Overview

overview

10

Static

static

10

main.exe

windows7-x64

1

main.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-06-2024 21:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main.exe

  • Size

    14.2MB

  • MD5

    2d48e14160b815234bfcc517f6500231

  • SHA1

    381c3152ca6ad548ea2bd8a83423e6e4bfe5508b

  • SHA256

    9756e20697023876ef8e570658d2b35bed2548bf05c124b2f96f6203dae243c7

  • SHA512

    9c2c38a399c8d985ee058814bf87dad90347aed7faf2c9597f011da63fd7f6f6d405e689cf3be3c108f675bf4589ff078a8ecb2dba1bafc15aaa1ce9458e31b8

  • SSDEEP

    196608:IMhP4WgzpUmKAU/o4z3wVSIPLFFrL0AGtWT6U:IyP2mo40HLvL7Gty

Score
10/10
skuldpersistencestealer

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1253813102223298560/O-L6iguyX5rluzD2U1_iyLQ7zm9faaFnF1M8hhYXbMbx7q6jl_GsrV427yX8oo062mN0

Signatures

  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\main.exe
      2⤵
      • Views/modifies file attributes
      PID:1996
    • C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3120
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      2⤵
      • Views/modifies file attributes
      PID:4188
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:5088

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      Filesize

      14.2MB

      MD5

      2d48e14160b815234bfcc517f6500231

      SHA1

      381c3152ca6ad548ea2bd8a83423e6e4bfe5508b

      SHA256

      9756e20697023876ef8e570658d2b35bed2548bf05c124b2f96f6203dae243c7

      SHA512

      9c2c38a399c8d985ee058814bf87dad90347aed7faf2c9597f011da63fd7f6f6d405e689cf3be3c108f675bf4589ff078a8ecb2dba1bafc15aaa1ce9458e31b8

      Download Submit