Overview

overview

10

Static

static

10

stash.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    22s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    09-11-2024 23:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    stash.exe

  • Size

    9.9MB

  • MD5

    40ad54e33822abdcd90635d7c67177b3

  • SHA1

    53b241134681528e5d03094d166d6d8b6f2af1a5

  • SHA256

    6e40a38ba66b802dc1a8aa811b0a090651f486cc937bf70809a48186a1e2742b

  • SHA512

    ff88038919a13fd12e0dea90234a38103a01af0b909618c25933e42a0f85b019b8ff3fdde357b2dc5dbd8b437bc273571f639dd2a7a82fe69b3b95c01d27c967

  • SSDEEP

    98304:eQ8s/OFn5xf/vu/JzTTSdObLjCoZ866ExDxgCZmBoH9S4XO:Z83nbf/vAZhLjCoq6nLQ4PX

Score
10/10
skuldpersistencestealer

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1304955469110055034/m1QTVUBhcZccEpwJaZfvBzrHfDfS7LV_UkVwHOOsYgkvP4PL1bwN71LIje8gpF5r_dPf

Signatures

  • Skuld family
    skuld
  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\stash.exe
    "C:\Users\Admin\AppData\Local\Temp\stash.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\stash.exe
      2⤵
      • Views/modifies file attributes
      PID:2368
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    Filesize

    7.8MB

    MD5

    73648696c0e6125fb9dbbe9dbac039ce

    SHA1

    298f6c23620e88a91f61a9852dd806a9c71b2542

    SHA256

    53339bfb551c891277282a64fddf67707966faa88e4cebd295521ea2fd4383b2

    SHA512

    a599439f244ba32a6a36f2e4a5db51f4de680360e55c27a48202d92eb83b4bc764916a24bf5a222e3e0df60d860d7ec0d1bd2ce5cb8d231191d043564a64c406

    Download Submit

  • memory/4508-2-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-1-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-0-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-12-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-11-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-10-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-9-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-8-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-7-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4508-6-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp

    Filesize

    4KB

    Download