Overview

overview

10

Static

static

3

wso6rghb.exe

windows7-x64

10

wso6rghb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    22-06-2024 21:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wso6rghb.exe

  • Size

    31.5MB

  • MD5

    44463a510f5c916dee00f95536f17c03

  • SHA1

    4ea56721d3d3dfad48350f8dc0062a88933bfe26

  • SHA256

    d53109ba9cd341b681f38af94dad53cebbb1aa8cfbe87252f37e51cceb0409c4

  • SHA512

    70a9a806d51ecfe57d44b0fec766c1caa79921d81cf3a830e8beef340ce503d778608b82bcdfb17e83ae90334e222a4336ad913deed873ada3e789edb8d9bbac

  • SSDEEP

    786432:L8DYYU85aXV48IX2fbXiuQd2xPEdW4KbmHf2etV:9YU85CxsKbXGuPEdW4vDV

Score
10/10
skuldevasionexecutionpersistencepyinstallerstealertrojanupx

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1254118767479230536/uMZWbLjVaGr8S-PRvi_Z47CPXEDiOJ-ssPsLmthPiK0slWmgI1yaAACp9fcD_soa2x8n

Signatures

  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
    persistence
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 10 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\wso6rghb.exe
    "C:\Users\Admin\AppData\Local\Temp\wso6rghb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\@ewwcringe1.exe
      "C:\Users\Admin\AppData\Local\Temp\@ewwcringe1.exe"
      2⤵
      • Executes dropped EXE
      PID:2332
    • C:\Users\Admin\AppData\Local\Temp\@ewwcringe2.exe
      "C:\Users\Admin\AppData\Local\Temp\@ewwcringe2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Users\Admin\AppData\Local\Temp\@ewwcringe2.exe
        "C:\Users\Admin\AppData\Local\Temp\@ewwcringe2.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2836
    • C:\Users\Admin\AppData\Local\Temp\@ewwcringe3.exe
      "C:\Users\Admin\AppData\Local\Temp\@ewwcringe3.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Users\Admin\AppData\Local\Temp\@ewwcringe3.exe
        "C:\Users\Admin\AppData\Local\Temp\@ewwcringe3.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:304
    • C:\Users\Admin\AppData\Local\Temp\@ewwcringe4.exe
      "C:\Users\Admin\AppData\Local\Temp\@ewwcringe4.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2520
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\@ewwcringe4.exe" /rl HIGHEST /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\@ewwcringe4.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2296
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\@ewwcringe4.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1276
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\wso6rghb.exe" >> NUL
      2⤵
        PID:2960
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1420
    • C:\Users\Admin\AppData\Local\Temp\@ewwcringe4.exe
      C:\Users\Admin\AppData\Local\Temp\@ewwcringe4.exe explorer.exe
      1⤵
      • Executes dropped EXE
      PID:2152
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {A45E98DC-6C1A-4E09-A937-A6FFA1BB601F} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Users\Admin\AppData\Local\Temp\@ewwcringe4.exe
        C:\Users\Admin\AppData\Local\Temp\@ewwcringe4.exe
        2⤵
        • Executes dropped EXE
        PID:3036
      • C:\Users\Admin\AppData\Local\Temp\@ewwcringe4.exe
        C:\Users\Admin\AppData\Local\Temp\@ewwcringe4.exe
        2⤵
        • Executes dropped EXE
        PID:2408

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Active Setup

    1
    T1547.014

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Event Triggered Execution

    1
    T1546

    Image File Execution Options Injection

    1
    T1546.012

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Active Setup

    1
    T1547.014

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Event Triggered Execution

    1
    T1546

    Image File Execution Options Injection

    1
    T1546.012

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    3
    T1562

    Disable or Modify Tools

    3
    T1562.001

    Modify Registry

    6
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\@ewwcringe3.exe
      Filesize

      17.6MB

      MD5

      7b106d2e85e109ef2d39590558576ad0

      SHA1

      fd2e58e1a6f9acddd220cbcae1e8ff2f8f98a0d6

      SHA256

      44b042fce2476cc647c22c705a18870b2a9a1f370143623479bf6d95ed69f5b1

      SHA512

      de17bdad7f9b99261a41776aee9aba85b2407f5c6fed35d509df1ba627e8734e3b0e730adee7e5023d1d37d7b55368e46acc6809b33a426fed7ea20188a62574

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI26122\python310.dll
      Filesize

      1.4MB

      MD5

      cb0b4cf4ee16344ab13914c95e2ef4ce

      SHA1

      ba7a0b9d76e9dccdc6097d7e98ec0d20879e1c61

      SHA256

      a2b591ecadbd12bd1cd6e1c231bff1e814b71e9e99ffca450ece2f736e5ef1b6

      SHA512

      cdc9ad107a275bbe8e93c06f6dd0d2a2c1ac13df92a216fb98485583ecfb6e3d92f2c87c4dd80aceb05f3e9a4113468e60891ef4e3245386eb30201927384dd5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI30122\python312.dll
      Filesize

      1.7MB

      MD5

      18677d48ba556e529b73d6e60afaf812

      SHA1

      68f93ed1e3425432ac639a8f0911c144f1d4c986

      SHA256

      8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

      SHA512

      a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

      Download Submit

    • \Users\Admin\AppData\Local\Temp\@ewwcringe1.exe
      Filesize

      9.5MB

      MD5

      731a1079358da3c16b1a3194e57eb2a7

      SHA1

      2335b7a6166560777161a9901e64613f34973956

      SHA256

      38a352addbbc535386ba3a2374a5c133c24c5ff115ecad7bd3d86173e9e01435

      SHA512

      0a0e0a61090d78bfa821a70c2ec6c9c1c40fe9cede4c7a94eed4fcd0e221ea377712bfea97785e51a2c58bbfd44420a1f63f1d42361da56f42dabb7a038d091b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\@ewwcringe2.exe
      Filesize

      7.4MB

      MD5

      4a82c2af0014bbd4ea5b734c6be267a1

      SHA1

      226ece166cc85c06bac7337e3bb6b5fb4e1c6224

      SHA256

      548b44c82dc3eb23c5f3d612028b474fb195ba1f43a8680f15cfd5e7382152c8

      SHA512

      80067cd5c14a043ac30b4007eb02ea3d4a1e68a4259e705e1cef6605db82e251a8d7f71d393cc744b0523360d735978b1f74b5881e4653322df38f87af2b3414

      Download Submit

    • \Users\Admin\AppData\Local\Temp\@ewwcringe4.exe
      Filesize

      487KB

      MD5

      2512ffd22ca2132712c66a8267807aa8

      SHA1

      c874e8b20fe09f6d028f5e67d9e5c1bbcec3f609

      SHA256

      23f13d84cf85104b23d8323adb04e1c60e463b3ef04aa3f004dbd2d9e5e60c13

      SHA512

      fd888411c363819963aef29a2d68f14d7aeb227a294b018946b98f215307fdc6726e70452b66886f3325c176ef9da9095208e15f33ad19f60f35ad5358947c32

      Download Submit

    • memory/304-169-0x000007FEF57A0000-0x000007FEF5C06000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1196-57-0x0000000005790000-0x000000000592A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1276-174-0x000000001B600000-0x000000001B8E2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1276-175-0x0000000002350000-0x0000000002358000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2152-177-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2408-361-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2408-365-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-220-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-356-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-222-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-496-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-245-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-266-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-287-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-314-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-335-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-193-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-62-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-475-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-385-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-406-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-431-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2520-454-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2836-42-0x000007FEF5C10000-0x000007FEF62D4000-memory.dmp

      Filesize

      6.8MB

      Download

    • memory/3036-225-0x0000000000400000-0x000000000059A000-memory.dmp

      Filesize

      1.6MB

      Download