Analysis
-
max time kernel
13s -
max time network
22s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
06-07-2024 21:04
General
-
Target
main.exe
-
Size
9.5MB
-
MD5
15767d56c12becc21502a59355a9c163
-
SHA1
360524f903a06307f32a9fd8ca839da949c75916
-
SHA256
7cb04b7c094f2f1beb40a7b27136a9ff9c954b3edda52f5de99b31635e50b6db
-
SHA512
e7faa7034920ed376869548fe2107035d7c24c578961fa2a1317f5f2231b2333668fd475a3b2deaf99fc4e87894f59837d40950f67cdadb4b1b016d0761dc13a
-
SSDEEP
98304:NzZIWZX0gybHFmOKMW2S6by4ELW/6FQKVVSf:n3501sMW2SiyxqEVVSf
Malware Config
Extracted
skuld
https://discord.com/api/webhooks/1258496423444615342/CgJY-4xdm5Ye24oauoByyHTOC86vzjGJvv8cMxKQz03UpkK8RVz4-rL3_dhMIWWysqJ_
Signatures
-
Skuld stealer
An info stealer written in Go lang.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\main.exe"C:\Users\Admin\AppData\Local\Temp\main.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Local\Temp\main.exe2⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe2⤵
- Views/modifies file attributes
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.5MB
MD515767d56c12becc21502a59355a9c163
SHA1360524f903a06307f32a9fd8ca839da949c75916
SHA2567cb04b7c094f2f1beb40a7b27136a9ff9c954b3edda52f5de99b31635e50b6db
SHA512e7faa7034920ed376869548fe2107035d7c24c578961fa2a1317f5f2231b2333668fd475a3b2deaf99fc4e87894f59837d40950f67cdadb4b1b016d0761dc13a