skuld | 6a2e5993469b6b620c3ef4a9352e6e2b8d825146e3fb388391b8e91b47594503

Analysis

max time kernel
79s
max time network
87s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-08-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skuld.exe
Size

9.5MB
MD5

655c7596f98a9c606483e69e5c8c9ff4
SHA1

bede56d95e12fad34087580bbf1c017b9e2c7ed1
SHA256

6a2e5993469b6b620c3ef4a9352e6e2b8d825146e3fb388391b8e91b47594503
SHA512

33097433252dd9618bf362031dffa50740e83d72cbf3733f6e7a4d156e3e7ba732f01a56037555d57cffdbbe2f060353f8c4935fc7ec8add2031147c80701519
SSDEEP

98304:8LHFot0wLNGDRSdL8oT+ia1+mkAEQmP7F/Bz2aIP:iOt0wLX8oT+H1+mk5Qmz5IP

Score

10^/10

skuld persistence stealer

Malware Config

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

skuld.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	skuld.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org

flow	ioc
1	api.ipify.org
2	api.ipify.org

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

skuld.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1580	skuld.exe
Token: SeIncreaseQuotaPrivilege	3804	wmic.exe
Token: SeSecurityPrivilege	3804	wmic.exe
Token: SeTakeOwnershipPrivilege	3804	wmic.exe
Token: SeLoadDriverPrivilege	3804	wmic.exe
Token: SeSystemProfilePrivilege	3804	wmic.exe
Token: SeSystemtimePrivilege	3804	wmic.exe
Token: SeProfSingleProcessPrivilege	3804	wmic.exe
Token: SeIncBasePriorityPrivilege	3804	wmic.exe
Token: SeCreatePagefilePrivilege	3804	wmic.exe
Token: SeBackupPrivilege	3804	wmic.exe
Token: SeRestorePrivilege	3804	wmic.exe
Token: SeShutdownPrivilege	3804	wmic.exe
Token: SeDebugPrivilege	3804	wmic.exe
Token: SeSystemEnvironmentPrivilege	3804	wmic.exe
Token: SeRemoteShutdownPrivilege	3804	wmic.exe
Token: SeUndockPrivilege	3804	wmic.exe
Token: SeManageVolumePrivilege	3804	wmic.exe
Token: 33	3804	wmic.exe
Token: 34	3804	wmic.exe
Token: 35	3804	wmic.exe
Token: 36	3804	wmic.exe
Token: SeIncreaseQuotaPrivilege	3804	wmic.exe
Token: SeSecurityPrivilege	3804	wmic.exe
Token: SeTakeOwnershipPrivilege	3804	wmic.exe
Token: SeLoadDriverPrivilege	3804	wmic.exe
Token: SeSystemProfilePrivilege	3804	wmic.exe
Token: SeSystemtimePrivilege	3804	wmic.exe
Token: SeProfSingleProcessPrivilege	3804	wmic.exe
Token: SeIncBasePriorityPrivilege	3804	wmic.exe
Token: SeCreatePagefilePrivilege	3804	wmic.exe
Token: SeBackupPrivilege	3804	wmic.exe
Token: SeRestorePrivilege	3804	wmic.exe
Token: SeShutdownPrivilege	3804	wmic.exe
Token: SeDebugPrivilege	3804	wmic.exe
Token: SeSystemEnvironmentPrivilege	3804	wmic.exe
Token: SeRemoteShutdownPrivilege	3804	wmic.exe
Token: SeUndockPrivilege	3804	wmic.exe
Token: SeManageVolumePrivilege	3804	wmic.exe
Token: 33	3804	wmic.exe
Token: 34	3804	wmic.exe
Token: 35	3804	wmic.exe
Token: 36	3804	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

skuld.exe

description	pid	process	target process
PID 1580 wrote to memory of 1404	1580	skuld.exe	attrib.exe
PID 1580 wrote to memory of 1404	1580	skuld.exe	attrib.exe
PID 1580 wrote to memory of 4908	1580	skuld.exe	attrib.exe
PID 1580 wrote to memory of 4908	1580	skuld.exe	attrib.exe
PID 1580 wrote to memory of 3804	1580	skuld.exe	wmic.exe
PID 1580 wrote to memory of 3804	1580	skuld.exe	wmic.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1404 attrib.exe
4908 attrib.exe

pid	process
1404	attrib.exe
4908	attrib.exe

C:\Users\Admin\AppData\Local\Temp\skuld.exe
"C:\Users\Admin\AppData\Local\Temp\skuld.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\skuld.exe
  2⤵
  - Views/modifies file attributes
  PID:1404
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4908
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.5MB

MD5
655c7596f98a9c606483e69e5c8c9ff4

SHA1
bede56d95e12fad34087580bbf1c017b9e2c7ed1

SHA256
6a2e5993469b6b620c3ef4a9352e6e2b8d825146e3fb388391b8e91b47594503

SHA512
33097433252dd9618bf362031dffa50740e83d72cbf3733f6e7a4d156e3e7ba732f01a56037555d57cffdbbe2f060353f8c4935fc7ec8add2031147c80701519

Download Submit