Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2024 09:20
Static task: static1
Behavioral task: behavioral1 (sample: sigma.exe, resource: win7-20240903-en)
Behavioral task: behavioral2 (sample: sigma.exe, resource: win10v2004-20241007-en)
General
Target: sigma.exe
Size: 23.8MB
MD5: 7b3b8c7ad73e483139127a259eedb39b
SHA1: 8c8951d762a0cd2cdb6cc7ba3112d069fe95a4ec
SHA256: 8f9b5cb5362dcbc71f288d310a67b65957a18e83c660078f6d32056a6077c7ed
SHA512: a4d1f60e6bced99b36f5057748ea1515eeccc7d4b1e64930063748c280c8f392962b079ab321e53cf8a366f1dd48ec79f28149a312e6d577f3cc3119d24c4056
SSDEEP: 393216:V52BpDr3fdoc+5my5krGTONk+SBw7MSM5lMVFoga:b2Bp/7+0yBuk/BwJMzmFoga
Malware Config
Extracted family: skuld
Extracted webhook: https://discord.com/api/webhooks/1294219914600513648/1hMj8NibsG6kkmCebWQXD2dsOS3COgpf78DC2CqwIi8Ve2EgBTg8fRzgTY1uxq8ArsSQ
Signatures
Executes dropped EXE (1 IoC)
  Processes: sg.exe (PID 1132)
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: sg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: sigma.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: sg.exe (PID 1132)
  Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: sigma.exe, sg.exe
  PID 2416 (sigma.exe) wrote to memory of PID 1132 (sg.exe)
  PID 2416 (sigma.exe) wrote to memory of PID 1132 (sg.exe)
  PID 1132 (sg.exe) wrote to memory of PID 1816 (attrib.exe)
  PID 1132 (sg.exe) wrote to memory of PID 1816 (attrib.exe)
Views/modifies file attributes (1 TTP, 1 IoC)
Processes
C:\Users\Admin\AppData\Local\Temp\sigma.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sigma.exe"
  PID: 2416
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\sigma_9303f122-6bf5-4cc3-89f4-6e6f6d8619e5\sg.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sigma_9303f122-6bf5-4cc3-89f4-6e6f6d8619e5\sg.exe"
    PID: 1132
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\attrib.exe (level 3)
      Command line: attrib +h +s C:\Users\Admin\AppData\Local\Temp\sigma_9303f122-6bf5-4cc3-89f4-6e6f6d8619e5\sg.exe
      PID: 1816
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14.8MB
MD5: 2a90ba072e3b471bcde749b7cd016fa3
SHA1: 022469956011ddd8c84ab82f23bb4af9f3c2a5d9
SHA256: e6e38df3a9b32c592012748cd2a01f29faeb0aee3028571cb2abfa8d4f997102
SHA512: 5886639582079c80871883aac6aa562215cb7b77de4a7dcc64916b83d39b96c03c4d0bee8e56efd87b39106226749561fc03292fd98e3d875eaa5e5b7b248530