skuld | 7514379d03a14596ecf9e1a378d844d90314561d660e0c3947131e279fa27f73

General

Target

main.exe
Size

14.2MB
MD5

32555cfe5d6baeaf6a7fe7bb7fb65b2c
SHA1

d96b09517a45fdbcb852751dadbf6f8ba880c809
SHA256

7514379d03a14596ecf9e1a378d844d90314561d660e0c3947131e279fa27f73
SHA512

53ff705e8180255fed91da6d1e671b4cdd5d9bb837679748d54acb7da75a8419684d9795e69fa259b6b89e9f09678dde8d941de74e7d3034e43a593a11ad7f1e
SSDEEP

196608:JMhP4WgzpUmKAUIo4z3wVSIPLFFrL0AGtWT6U:JyP2Zo40HLvL7Gty

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1253745341237301298/0bupEAbWw7WhJJNHQZuklnmeXgWr4vsCHwsXRKwqRFI02WfhfcKZFllI_i5uOwkWj_II

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

main.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	main.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
1 api.ipify.org
2 api.ipify.org
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 7 Go-http-client/1.1

flow	ioc
5	ip-api.com
1	api.ipify.org
2	api.ipify.org

description	flow	ioc
HTTP User-Agent header	7	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

main.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	main.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	main.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	main.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

wmic.exe

pid process

2780 wmic.exe
2780 wmic.exe
2780 wmic.exe
2780 wmic.exe

pid	process
2780	wmic.exe
2780	wmic.exe
2780	wmic.exe
2780	wmic.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

main.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	3472	main.exe
Token: SeIncreaseQuotaPrivilege	2780	wmic.exe
Token: SeSecurityPrivilege	2780	wmic.exe
Token: SeTakeOwnershipPrivilege	2780	wmic.exe
Token: SeLoadDriverPrivilege	2780	wmic.exe
Token: SeSystemProfilePrivilege	2780	wmic.exe
Token: SeSystemtimePrivilege	2780	wmic.exe
Token: SeProfSingleProcessPrivilege	2780	wmic.exe
Token: SeIncBasePriorityPrivilege	2780	wmic.exe
Token: SeCreatePagefilePrivilege	2780	wmic.exe
Token: SeBackupPrivilege	2780	wmic.exe
Token: SeRestorePrivilege	2780	wmic.exe
Token: SeShutdownPrivilege	2780	wmic.exe
Token: SeDebugPrivilege	2780	wmic.exe
Token: SeSystemEnvironmentPrivilege	2780	wmic.exe
Token: SeRemoteShutdownPrivilege	2780	wmic.exe
Token: SeUndockPrivilege	2780	wmic.exe
Token: SeManageVolumePrivilege	2780	wmic.exe
Token: 33	2780	wmic.exe
Token: 34	2780	wmic.exe
Token: 35	2780	wmic.exe
Token: 36	2780	wmic.exe
Token: SeIncreaseQuotaPrivilege	2780	wmic.exe
Token: SeSecurityPrivilege	2780	wmic.exe
Token: SeTakeOwnershipPrivilege	2780	wmic.exe
Token: SeLoadDriverPrivilege	2780	wmic.exe
Token: SeSystemProfilePrivilege	2780	wmic.exe
Token: SeSystemtimePrivilege	2780	wmic.exe
Token: SeProfSingleProcessPrivilege	2780	wmic.exe
Token: SeIncBasePriorityPrivilege	2780	wmic.exe
Token: SeCreatePagefilePrivilege	2780	wmic.exe
Token: SeBackupPrivilege	2780	wmic.exe
Token: SeRestorePrivilege	2780	wmic.exe
Token: SeShutdownPrivilege	2780	wmic.exe
Token: SeDebugPrivilege	2780	wmic.exe
Token: SeSystemEnvironmentPrivilege	2780	wmic.exe
Token: SeRemoteShutdownPrivilege	2780	wmic.exe
Token: SeUndockPrivilege	2780	wmic.exe
Token: SeManageVolumePrivilege	2780	wmic.exe
Token: 33	2780	wmic.exe
Token: 34	2780	wmic.exe
Token: 35	2780	wmic.exe
Token: 36	2780	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

main.exe

description	pid	process	target process
PID 3472 wrote to memory of 3460	3472	main.exe	attrib.exe
PID 3472 wrote to memory of 3460	3472	main.exe	attrib.exe
PID 3472 wrote to memory of 4772	3472	main.exe	attrib.exe
PID 3472 wrote to memory of 4772	3472	main.exe	attrib.exe
PID 3472 wrote to memory of 2780	3472	main.exe	wmic.exe
PID 3472 wrote to memory of 2780	3472	main.exe	wmic.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3460 attrib.exe
4772 attrib.exe

pid	process
3460	attrib.exe
4772	attrib.exe

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\main.exe
  2⤵
  - Views/modifies file attributes
  PID:3460
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Views/modifies file attributes
  PID:4772
- C:\Windows\System32\Wbem\wmic.exe
  wmic csproduct get UUID
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
14.2MB

MD5
32555cfe5d6baeaf6a7fe7bb7fb65b2c

SHA1
d96b09517a45fdbcb852751dadbf6f8ba880c809

SHA256
7514379d03a14596ecf9e1a378d844d90314561d660e0c3947131e279fa27f73

SHA512
53ff705e8180255fed91da6d1e671b4cdd5d9bb837679748d54acb7da75a8419684d9795e69fa259b6b89e9f09678dde8d941de74e7d3034e43a593a11ad7f1e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads