skuld | 80b9912b40dbbba68f9b83c2f18495149cc120a285ab7fae0a333e223412eb3f

General

Target

RealtekHDAudioManager.exe
Size

9.9MB
MD5

66dcb8e404e39465f21e8c17c223cbce
SHA1

7e2f220191e06da058b76257e71c707378721c4f
SHA256

80b9912b40dbbba68f9b83c2f18495149cc120a285ab7fae0a333e223412eb3f
SHA512

85a0bd29d8ed2f77d561b9c60565a11defe65885ef5783d77ea13b374bf3d5b0cf10fa996d623e526faf65e3b7ab2423ff3810638c18c32a9936b8a2d5a80164
SSDEEP

98304:6QI9wzKxmhMIIKfGTibiyCC9cK8yE2ICafZmwjsEejd:6IzKxmhhtbiyCicRfDUjd

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1281798080831684654/97q8rBV9oGoDnjnN72iLt4FY_BkQfULH9HMX-mbmcq4SFeqjHV9Up44HYqKZGhBj6eoL

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RealtekHDAudioManager.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	RealtekHDAudioManager.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org

flow	ioc
1	api.ipify.org
2	api.ipify.org

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

RealtekHDAudioManager.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2856	RealtekHDAudioManager.exe
Token: SeIncreaseQuotaPrivilege	1416	wmic.exe
Token: SeSecurityPrivilege	1416	wmic.exe
Token: SeTakeOwnershipPrivilege	1416	wmic.exe
Token: SeLoadDriverPrivilege	1416	wmic.exe
Token: SeSystemProfilePrivilege	1416	wmic.exe
Token: SeSystemtimePrivilege	1416	wmic.exe
Token: SeProfSingleProcessPrivilege	1416	wmic.exe
Token: SeIncBasePriorityPrivilege	1416	wmic.exe
Token: SeCreatePagefilePrivilege	1416	wmic.exe
Token: SeBackupPrivilege	1416	wmic.exe
Token: SeRestorePrivilege	1416	wmic.exe
Token: SeShutdownPrivilege	1416	wmic.exe
Token: SeDebugPrivilege	1416	wmic.exe
Token: SeSystemEnvironmentPrivilege	1416	wmic.exe
Token: SeRemoteShutdownPrivilege	1416	wmic.exe
Token: SeUndockPrivilege	1416	wmic.exe
Token: SeManageVolumePrivilege	1416	wmic.exe
Token: 33	1416	wmic.exe
Token: 34	1416	wmic.exe
Token: 35	1416	wmic.exe
Token: 36	1416	wmic.exe
Token: SeIncreaseQuotaPrivilege	1416	wmic.exe
Token: SeSecurityPrivilege	1416	wmic.exe
Token: SeTakeOwnershipPrivilege	1416	wmic.exe
Token: SeLoadDriverPrivilege	1416	wmic.exe
Token: SeSystemProfilePrivilege	1416	wmic.exe
Token: SeSystemtimePrivilege	1416	wmic.exe
Token: SeProfSingleProcessPrivilege	1416	wmic.exe
Token: SeIncBasePriorityPrivilege	1416	wmic.exe
Token: SeCreatePagefilePrivilege	1416	wmic.exe
Token: SeBackupPrivilege	1416	wmic.exe
Token: SeRestorePrivilege	1416	wmic.exe
Token: SeShutdownPrivilege	1416	wmic.exe
Token: SeDebugPrivilege	1416	wmic.exe
Token: SeSystemEnvironmentPrivilege	1416	wmic.exe
Token: SeRemoteShutdownPrivilege	1416	wmic.exe
Token: SeUndockPrivilege	1416	wmic.exe
Token: SeManageVolumePrivilege	1416	wmic.exe
Token: 33	1416	wmic.exe
Token: 34	1416	wmic.exe
Token: 35	1416	wmic.exe
Token: 36	1416	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

RealtekHDAudioManager.exe

description	pid	process	target process
PID 2856 wrote to memory of 1836	2856	RealtekHDAudioManager.exe	attrib.exe
PID 2856 wrote to memory of 1836	2856	RealtekHDAudioManager.exe	attrib.exe
PID 2856 wrote to memory of 532	2856	RealtekHDAudioManager.exe	attrib.exe
PID 2856 wrote to memory of 532	2856	RealtekHDAudioManager.exe	attrib.exe
PID 2856 wrote to memory of 1416	2856	RealtekHDAudioManager.exe	wmic.exe
PID 2856 wrote to memory of 1416	2856	RealtekHDAudioManager.exe	wmic.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1836 attrib.exe
532 attrib.exe

pid	process
1836	attrib.exe
532	attrib.exe

C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioManager.exe
"C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioManager.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\RealtekHDAudioManager.exe
  2⤵
  - Views/modifies file attributes
  PID:1836
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:532
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.9MB

MD5
66dcb8e404e39465f21e8c17c223cbce

SHA1
7e2f220191e06da058b76257e71c707378721c4f

SHA256
80b9912b40dbbba68f9b83c2f18495149cc120a285ab7fae0a333e223412eb3f

SHA512
85a0bd29d8ed2f77d561b9c60565a11defe65885ef5783d77ea13b374bf3d5b0cf10fa996d623e526faf65e3b7ab2423ff3810638c18c32a9936b8a2d5a80164

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads