Malware Analysis Report

2024-12-07 20:19

Sample ID 241119-j25d6ssckf
Target 80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2.exe
SHA256 80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2
Tags
persistence skuld
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2

Threat Level: Known bad

The file 80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2.exe was found to be: Known bad.

Malicious Activity Summary

persistence skuld

Skuld family

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 08:10

Signatures

Skuld family

skuld

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 08:10

Reported

2024-11-19 08:12

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe" C:\Users\Admin\AppData\Local\Temp\80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2.exe

"C:\Users\Admin\AppData\Local\Temp\80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2.exe"

C:\Windows\system32\attrib.exe

attrib +h +s C:\Users\Admin\AppData\Local\Temp\80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 08:10

Reported

2024-11-19 08:12

Platform

win7-20240729-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2.exe

"C:\Users\Admin\AppData\Local\Temp\80bf09a25f2f811a45913cd27eabddedfec841929d508737f19994acd05b3db2.exe"

Network

N/A

Files

N/A