skuld | 96f8c4d428daa5a50489c73f48a563d98a9fc17dead3a9e50fe19842fab0a795

Analysis

max time kernel
194s
max time network
255s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skuld.exe
Size

3.6MB
MD5

4cc05288a42115b5e73bbd793a3d9abd
SHA1

839161afaf58f73af7c2be1493b134aa28035ef1
SHA256

96f8c4d428daa5a50489c73f48a563d98a9fc17dead3a9e50fe19842fab0a795
SHA512

f121866af5a3d9b080e07d30aab988fd7399b2eaa256efc76d69bab1156347558a4d389ee3c3b766c664bdc2d13ea1d877c778cd2397d250b47f16c6d85de848
SSDEEP

98304:ide/ZwLJb2arvBP37ntULaBt9JSgneQqvUK8Y:idkZ2JSuB/btU49SgHqvv

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1257036488672153761/NvDp_1b2nXLy-u8-yrTiFucpasoL2g34R7fCAV1w_Hji_Wd5urWsmS5DdJXMZb_5lbXp

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

skuld.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	skuld.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org

flow	ioc
1	api.ipify.org
2	api.ipify.org

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

skuld.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	840	skuld.exe
Token: SeIncreaseQuotaPrivilege	780	wmic.exe
Token: SeSecurityPrivilege	780	wmic.exe
Token: SeTakeOwnershipPrivilege	780	wmic.exe
Token: SeLoadDriverPrivilege	780	wmic.exe
Token: SeSystemProfilePrivilege	780	wmic.exe
Token: SeSystemtimePrivilege	780	wmic.exe
Token: SeProfSingleProcessPrivilege	780	wmic.exe
Token: SeIncBasePriorityPrivilege	780	wmic.exe
Token: SeCreatePagefilePrivilege	780	wmic.exe
Token: SeBackupPrivilege	780	wmic.exe
Token: SeRestorePrivilege	780	wmic.exe
Token: SeShutdownPrivilege	780	wmic.exe
Token: SeDebugPrivilege	780	wmic.exe
Token: SeSystemEnvironmentPrivilege	780	wmic.exe
Token: SeRemoteShutdownPrivilege	780	wmic.exe
Token: SeUndockPrivilege	780	wmic.exe
Token: SeManageVolumePrivilege	780	wmic.exe
Token: 33	780	wmic.exe
Token: 34	780	wmic.exe
Token: 35	780	wmic.exe
Token: 36	780	wmic.exe
Token: SeIncreaseQuotaPrivilege	780	wmic.exe
Token: SeSecurityPrivilege	780	wmic.exe
Token: SeTakeOwnershipPrivilege	780	wmic.exe
Token: SeLoadDriverPrivilege	780	wmic.exe
Token: SeSystemProfilePrivilege	780	wmic.exe
Token: SeSystemtimePrivilege	780	wmic.exe
Token: SeProfSingleProcessPrivilege	780	wmic.exe
Token: SeIncBasePriorityPrivilege	780	wmic.exe
Token: SeCreatePagefilePrivilege	780	wmic.exe
Token: SeBackupPrivilege	780	wmic.exe
Token: SeRestorePrivilege	780	wmic.exe
Token: SeShutdownPrivilege	780	wmic.exe
Token: SeDebugPrivilege	780	wmic.exe
Token: SeSystemEnvironmentPrivilege	780	wmic.exe
Token: SeRemoteShutdownPrivilege	780	wmic.exe
Token: SeUndockPrivilege	780	wmic.exe
Token: SeManageVolumePrivilege	780	wmic.exe
Token: 33	780	wmic.exe
Token: 34	780	wmic.exe
Token: 35	780	wmic.exe
Token: 36	780	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

skuld.exe

description	pid	process	target process
PID 840 wrote to memory of 600	840	skuld.exe	attrib.exe
PID 840 wrote to memory of 600	840	skuld.exe	attrib.exe
PID 840 wrote to memory of 4160	840	skuld.exe	attrib.exe
PID 840 wrote to memory of 4160	840	skuld.exe	attrib.exe
PID 840 wrote to memory of 780	840	skuld.exe	wmic.exe
PID 840 wrote to memory of 780	840	skuld.exe	wmic.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

600 attrib.exe
4160 attrib.exe

pid	process
600	attrib.exe
4160	attrib.exe

C:\Users\Admin\AppData\Local\Temp\skuld.exe
"C:\Users\Admin\AppData\Local\Temp\skuld.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\skuld.exe
  2⤵
  - Views/modifies file attributes
  PID:600
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4160
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
3.6MB

MD5
4cc05288a42115b5e73bbd793a3d9abd

SHA1
839161afaf58f73af7c2be1493b134aa28035ef1

SHA256
96f8c4d428daa5a50489c73f48a563d98a9fc17dead3a9e50fe19842fab0a795

SHA512
f121866af5a3d9b080e07d30aab988fd7399b2eaa256efc76d69bab1156347558a4d389ee3c3b766c664bdc2d13ea1d877c778cd2397d250b47f16c6d85de848

Download Submit
memory/840-0-0x0000000000CE0000-0x0000000001702000-memory.dmp

Filesize
10.1MB

Download
memory/840-4-0x0000000000CE0000-0x0000000001702000-memory.dmp

Filesize
10.1MB

Download