Analysis Overview
SHA256
6e40a38ba66b802dc1a8aa811b0a090651f486cc937bf70809a48186a1e2742b
Threat Level: Known bad
The file stash.exe was found to be: Known bad.
Malicious Activity Summary
Skuld family
Skuld stealer
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:54
Signatures
Skuld family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:54
Reported
2024-11-09 23:55
Platform
win10ltsc2021-20241023-en
Max time kernel
30s
Max time network
22s
Command Line
Signatures
Skuld family
Skuld stealer
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe" | C:\Users\Admin\AppData\Local\Temp\stash.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe (11 identical events) | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\stash.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege; the sandbox did not resolve the name) | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1412 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\stash.exe | C:\Windows\system32\attrib.exe |
| PID 1412 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\stash.exe | C:\Windows\system32\attrib.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\stash.exe
"C:\Users\Admin\AppData\Local\Temp\stash.exe"
C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Local\Temp\stash.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
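The two host-side indicators above that survive a sandbox run are the Run key pointing into %APPDATA%\Microsoft\Protect (a DPAPI key-store directory that normally holds no executables, here used to park a copy named after the legitimate System32 binary SecurityHealthSystray.exe) and the `attrib +h +s` call that hides the original dropper in Temp. The following is an added hunting example, not code from the sandbox vendor or from the report: it runs three rules over constructed Sysmon-style events shaped like the report's registry-set and process-creation entries. The event dictionaries, rule names, the `SYSTEM32_ONLY` name list and the `USER_WRITABLE` path pattern are assumptions made for this example.

```python
"""Hunt for the persistence-and-hide chain seen in the stash.exe report.

Added example; the events below are constructed to mirror the report's
indicators and are not real telemetry.
"""
import re
import shlex
from dataclasses import dataclass

# Paths a standard user can write to (assumption: good enough for hunting).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)
# Real Windows binaries that only belong under %SystemRoot%\System32 (assumed list).
SYSTEM32_ONLY = {"securityhealthsystray.exe", "taskmgr.exe", "attrib.exe"}


@dataclass
class Finding:
    rule: str
    process: str   # process that caused the behaviour (parent for attrib.exe)
    detail: str


def unquote_path(data: str) -> str:
    """Run-key data may be quoted and may carry arguments; return just the executable path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data


def check_run_key(event: dict) -> list:
    """Flag Run/RunOnce values that start a binary from a user-writable path or that
    borrow the name of a System32-only binary while living elsewhere."""
    findings = []
    if event.get("type") != "registry_set" or not RUN_KEY.search(event["key"]):
        return findings
    target = unquote_path(event["value"])
    if USER_WRITABLE.match(target):
        findings.append(Finding("run_key_user_writable", event["process"], f"{event['key']} -> {target}"))
    name = target.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM32_ONLY and not target.lower().startswith("c:\\windows\\system32\\"):
        findings.append(Finding("run_key_masquerade", event["process"], target))
    return findings


def check_attrib(event: dict) -> list:
    """Flag attrib.exe setting +h or +s on a file in a user-writable directory."""
    if event.get("type") != "process_create":
        return []
    argv = [a.strip('"') for a in shlex.split(event["command_line"], posix=False)]
    if not argv or argv[0].rsplit("\\", 1)[-1].lower() not in ("attrib", "attrib.exe"):
        return []
    flags = {a.lower() for a in argv[1:] if a.startswith("+")}
    if not ({"+h", "+s"} & flags):
        return []
    targets = [a for a in argv[1:] if not a.startswith(("+", "-", "/"))]
    return [Finding("attrib_hide_user_writable", event["parent"], t)
            for t in targets if USER_WRITABLE.match(t)]


def hunt(events: list) -> list:
    """Run both rules, then correlate: one process that both added a Run key and hid a
    file in a user-writable location is the Skuld-like chain from the report."""
    findings = []
    for ev in events:
        findings += check_run_key(ev)
        findings += check_attrib(ev)
    persisted = {f.process for f in findings if f.rule.startswith("run_key")}
    hid = {f.process for f in findings if f.rule.startswith("attrib")}
    for actor in sorted(persisted & hid):
        findings.append(Finding("persist_and_hide_chain", actor, "same process set a Run key and hid a payload"))
    return findings


# Constructed sample events (assumed shape: type, process, key/value or parent/command_line).
SID = "S-1-5-21-1263212995-3575756360-1418101905-1000"
RUN = "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLE_EVENTS = [
    {"type": "registry_set", "process": r"C:\Users\Admin\AppData\Local\Temp\stash.exe",
     "key": RUN + "Realtek HD Audio Universal Service",
     "value": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"'},
    {"type": "process_create", "process": r"C:\Windows\system32\attrib.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\stash.exe",
     "command_line": r"attrib +h +s C:\Users\Admin\AppData\Local\Temp\stash.exe"},
    # Benign controls: an installed product's autostart with arguments, and a read-only flag.
    {"type": "registry_set", "process": r"C:\Program Files\Foo\Foo.exe",
     "key": RUN + "Foo", "value": r'"C:\Program Files\Foo\Foo.exe" /background'},
    {"type": "process_create", "process": r"C:\Windows\system32\attrib.exe",
     "parent": r"C:\Program Files\Foo\Foo.exe",
     "command_line": r'attrib +r "C:\Program Files\Foo\config.ini"'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.process}  {f.detail}")
```

Autostart entries under AppData are common for legitimate per-user installers (OneDrive, Teams and similar), so the `run_key_user_writable` rule needs an allowlist in production; the masquerade rule and the correlation with `attrib +h +s` from the same parent are the low-noise signals here.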
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.140.244.186:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
Files
memory/4508-2-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp
memory/4508-1-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp
memory/4508-0-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp
memory/4508-12-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp
memory/4508-11-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp
memory/4508-10-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp
memory/4508-9-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp
memory/4508-8-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp
memory/4508-7-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp
memory/4508-6-0x000001D24B3A0000-0x000001D24B3A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
| MD5 | 73648696c0e6125fb9dbbe9dbac039ce |
| SHA1 | 298f6c23620e88a91f61a9852dd806a9c71b2542 |
| SHA256 | 53339bfb551c891277282a64fddf67707966faa88e4cebd295521ea2fd4383b2 |
| SHA512 | a599439f244ba32a6a36f2e4a5db51f4de680360e55c27a48202d92eb83b4bc764916a24bf5a222e3e0df60d860d7ec0d1bd2ce5cb8d231191d043564a64c406 |