skuld | 0d0cae8bd18fa3651c20c36eef95c57b9c628b8f8f34ccd815b353e38629ef1d

Analysis

max time kernel
4s
max time network
6s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skuld.exe
Size

9.5MB
MD5

0f4ab4d8d417e5a6de7a3bee48bf9bf5
SHA1

6facdd19f68318f1a921eeaaec5357dbc83d1f09
SHA256

0d0cae8bd18fa3651c20c36eef95c57b9c628b8f8f34ccd815b353e38629ef1d
SHA512

a59f1357ed58ec31ce39b4d8cfdb87a465ed0841548679d5243ad3c9dbe69657ef5afea0f3187343c6ad3919219b48d5043e715ab52190dbffed52ff6770041e
SSDEEP

98304:bq+hSe9c0IA4WZCWdeU22wr64EElpEkF8P6COf6:bzlW0/rgU22wm49lpS6COf6

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1256288994715504753/vRZ2YlmvWav_Xq3tKlvLbuDavow9TpxdgABdnYwerMJM9BsEbaV9yHxghPye81qRv_Pc

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	skuld.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	920	skuld.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 3164	920	skuld.exe	81
PID 920 wrote to memory of 3164	920	skuld.exe	81
PID 920 wrote to memory of 1780	920	skuld.exe	82
PID 920 wrote to memory of 1780	920	skuld.exe	82

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3164	attrib.exe
1780	attrib.exe

C:\Users\Admin\AppData\Local\Temp\skuld.exe
"C:\Users\Admin\AppData\Local\Temp\skuld.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\skuld.exe
  2⤵
  - Views/modifies file attributes
  PID:3164
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.5MB

MD5
0f4ab4d8d417e5a6de7a3bee48bf9bf5

SHA1
6facdd19f68318f1a921eeaaec5357dbc83d1f09

SHA256
0d0cae8bd18fa3651c20c36eef95c57b9c628b8f8f34ccd815b353e38629ef1d

SHA512
a59f1357ed58ec31ce39b4d8cfdb87a465ed0841548679d5243ad3c9dbe69657ef5afea0f3187343c6ad3919219b48d5043e715ab52190dbffed52ff6770041e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads