610f0ac7f61d0e450281941a5476f6316fa14ddd6fd06210029905246b56b0ef

Analysis

max time kernel
147s
max time network
140s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15/12/2024, 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release.exe
Size

423KB
MD5

be4cbe10f071b583895eb48b532e837a
SHA1

cf7fe65594aa9d74a23b35cb608c01e6a7912014
SHA256

610f0ac7f61d0e450281941a5476f6316fa14ddd6fd06210029905246b56b0ef
SHA512

7fbe0c286bebc18db0e46f17757ce824b643856d2d647eef8e9ec1d66c5af145bfdbac4904c2f494d1d6e4480fd96aaa7de7c66bfd1083c2d3a841c08b42e47a
SSDEEP

6144:YeghbOV4Asvo/Z+wo6TmTIHnqgKIuTi5gTaWnLLDt1dbWAOaKapXFWbcF5U:YeKbOV4A3ho9IKNti5gT/wUzzWYU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2380	skuld.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	release.exe
2524	release.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	release.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2380	2524	release.exe	31
PID 2524 wrote to memory of 2380	2524	release.exe	31
PID 2524 wrote to memory of 2380	2524	release.exe	31
PID 2524 wrote to memory of 2380	2524	release.exe	31

C:\Users\Admin\AppData\Local\Temp\release.exe
"C:\Users\Admin\AppData\Local\Temp\release.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\skuld.exe
  "C:\Users\Admin\AppData\Local\Temp\skuld.exe"
  2⤵
  - Executes dropped EXE
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\skuld.exe

Filesize
9.5MB

MD5
be0fab815395a13d4d6190070028299f

SHA1
e56acd831f795128fd0ec0363435638a656a3236

SHA256
abbf573224595e5999b43e7dc97596255b7187d3619fea99e45d76b7caaf7a0e

SHA512
c4ae881530e465f94682f35918898928c08bf8ba34469015eeee3a5b15bbb0471dbf07663b215e5b4fb8ed9b337364ccc1d32b345b4fa14d07d391065699be4d

Download Submit