	skuld.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Wave.exepowershell.exeskuld.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	3328	Wave.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	4456	skuld.exe
Token: SeIncreaseQuotaPrivilege	880	wmic.exe
Token: SeSecurityPrivilege	880	wmic.exe
Token: SeTakeOwnershipPrivilege	880	wmic.exe
Token: SeLoadDriverPrivilege	880	wmic.exe
Token: SeSystemProfilePrivilege	880	wmic.exe
Token: SeSystemtimePrivilege	880	wmic.exe
Token: SeProfSingleProcessPrivilege	880	wmic.exe
Token: SeIncBasePriorityPrivilege	880	wmic.exe
Token: SeCreatePagefilePrivilege	880	wmic.exe
Token: SeBackupPrivilege	880	wmic.exe
Token: SeRestorePrivilege	880	wmic.exe
Token: SeShutdownPrivilege	880	wmic.exe
Token: SeDebugPrivilege	880	wmic.exe
Token: SeSystemEnvironmentPrivilege	880	wmic.exe
Token: SeRemoteShutdownPrivilege	880	wmic.exe
Token: SeUndockPrivilege	880	wmic.exe
Token: SeManageVolumePrivilege	880	wmic.exe
Token: 33	880	wmic.exe
Token: 34	880	wmic.exe
Token: 35	880	wmic.exe
Token: 36	880	wmic.exe
Token: SeIncreaseQuotaPrivilege	880	wmic.exe
Token: SeSecurityPrivilege	880	wmic.exe
Token: SeTakeOwnershipPrivilege	880	wmic.exe
Token: SeLoadDriverPrivilege	880	wmic.exe
Token: SeSystemProfilePrivilege	880	wmic.exe
Token: SeSystemtimePrivilege	880	wmic.exe
Token: SeProfSingleProcessPrivilege	880	wmic.exe
Token: SeIncBasePriorityPrivilege	880	wmic.exe
Token: SeCreatePagefilePrivilege	880	wmic.exe
Token: SeBackupPrivilege	880	wmic.exe
Token: SeRestorePrivilege	880	wmic.exe
Token: SeShutdownPrivilege	880	wmic.exe
Token: SeDebugPrivilege	880	wmic.exe
Token: SeSystemEnvironmentPrivilege	880	wmic.exe
Token: SeRemoteShutdownPrivilege	880	wmic.exe
Token: SeUndockPrivilege	880	wmic.exe
Token: SeManageVolumePrivilege	880	wmic.exe
Token: 33	880	wmic.exe
Token: 34	880	wmic.exe
Token: 35	880	wmic.exe
Token: 36	880	wmic.exe
Token: SeIncreaseQuotaPrivilege	3440	wmic.exe
Token: SeSecurityPrivilege	3440	wmic.exe
Token: SeTakeOwnershipPrivilege	3440	wmic.exe
Token: SeLoadDriverPrivilege	3440	wmic.exe
Token: SeSystemProfilePrivilege	3440	wmic.exe
Token: SeSystemtimePrivilege	3440	wmic.exe
Token: SeProfSingleProcessPrivilege	3440	wmic.exe
Token: SeIncBasePriorityPrivilege	3440	wmic.exe
Token: SeCreatePagefilePrivilege	3440	wmic.exe
Token: SeBackupPrivilege	3440	wmic.exe
Token: SeRestorePrivilege	3440	wmic.exe
Token: SeShutdownPrivilege	3440	wmic.exe
Token: SeDebugPrivilege	3440	wmic.exe
Token: SeSystemEnvironmentPrivilege	3440	wmic.exe
Token: SeRemoteShutdownPrivilege	3440	wmic.exe
Token: SeUndockPrivilege	3440	wmic.exe
Token: SeManageVolumePrivilege	3440	wmic.exe
Token: 33	3440	wmic.exe
Token: 34	3440	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

skuld.exe

pid process

4456 skuld.exe

pid	process
4456	skuld.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Wave.exeskuld.exepowershell.execsc.exe

description	pid	process	target process
PID 3328 wrote to memory of 3260	3328	Wave.exe	powershell.exe
PID 3328 wrote to memory of 3260	3328	Wave.exe	powershell.exe
PID 3328 wrote to memory of 4456	3328	Wave.exe	skuld.exe
PID 3328 wrote to memory of 4456	3328	Wave.exe	skuld.exe
PID 4456 wrote to memory of 1640	4456	skuld.exe	attrib.exe
PID 4456 wrote to memory of 1640	4456	skuld.exe	attrib.exe
PID 4456 wrote to memory of 2268	4456	skuld.exe	attrib.exe
PID 4456 wrote to memory of 2268	4456	skuld.exe	attrib.exe
PID 4456 wrote to memory of 880	4456	skuld.exe	wmic.exe
PID 4456 wrote to memory of 880	4456	skuld.exe	wmic.exe
PID 4456 wrote to memory of 3440	4456	skuld.exe	wmic.exe
PID 4456 wrote to memory of 3440	4456	skuld.exe	wmic.exe
PID 4456 wrote to memory of 1088	4456	skuld.exe	powershell.exe
PID 4456 wrote to memory of 1088	4456	skuld.exe	powershell.exe
PID 4456 wrote to memory of 4284	4456	skuld.exe	wmic.exe
PID 4456 wrote to memory of 4284	4456	skuld.exe	wmic.exe
PID 4456 wrote to memory of 1836	4456	skuld.exe	wmic.exe
PID 4456 wrote to memory of 1836	4456	skuld.exe	wmic.exe
PID 4456 wrote to memory of 4204	4456	skuld.exe	powershell.exe
PID 4456 wrote to memory of 4204	4456	skuld.exe	powershell.exe
PID 4456 wrote to memory of 4764	4456	skuld.exe	wmic.exe
PID 4456 wrote to memory of 4764	4456	skuld.exe	wmic.exe
PID 4456 wrote to memory of 2484	4456	skuld.exe	wmic.exe
PID 4456 wrote to memory of 2484	4456	skuld.exe	wmic.exe
PID 4456 wrote to memory of 692	4456	skuld.exe	attrib.exe
PID 4456 wrote to memory of 692	4456	skuld.exe	attrib.exe
PID 4456 wrote to memory of 2808	4456	skuld.exe	attrib.exe
PID 4456 wrote to memory of 2808	4456	skuld.exe	attrib.exe
PID 4456 wrote to memory of 2384	4456	skuld.exe	netsh.exe
PID 4456 wrote to memory of 2384	4456	skuld.exe	netsh.exe
PID 4456 wrote to memory of 1580	4456	skuld.exe	powershell.exe
PID 4456 wrote to memory of 1580	4456	skuld.exe	powershell.exe
PID 1580 wrote to memory of 3536	1580	powershell.exe	csc.exe
PID 1580 wrote to memory of 3536	1580	powershell.exe	csc.exe
PID 3536 wrote to memory of 5048	3536	csc.exe	cvtres.exe
PID 3536 wrote to memory of 5048	3536	csc.exe	cvtres.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

2268 attrib.exe
692 attrib.exe
2808 attrib.exe
1640 attrib.exe

pid	process
2268	attrib.exe
692	attrib.exe
2808	attrib.exe
1640	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\skuld.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\ProgramData\skuld.exe
"C:\ProgramData\skuld.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\skuld.exe
3⤵
- Views/modifies file attributes
PID:1640

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
3⤵
- Views/modifies file attributes
PID:2268

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData\skuld.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
PID:4284

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
3⤵
PID:1836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
3⤵
- Detects videocard installed
PID:4764

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
3⤵
PID:2484

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
3⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:692

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
3⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:2808

C:\Windows\system32\netsh.exe
netsh wlan show profiles
3⤵
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\waxv0rnb\waxv0rnb.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EB5.tmp" "c:\Users\Admin\AppData\Local\Temp\waxv0rnb\CSC93D02CDA53F048C897F52046FCAFA8D.TMP"
5⤵
PID:5048

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:8

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\skuld.exe
Filesize
9.5MB

MD5
43fcd3b29eeccf8c7f116dac0966089f

SHA1
ea9e2d9476082ce8222f9c5f106f3f5c10fff8f6

SHA256
229fb73dfa0642ae2b2ee8b32d99b3b20cbebb6087b4581479322a16887b6010

SHA512
01ef822e91a00efe78d9c0c5948205693f86477cc74d8eb5495928931df5b102cf85c63cae7b1e19497547bb2869c5495eeef389f19f3dd21fcd0376cfd2a8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
45514adcd9a8214c4e769d7eafff8518

SHA1
ca1be5f767a21be2aabf376dd286462095cfd56f

SHA256
bb58c2419cca90776019b0202a377a9287e45a266093b0878bf60dae59640c1b

SHA512
3a8c56553f83d8d5f4532f326385d5b311ae0ba0f67967685e8d5f17a7302eec421fc0ab572617987624b623e74d523040068a3ed0bffc26a72e667df0f12da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7EB5.tmp
Filesize
1KB

MD5
b0da5daee3038d1cca19a815052fdca0

SHA1
92d60b83bb553fa0ee67efaaa6b067df80592169

SHA256
1c6e7941d1bf5300aa4cc4383e00cac272167a7dab6796e7c5d222bf9d816b0a

SHA512
bb19c343c3b4b32477d4101ed8711168740cd542d04ce7ae17d02b4407a7fdc7f4fb25aae8dc603fb3e413141c8aea46befc1ea6367fdb68f9946b1ab1a6cb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_asajrgyy.13d.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhS2UOrnGc\Display (1).png
Filesize
413KB

MD5
6b16dbee8a442cc78d99c346d86f2dc7

SHA1
357a064b926ca4181207d3ca0d3be87d2f941c3e

SHA256
d22826b2c9a8316aeca203096c05e2f702af2c522ca970d1a5b22d72c98a704a

SHA512
76eac4d8b055eefc4509a27629519bbbbf9c431d6da3b2bb9fe95c322d86150cf3da69ba6ee252d13e0ed365b444e9fb61e5126e933d7871b92da2910462db6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\waxv0rnb\waxv0rnb.dll
Filesize
4KB

MD5
f24e01571f2ef87fbdbdbd62100fab2e

SHA1
c06296c1ab42c217c0f85a9a6e913820dbcf83e7

SHA256
37a16fa7ab9058e6c1f629bb3b15a01a42bae2a3ac0869513affa5fc5c628f2f

SHA512
e68fa490aff31f5cad0c068b4dd59e0786b4d0b43ea6dca88eda86037cfb43cb32cf79291168338fe11e32d59f22893f879affd846fbe737f36ef0af7b7dba2f

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\waxv0rnb\CSC93D02CDA53F048C897F52046FCAFA8D.TMP
Filesize
652B

MD5
dc31a5dd364fb6ddc86f9c82cdb5fe8f

SHA1
cda02af2c4705fd95ef4acb0b96b775cfa6e5562

SHA256
788d85b1ab7bf3af1ba920000eec4f251497bf4a5a91909a8196ff1c4463c77d

SHA512
21de3d6744a491de5b0000cf7ef58e35178d4d79b861d72788100f7b775b5ba761f15443511a7a4bca496434064414ec1b37b82bf71e404110ff7a43bda016bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\waxv0rnb\waxv0rnb.0.cs
Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\waxv0rnb\waxv0rnb.cmdline
Filesize
607B

MD5
3b13de75bca8ad4bdefe0fb8d30537ca

SHA1
98b12d9815ca93d330d872af2eb3bb862c984849

SHA256
bd3d4a6bb0ff62862c051bc2d9038a5ec69e6a2a30bbd207d27f7d7ee706b15f

SHA512
2344581cb5c1a9ffb2376e7afffcb98bf020c88153642586fe1d01a073a66d75f5ee672863f96dfb3662b803140324f79d615fca506c09dd0b3aa2fb58c88aa8

Download Submit
memory/1580-88-0x00000172C65B0000-0x00000172C65B8000-memory.dmp

Filesize
32KB

Download
memory/3260-3-0x00007FF96DF70000-0x00007FF96EA31000-memory.dmp

Filesize
10.8MB

Download
memory/3260-11-0x00000216E4EA0000-0x00000216E4EC2000-memory.dmp

Filesize
136KB

Download
memory/3260-4-0x00007FF96DF70000-0x00007FF96EA31000-memory.dmp

Filesize
10.8MB

Download
memory/3260-5-0x00007FF96DF70000-0x00007FF96EA31000-memory.dmp

Filesize
10.8MB

Download
memory/3260-18-0x00007FF96DF70000-0x00007FF96EA31000-memory.dmp

Filesize
10.8MB

Download
memory/3328-1-0x00000000006E0000-0x0000000000AFA000-memory.dmp

Filesize
4.1MB

Download
memory/3328-0-0x00007FF96DF73000-0x00007FF96DF75000-memory.dmp

Filesize
8KB

Download
memory/3328-2-0x00007FF96DF70000-0x00007FF96EA31000-memory.dmp

Filesize
10.8MB

Download
memory/3328-93-0x00007FF96DF73000-0x00007FF96DF75000-memory.dmp

Filesize
8KB

Download
memory/3328-94-0x00007FF96DF70000-0x00007FF96EA31000-memory.dmp

Filesize
10.8MB

Download
memory/3328-96-0x00007FF96DF70000-0x00007FF96EA31000-memory.dmp

Filesize
10.8MB

Download