skuld | 80b9912b40dbbba68f9b83c2f18495149cc120a285ab7fae0a333e223412eb3f

General

Target

SecurityHealthSystray.exe
Size

9.9MB
MD5

66dcb8e404e39465f21e8c17c223cbce
SHA1

7e2f220191e06da058b76257e71c707378721c4f
SHA256

80b9912b40dbbba68f9b83c2f18495149cc120a285ab7fae0a333e223412eb3f
SHA512

85a0bd29d8ed2f77d561b9c60565a11defe65885ef5783d77ea13b374bf3d5b0cf10fa996d623e526faf65e3b7ab2423ff3810638c18c32a9936b8a2d5a80164
SSDEEP

98304:6QI9wzKxmhMIIKfGTibiyCC9cK8yE2ICafZmwjsEejd:6IzKxmhhtbiyCicRfDUjd

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1281798080831684654/97q8rBV9oGoDnjnN72iLt4FY_BkQfULH9HMX-mbmcq4SFeqjHV9Up44HYqKZGhBj6eoL

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SecurityHealthSystray.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	SecurityHealthSystray.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org

flow	ioc
1	api.ipify.org
2	api.ipify.org

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

SecurityHealthSystray.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	3764	SecurityHealthSystray.exe
Token: SeIncreaseQuotaPrivilege	1796	wmic.exe
Token: SeSecurityPrivilege	1796	wmic.exe
Token: SeTakeOwnershipPrivilege	1796	wmic.exe
Token: SeLoadDriverPrivilege	1796	wmic.exe
Token: SeSystemProfilePrivilege	1796	wmic.exe
Token: SeSystemtimePrivilege	1796	wmic.exe
Token: SeProfSingleProcessPrivilege	1796	wmic.exe
Token: SeIncBasePriorityPrivilege	1796	wmic.exe
Token: SeCreatePagefilePrivilege	1796	wmic.exe
Token: SeBackupPrivilege	1796	wmic.exe
Token: SeRestorePrivilege	1796	wmic.exe
Token: SeShutdownPrivilege	1796	wmic.exe
Token: SeDebugPrivilege	1796	wmic.exe
Token: SeSystemEnvironmentPrivilege	1796	wmic.exe
Token: SeRemoteShutdownPrivilege	1796	wmic.exe
Token: SeUndockPrivilege	1796	wmic.exe
Token: SeManageVolumePrivilege	1796	wmic.exe
Token: 33	1796	wmic.exe
Token: 34	1796	wmic.exe
Token: 35	1796	wmic.exe
Token: 36	1796	wmic.exe
Token: SeIncreaseQuotaPrivilege	1796	wmic.exe
Token: SeSecurityPrivilege	1796	wmic.exe
Token: SeTakeOwnershipPrivilege	1796	wmic.exe
Token: SeLoadDriverPrivilege	1796	wmic.exe
Token: SeSystemProfilePrivilege	1796	wmic.exe
Token: SeSystemtimePrivilege	1796	wmic.exe
Token: SeProfSingleProcessPrivilege	1796	wmic.exe
Token: SeIncBasePriorityPrivilege	1796	wmic.exe
Token: SeCreatePagefilePrivilege	1796	wmic.exe
Token: SeBackupPrivilege	1796	wmic.exe
Token: SeRestorePrivilege	1796	wmic.exe
Token: SeShutdownPrivilege	1796	wmic.exe
Token: SeDebugPrivilege	1796	wmic.exe
Token: SeSystemEnvironmentPrivilege	1796	wmic.exe
Token: SeRemoteShutdownPrivilege	1796	wmic.exe
Token: SeUndockPrivilege	1796	wmic.exe
Token: SeManageVolumePrivilege	1796	wmic.exe
Token: 33	1796	wmic.exe
Token: 34	1796	wmic.exe
Token: 35	1796	wmic.exe
Token: 36	1796	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SecurityHealthSystray.exe

description	pid	process	target process
PID 3764 wrote to memory of 4436	3764	SecurityHealthSystray.exe	attrib.exe
PID 3764 wrote to memory of 4436	3764	SecurityHealthSystray.exe	attrib.exe
PID 3764 wrote to memory of 1852	3764	SecurityHealthSystray.exe	attrib.exe
PID 3764 wrote to memory of 1852	3764	SecurityHealthSystray.exe	attrib.exe
PID 3764 wrote to memory of 1796	3764	SecurityHealthSystray.exe	wmic.exe
PID 3764 wrote to memory of 1796	3764	SecurityHealthSystray.exe	wmic.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4436 attrib.exe
1852 attrib.exe

pid	process
4436	attrib.exe
1852	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4436
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:1852
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
9.9MB

MD5
66dcb8e404e39465f21e8c17c223cbce

SHA1
7e2f220191e06da058b76257e71c707378721c4f

SHA256
80b9912b40dbbba68f9b83c2f18495149cc120a285ab7fae0a333e223412eb3f

SHA512
85a0bd29d8ed2f77d561b9c60565a11defe65885ef5783d77ea13b374bf3d5b0cf10fa996d623e526faf65e3b7ab2423ff3810638c18c32a9936b8a2d5a80164

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads