skuld | f20c519a5f2a470fa4fb325736b7a63f95a7ff3f40362992fb24993ad721b137

Analysis

max time kernel
600s
max time network
362s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22/06/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

14.3MB
MD5

e517e8e89b0217b712c2723bce9672a0
SHA1

240b45da252b8ba7555c0a89de3a0e3a9351e5fc
SHA256

f20c519a5f2a470fa4fb325736b7a63f95a7ff3f40362992fb24993ad721b137
SHA512

48fb2fd308b278e47ff247f7eb025c2da805f040ff587edefca16570bc8ba876b5d6adc383c47b62e5fd33c255ae2edf1941cc98bc56fa609d74bc087bd942d9
SSDEEP

196608:jMhP4WgzpUmKAUTo4z3wVSIPLFFrL0AGtWT6U9:jyP2Oo40HLvL7Gty9

Score

10^/10

skuld evasion persistence stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1254198620102594621/No6jloWQ57wzq3vilj1sf51CnodPLo51Rm4myHwx_3QsP6yctAWQozLZQ-NPJTX5tFpl

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Executes dropped EXE 6 IoCs

pid	Process
2144	main.exe
2556	icsys.icn.exe
2600	explorer.exe
2436	spoolsv.exe
2448	svchost.exe
2412	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
3028	main.exe
3028	main.exe
2504	Process not Found
3028	main.exe
2556	icsys.icn.exe
2600	explorer.exe
2436	spoolsv.exe
2448	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	main.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1228	schtasks.exe
1760	schtasks.exe
240	schtasks.exe
2816	schtasks.exe
2352	schtasks.exe
1304	schtasks.exe
888	schtasks.exe
2900	schtasks.exe
1452	schtasks.exe
1376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
3028	main.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe
2448	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2600	explorer.exe
2448	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3028	main.exe
3028	main.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2600	explorer.exe
2600	explorer.exe
2436	spoolsv.exe
2436	spoolsv.exe
2448	svchost.exe
2448	svchost.exe
2412	spoolsv.exe
2412	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2144	3028	main.exe	28
PID 3028 wrote to memory of 2144	3028	main.exe	28
PID 3028 wrote to memory of 2144	3028	main.exe	28
PID 3028 wrote to memory of 2144	3028	main.exe	28
PID 3028 wrote to memory of 2556	3028	main.exe	30
PID 3028 wrote to memory of 2556	3028	main.exe	30
PID 3028 wrote to memory of 2556	3028	main.exe	30
PID 3028 wrote to memory of 2556	3028	main.exe	30
PID 2556 wrote to memory of 2600	2556	icsys.icn.exe	31
PID 2556 wrote to memory of 2600	2556	icsys.icn.exe	31
PID 2556 wrote to memory of 2600	2556	icsys.icn.exe	31
PID 2556 wrote to memory of 2600	2556	icsys.icn.exe	31
PID 2600 wrote to memory of 2436	2600	explorer.exe	32
PID 2600 wrote to memory of 2436	2600	explorer.exe	32
PID 2600 wrote to memory of 2436	2600	explorer.exe	32
PID 2600 wrote to memory of 2436	2600	explorer.exe	32
PID 2436 wrote to memory of 2448	2436	spoolsv.exe	33
PID 2436 wrote to memory of 2448	2436	spoolsv.exe	33
PID 2436 wrote to memory of 2448	2436	spoolsv.exe	33
PID 2436 wrote to memory of 2448	2436	spoolsv.exe	33
PID 2448 wrote to memory of 2412	2448	svchost.exe	34
PID 2448 wrote to memory of 2412	2448	svchost.exe	34
PID 2448 wrote to memory of 2412	2448	svchost.exe	34
PID 2448 wrote to memory of 2412	2448	svchost.exe	34
PID 2600 wrote to memory of 3032	2600	explorer.exe	35
PID 2600 wrote to memory of 3032	2600	explorer.exe	35
PID 2600 wrote to memory of 3032	2600	explorer.exe	35
PID 2600 wrote to memory of 3032	2600	explorer.exe	35
PID 2448 wrote to memory of 240	2448	svchost.exe	36
PID 2448 wrote to memory of 240	2448	svchost.exe	36
PID 2448 wrote to memory of 240	2448	svchost.exe	36
PID 2448 wrote to memory of 240	2448	svchost.exe	36
PID 2448 wrote to memory of 1228	2448	svchost.exe	42
PID 2448 wrote to memory of 1228	2448	svchost.exe	42
PID 2448 wrote to memory of 1228	2448	svchost.exe	42
PID 2448 wrote to memory of 1228	2448	svchost.exe	42
PID 2448 wrote to memory of 2816	2448	svchost.exe	44
PID 2448 wrote to memory of 2816	2448	svchost.exe	44
PID 2448 wrote to memory of 2816	2448	svchost.exe	44
PID 2448 wrote to memory of 2816	2448	svchost.exe	44
PID 2448 wrote to memory of 2352	2448	svchost.exe	46
PID 2448 wrote to memory of 2352	2448	svchost.exe	46
PID 2448 wrote to memory of 2352	2448	svchost.exe	46
PID 2448 wrote to memory of 2352	2448	svchost.exe	46
PID 2448 wrote to memory of 1304	2448	svchost.exe	48
PID 2448 wrote to memory of 1304	2448	svchost.exe	48
PID 2448 wrote to memory of 1304	2448	svchost.exe	48
PID 2448 wrote to memory of 1304	2448	svchost.exe	48
PID 2448 wrote to memory of 888	2448	svchost.exe	50
PID 2448 wrote to memory of 888	2448	svchost.exe	50
PID 2448 wrote to memory of 888	2448	svchost.exe	50
PID 2448 wrote to memory of 888	2448	svchost.exe	50
PID 2448 wrote to memory of 1760	2448	svchost.exe	52
PID 2448 wrote to memory of 1760	2448	svchost.exe	52
PID 2448 wrote to memory of 1760	2448	svchost.exe	52
PID 2448 wrote to memory of 1760	2448	svchost.exe	52
PID 2448 wrote to memory of 2900	2448	svchost.exe	54
PID 2448 wrote to memory of 2900	2448	svchost.exe	54
PID 2448 wrote to memory of 2900	2448	svchost.exe	54
PID 2448 wrote to memory of 2900	2448	svchost.exe	54
PID 2448 wrote to memory of 1452	2448	svchost.exe	56
PID 2448 wrote to memory of 1452	2448	svchost.exe	56
PID 2448 wrote to memory of 1452	2448	svchost.exe	56
PID 2448 wrote to memory of 1452	2448	svchost.exe	56

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028
- \??\c:\users\admin\appdata\local\temp\main.exe
  c:\users\admin\appdata\local\temp\main.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2436
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2412
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:25 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:240
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:26 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1228
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:27 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2816
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:28 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2352
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:29 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1304
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:30 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:888
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:31 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1760
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:32 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2900
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:33 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1452
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:34 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1376
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\main.exe

Filesize
14.2MB

MD5
79eb03e5760482cf9bf4a781de9aefd0

SHA1
cd27d46f8c5a134696d62b1521f71158f124b35a

SHA256
ffdac036f40a0d3bac9efa13a7d086dfce3a2a6ab3c5354fb37f56b822647885

SHA512
ee2067f5609223e029eebb7ccca96033d8cfad62321bf35baad133df79500edd376949800b073549a3ce09917e1f58d593b2fc933cd7fe23a000b253de34fe7d

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
51d376eb445696b3cb56dde6d56baaa9

SHA1
d04b7f77ec6c731b8dbdfc1ae33ab49058c72694

SHA256
04787faa4de422ed490498c1cc7fa021627312f41ab8bd594c1a751b5e4ed822

SHA512
1780ec6327852d5f82b22082618b16247e8d2c1aeef1612954313dffabbe05a6ef2c70869a39d70898d4cc954186ae516c02803a57f67bc7a4d3efd699cf0a5f

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
012b5e53af0e19c09932b13cd27f8c80

SHA1
250d7945ca0a1d3c2d4c2595efb35c3428770b18

SHA256
6ecbd129a6a65749130e1511357f939f91cbf8de414ffa9542db7606917ee5ce

SHA512
9d4c595317ef6ddf2995c3285f10aeca4d343f592b11c6402722d8b9940f08105a10e963a584950d56a1b75e6147c94b1885248743b7e54d3dbf6ce82adbc9ec

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
3a927d29ab96d02d2b9afd633c0805f3

SHA1
b365db399840f0ef54597afc3941fc25851782fb

SHA256
17d28e4d1953b1fe626dc6a12f44781173ff6a4a08f486291febe8d53385334f

SHA512
e6fd1cca8c1970a825244c7ad485d096a8eaac4802041520abd62415ef39f19e6bd0f207816144b76f08fb6cfec22582df376c487567e77e40fa8d67d274a3c9

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
756c19fd5bb88e2fca3947822a69c6b1

SHA1
e7abb01d493bed4c072ec9d066cdf6ae4e5a17d2

SHA256
21040aa334e7d9508e2d137d7227835c145c573fee45181518316df5183c9811

SHA512
84f8feeee31dadc5ec5b2e671e742de5eb9b300015a7d11f3da1ed76385feee9be7eacc4fd33538bd7da9a4604104f985675e31d3f9879baa00221a4df5004fb

Download Submit
memory/2412-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2412-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2436-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2436-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2448-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2448-59-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2556-27-0x0000000001CB0000-0x0000000001CCF000-memory.dmp

Filesize
124KB

Download
memory/2556-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2600-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2600-41-0x0000000000360000-0x000000000037F000-memory.dmp

Filesize
124KB

Download
memory/2600-67-0x0000000000360000-0x000000000037F000-memory.dmp

Filesize
124KB

Download
memory/3028-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3028-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3028-15-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download