Overview

overview

10

Static

static

10

LoPi.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    145s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    18-10-2024 04:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LoPi.exe

  • Size

    9.9MB

  • MD5

    1abd63f11821dd425441e659c890632b

  • SHA1

    e4772d6e84217f0c0ff15aa5580a13f3424d2ac0

  • SHA256

    5dc88f47dfefad9feb60493de86d4bbdd407b158f4b6c768759e726ce497754f

  • SHA512

    29eeab5c7c06b83f0557a375c3faf1fd868dfb2d89f2035728197a45bcb664e951fabfbb5191857beb576a8de3a009aef2f7a760d52305c14c754573e9d3b06e

  • SSDEEP

    98304:hzU4brhxBASgf/gEpiji6Ig8TWA7EIICafZm/mbnXg:hxrhxBAGZji6IdThoRTXg

Score
10/10
skuldpersistencestealer

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1296197362108338248/k492vQ1I3SDXcmvWcvsy2EcSUzrwhNmILrYhR3qSF8R7tkcE-C5GgZSxuS3IlNschBWg

Signatures

  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\LoPi.exe
    "C:\Users\Admin\AppData\Local\Temp\LoPi.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:500
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\LoPi.exe
      2⤵
      • Views/modifies file attributes
      PID:4936
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      2⤵
      • Views/modifies file attributes
      PID:4412
    • C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    Filesize

    9.9MB

    MD5

    1abd63f11821dd425441e659c890632b

    SHA1

    e4772d6e84217f0c0ff15aa5580a13f3424d2ac0

    SHA256

    5dc88f47dfefad9feb60493de86d4bbdd407b158f4b6c768759e726ce497754f

    SHA512

    29eeab5c7c06b83f0557a375c3faf1fd868dfb2d89f2035728197a45bcb664e951fabfbb5191857beb576a8de3a009aef2f7a760d52305c14c754573e9d3b06e

    Download Submit