skuld | f31b0285f3bccd657e9b591732186a807584901d2ab8924897fa679ed1b39a1b

General

Target

EzFN-Manager.exe
Size

3.8MB
MD5

2edfa42f0313ebe2b05d0d3961deaf3b
SHA1

82ba26770f8a59297e668a6ca95b4049c82b67e3
SHA256

f31b0285f3bccd657e9b591732186a807584901d2ab8924897fa679ed1b39a1b
SHA512

4bfe9e9766677aaf6e630ec8e653f9d61a75677e34b15661f3f04889b5c1397d9e06fb2e81bf7cda1e46fd00139528a4412278b6882ffcf78278ab0a69714378
SSDEEP

49152:GQyw/FgZl3Vslwr1ymub72iQkxDonnrxxxqNWN/l4itPBFGsDJjr6uas4:yw/K33VslU8zQkxkrhNzXZDFFZ4

Score

10^/10

skuld xworm discovery execution persistence rat stealer trojan upx

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1309150098055495793/k9e9xgOw-6_C2plzzrJuXKnk0n6rjOfFwyNN15kYdvJC528Av5hMa6QHDC_kqeEBzjsS

Extracted

Family

xworm

Version

5.0

C2

ezfn57.serveo.net:4782

Mutex

s6QNsQsMG6xRRrJT

Attributes

Install_directory
%ProgramData%
install_file
WinRar.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4644-27-0x0000000000400000-0x0000000000438000-memory.dmp	family_xworm

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2212	powershell.exe
3676	powershell.exe
1964	powershell.exe
1512	powershell.exe

Executes dropped EXE 3 IoCs

Processes:

WinRAR.exeMicrosoft Teams.exeWinRAR.exe

pid	Process
1936	WinRAR.exe
4932	Microsoft Teams.exe
4644	WinRAR.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Microsoft Teams.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	Microsoft Teams.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

WinRAR.exe

description	pid	Process	procid_target
PID 1936 set thread context of 4644	1936	WinRAR.exe	82

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x001c00000002aae3-18.dat	upx
behavioral1/memory/4932-23-0x00000000006C0000-0x0000000001125000-memory.dmp	upx
behavioral1/memory/4932-25-0x00000000006C0000-0x0000000001125000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.exeWinRAR.exeWinRAR.exepowershell.exepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRAR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinRAR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
4048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1964	powershell.exe
1964	powershell.exe
1512	powershell.exe
1512	powershell.exe
2212	powershell.exe
2212	powershell.exe
3676	powershell.exe
3676	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

WinRAR.exeMicrosoft Teams.exeWinRAR.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1936	WinRAR.exe
Token: SeDebugPrivilege	4932	Microsoft Teams.exe
Token: SeDebugPrivilege	4644	WinRAR.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

EzFN-Manager.exeMicrosoft Teams.exeWinRAR.exeWinRAR.exe

description	pid	Process	procid_target
PID 2644 wrote to memory of 1936	2644	EzFN-Manager.exe	78
PID 2644 wrote to memory of 1936	2644	EzFN-Manager.exe	78
PID 2644 wrote to memory of 1936	2644	EzFN-Manager.exe	78
PID 2644 wrote to memory of 4932	2644	EzFN-Manager.exe	79
PID 2644 wrote to memory of 4932	2644	EzFN-Manager.exe	79
PID 4932 wrote to memory of 4112	4932	Microsoft Teams.exe	81
PID 4932 wrote to memory of 4112	4932	Microsoft Teams.exe	81
PID 1936 wrote to memory of 4644	1936	WinRAR.exe	82
PID 1936 wrote to memory of 4644	1936	WinRAR.exe	82
PID 1936 wrote to memory of 4644	1936	WinRAR.exe	82
PID 1936 wrote to memory of 4644	1936	WinRAR.exe	82
PID 1936 wrote to memory of 4644	1936	WinRAR.exe	82
PID 1936 wrote to memory of 4644	1936	WinRAR.exe	82
PID 1936 wrote to memory of 4644	1936	WinRAR.exe	82
PID 1936 wrote to memory of 4644	1936	WinRAR.exe	82
PID 4644 wrote to memory of 1964	4644	WinRAR.exe	84
PID 4644 wrote to memory of 1964	4644	WinRAR.exe	84
PID 4644 wrote to memory of 1964	4644	WinRAR.exe	84
PID 4644 wrote to memory of 1512	4644	WinRAR.exe	86
PID 4644 wrote to memory of 1512	4644	WinRAR.exe	86
PID 4644 wrote to memory of 1512	4644	WinRAR.exe	86
PID 4644 wrote to memory of 2212	4644	WinRAR.exe	88
PID 4644 wrote to memory of 2212	4644	WinRAR.exe	88
PID 4644 wrote to memory of 2212	4644	WinRAR.exe	88
PID 4644 wrote to memory of 3676	4644	WinRAR.exe	90
PID 4644 wrote to memory of 3676	4644	WinRAR.exe	90
PID 4644 wrote to memory of 3676	4644	WinRAR.exe	90

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
4112	attrib.exe

C:\Users\Admin\AppData\Local\Temp\EzFN-Manager.exe
"C:\Users\Admin\AppData\Local\Temp\EzFN-Manager.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Roaming\WinRAR.exe
  "C:\Users\Admin\AppData\Roaming\WinRAR.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Roaming\WinRAR.exe
    "C:\Users\Admin\AppData\Roaming\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRAR.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinRAR.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1512
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinRar.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2212
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinRar.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3676
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinRar" /tr "C:\ProgramData\WinRar.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4048
- C:\Users\Admin\AppData\Roaming\Microsoft Teams.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft Teams.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft Teams.exe"
    3⤵
    - Views/modifies file attributes
    PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WinRAR.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6f6dc3fa4808e9c112d05660a8456360

SHA1
46a4f8afbe84c1b042b6d7e9adbe2166ba698394

SHA256
e193d18b54e71f04367ff1d316ebd79bd82628b5bfa317d19b9bd018a672e2d4

SHA512
c47d343b04f94f06bd63c3883752007b9340bede137a70a6ef28bb658be65eeb1c4584d4c63908e1de6ecbeff5a453345ca3d4bf96d872400dbf955ffe908139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ca9b5678bffddb260323b961b9f0f87d

SHA1
22e55aacbe89d17f0a9dc1e8763ebde232d1103c

SHA256
1eced0cac9642799b6c36b808aa10ba4c9782a956e54d8e61ffc399d7dfa1308

SHA512
6db3ab461b85f0211204b882309de8a5187ee56b4b22edf17932e7009ea84f10d330da5e3ec4f0a9d41e6e07a7281f6a2ae33277d26c6c2583bfbfc81f7dedfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6a966c05e65aa13261fedb9f04f665d5

SHA1
71419ac9533f78b2143e5b74ab0d9db2b62aab3b

SHA256
bae927decf31c292c41a75dcec77b94a37d928c9bcd7c17aa582583a8e915229

SHA512
1a92eaccdf0bb0621b1a2cca4d8547d993092cb9ca771a72587bf51efac0981cdaaa85000c600fff1b647add2ec92097ff1a43216a331f24387437efdf135088

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_30ketony.yut.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft Teams.exe

Filesize
3.3MB

MD5
ffa33049612a638a2f40c2a89722a6f4

SHA1
a453ea7f4c26dbe56d547988d8afe5fbf642e7df

SHA256
589e6cc7481b257d46466116096f4df95a41daaca908a661a528dd3b658e4ea2

SHA512
e7f05a846dd9cdf20f1330569974b4b2f677f34e74b32964836c6c38b6902c25109dea3259b64543a525a4af49bfb9011ad58365d6c597bc78f99f84aa79c927

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR.exe

Filesize
379KB

MD5
49129093416a454d99955d5ac0eea133

SHA1
587263d5c272c0a351aa5d2d5818e1c317c5f712

SHA256
fd1aa71f521f8d6bccda3129f55960d844e5b7dd2374476cc6693df4d1d7ebf7

SHA512
1958d9c48e1900d2854134c7df9772d3fca7af8020b22916d94931b814a0ca4f9b2e9a92cdefa1c5ff5338d72d122ee6485b649ef6db2268cccc105a42e9ff70

Download Submit
memory/1512-81-0x000000006F900000-0x000000006F94C000-memory.dmp

Filesize
304KB

Download
memory/1936-14-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/1936-22-0x0000000000D70000-0x0000000000DD4000-memory.dmp

Filesize
400KB

Download
memory/1936-26-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/1964-47-0x0000000006230000-0x000000000627C000-memory.dmp

Filesize
304KB

Download
memory/1964-58-0x00000000073E0000-0x00000000073FE000-memory.dmp

Filesize
120KB

Download
memory/1964-34-0x0000000005580000-0x0000000005BAA000-memory.dmp

Filesize
6.2MB

Download
memory/1964-35-0x0000000005470000-0x0000000005492000-memory.dmp

Filesize
136KB

Download
memory/1964-36-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/1964-68-0x0000000007880000-0x0000000007888000-memory.dmp

Filesize
32KB

Download
memory/1964-45-0x0000000005D70000-0x00000000060C7000-memory.dmp

Filesize
3.3MB

Download
memory/1964-46-0x00000000061F0000-0x000000000620E000-memory.dmp

Filesize
120KB

Download
memory/1964-33-0x00000000029E0000-0x0000000002A16000-memory.dmp

Filesize
216KB

Download
memory/1964-48-0x00000000067D0000-0x0000000006804000-memory.dmp

Filesize
208KB

Download
memory/1964-49-0x000000006F900000-0x000000006F94C000-memory.dmp

Filesize
304KB

Download
memory/1964-67-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/1964-59-0x0000000007410000-0x00000000074B4000-memory.dmp

Filesize
656KB

Download
memory/1964-60-0x0000000007B90000-0x000000000820A000-memory.dmp

Filesize
6.5MB

Download
memory/1964-61-0x0000000007540000-0x000000000755A000-memory.dmp

Filesize
104KB

Download
memory/1964-62-0x00000000075B0000-0x00000000075BA000-memory.dmp

Filesize
40KB

Download
memory/1964-63-0x00000000077E0000-0x0000000007876000-memory.dmp

Filesize
600KB

Download
memory/1964-64-0x0000000007750000-0x0000000007761000-memory.dmp

Filesize
68KB

Download
memory/1964-65-0x0000000007780000-0x000000000778E000-memory.dmp

Filesize
56KB

Download
memory/1964-66-0x0000000007790000-0x00000000077A5000-memory.dmp

Filesize
84KB

Download
memory/2212-99-0x0000000006390000-0x00000000066E7000-memory.dmp

Filesize
3.3MB

Download
memory/2212-101-0x000000006F900000-0x000000006F94C000-memory.dmp

Filesize
304KB

Download
memory/2644-0-0x00007FF9D6B73000-0x00007FF9D6B75000-memory.dmp

Filesize
8KB

Download
memory/2644-1-0x00000000003E0000-0x00000000007B6000-memory.dmp

Filesize
3.8MB

Download
memory/3676-116-0x0000000005EF0000-0x0000000006247000-memory.dmp

Filesize
3.3MB

Download
memory/3676-121-0x000000006F900000-0x000000006F94C000-memory.dmp

Filesize
304KB

Download
memory/4644-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4644-31-0x0000000005490000-0x000000000552C000-memory.dmp

Filesize
624KB

Download
memory/4644-32-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/4932-25-0x00000000006C0000-0x0000000001125000-memory.dmp

Filesize
10.4MB

Download
memory/4932-23-0x00000000006C0000-0x0000000001125000-memory.dmp

Filesize
10.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads