skuld | 414180a9f9707cb3501546487051badead26b0d08d0143302c62f84b81a565f5

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Comet.exe
Size

8.6MB
MD5

1f5d19397b48172aba35885f39e318fa
SHA1

df77020bffc62f386b5ce0ad0cde3d8f8b704b93
SHA256

dd780875686be33910002f91aaeb8f8ec70a2f3972c41c707a59ef18cd900e74
SHA512

4ccec7c602582d467a63e8f6e8fc222e73bb88a589256fac0577452b6ffaaec58adf2b5e216f8a27404c4717a74f239ce73226385133764b75baa775b25de4a0
SSDEEP

196608:u9+8ZspGS5puzUZqVBU6NABaScfR3xeUDyzfS/FNgeLCtNP:u9+EEp5ZqPBOhcftAUDyzqNutNP

Score

10^/10

skuld stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1320235014511792160/59qb1BvUIDJlYJZoQnnxe4CNf8Swi8--Nwm7q4BECFectFCCJWiM-H8Ng2tA4-dl6Vyb

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Executes dropped EXE 20 IoCs

pid	Process
472	deltadll.exe
1264	Process not Found
2744	deltadll.exe
3036	deltadll.exe
1180	deltadll.exe
2296	deltadll.exe
852	deltadll.exe
848	deltadll.exe
2024	deltadll.exe
1620	deltadll.exe
2768	deltadll.exe
2592	deltadll.exe
620	deltadll.exe
1040	deltadll.exe
1948	deltadll.exe
2380	deltadll.exe
1156	deltadll.exe
1748	deltadll.exe
2680	deltadll.exe
2808	deltadll.exe

Loads dropped DLL 57 IoCs

pid	Process
2336	Comet.exe
2336	Comet.exe
3012	Process not Found
2984	Comet.exe
2984	Comet.exe
2804	Process not Found
2796	Comet.exe
2796	Comet.exe
2360	Process not Found
1304	Comet.exe
1304	Comet.exe
1728	Process not Found
2556	Comet.exe
2556	Comet.exe
2404	Process not Found
2368	Comet.exe
2368	Comet.exe
700	Process not Found
320	Comet.exe
320	Comet.exe
108	Process not Found
1556	Comet.exe
1556	Comet.exe
2660	Process not Found
932	Comet.exe
932	Comet.exe
2956	Process not Found
2260	Comet.exe
2260	Comet.exe
2780	Process not Found
3052	Comet.exe
3052	Comet.exe
2820	Process not Found
2940	Comet.exe
2940	Comet.exe
2448	Process not Found
3048	Comet.exe
3048	Comet.exe
2456	Process not Found
892	Comet.exe
892	Comet.exe
1532	Process not Found
2556	Comet.exe
2556	Comet.exe
2248	Process not Found
2368	Comet.exe
2368	Comet.exe
108	Process not Found
2716	Comet.exe
2716	Comet.exe
1176	Process not Found
1504	Comet.exe
1504	Comet.exe
2244	Process not Found
2620	Comet.exe
2620	Comet.exe
2912	Process not Found

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
21	ip-api.com
38	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	Comet.exe
Token: SeDebugPrivilege	2984	Comet.exe
Token: SeDebugPrivilege	2796	Comet.exe
Token: SeDebugPrivilege	1304	Comet.exe
Token: SeDebugPrivilege	2556	Comet.exe
Token: SeDebugPrivilege	2368	Comet.exe
Token: SeDebugPrivilege	320	Comet.exe
Token: SeDebugPrivilege	1556	Comet.exe
Token: SeDebugPrivilege	932	Comet.exe
Token: SeDebugPrivilege	2260	Comet.exe
Token: SeDebugPrivilege	3052	Comet.exe
Token: SeDebugPrivilege	2940	Comet.exe
Token: SeDebugPrivilege	3048	Comet.exe
Token: SeDebugPrivilege	892	Comet.exe
Token: SeDebugPrivilege	2556	Comet.exe
Token: SeDebugPrivilege	2368	Comet.exe
Token: SeDebugPrivilege	2716	Comet.exe
Token: SeDebugPrivilege	1504	Comet.exe
Token: SeDebugPrivilege	2620	Comet.exe
Token: SeDebugPrivilege	1528	Comet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2984	2336	Comet.exe	30
PID 2336 wrote to memory of 2984	2336	Comet.exe	30
PID 2336 wrote to memory of 2984	2336	Comet.exe	30
PID 2336 wrote to memory of 472	2336	Comet.exe	31
PID 2336 wrote to memory of 472	2336	Comet.exe	31
PID 2336 wrote to memory of 472	2336	Comet.exe	31
PID 2984 wrote to memory of 2796	2984	Comet.exe	33
PID 2984 wrote to memory of 2796	2984	Comet.exe	33
PID 2984 wrote to memory of 2796	2984	Comet.exe	33
PID 2984 wrote to memory of 2744	2984	Comet.exe	34
PID 2984 wrote to memory of 2744	2984	Comet.exe	34
PID 2984 wrote to memory of 2744	2984	Comet.exe	34
PID 2796 wrote to memory of 1304	2796	Comet.exe	36
PID 2796 wrote to memory of 1304	2796	Comet.exe	36
PID 2796 wrote to memory of 1304	2796	Comet.exe	36
PID 2796 wrote to memory of 3036	2796	Comet.exe	37
PID 2796 wrote to memory of 3036	2796	Comet.exe	37
PID 2796 wrote to memory of 3036	2796	Comet.exe	37
PID 1304 wrote to memory of 2556	1304	Comet.exe	39
PID 1304 wrote to memory of 2556	1304	Comet.exe	39
PID 1304 wrote to memory of 2556	1304	Comet.exe	39
PID 1304 wrote to memory of 1180	1304	Comet.exe	40
PID 1304 wrote to memory of 1180	1304	Comet.exe	40
PID 1304 wrote to memory of 1180	1304	Comet.exe	40
PID 2556 wrote to memory of 2368	2556	Comet.exe	42
PID 2556 wrote to memory of 2368	2556	Comet.exe	42
PID 2556 wrote to memory of 2368	2556	Comet.exe	42
PID 2556 wrote to memory of 2296	2556	Comet.exe	43
PID 2556 wrote to memory of 2296	2556	Comet.exe	43
PID 2556 wrote to memory of 2296	2556	Comet.exe	43
PID 2368 wrote to memory of 320	2368	Comet.exe	45
PID 2368 wrote to memory of 320	2368	Comet.exe	45
PID 2368 wrote to memory of 320	2368	Comet.exe	45
PID 2368 wrote to memory of 852	2368	Comet.exe	46
PID 2368 wrote to memory of 852	2368	Comet.exe	46
PID 2368 wrote to memory of 852	2368	Comet.exe	46
PID 320 wrote to memory of 1556	320	Comet.exe	48
PID 320 wrote to memory of 1556	320	Comet.exe	48
PID 320 wrote to memory of 1556	320	Comet.exe	48
PID 320 wrote to memory of 848	320	Comet.exe	49
PID 320 wrote to memory of 848	320	Comet.exe	49
PID 320 wrote to memory of 848	320	Comet.exe	49
PID 1556 wrote to memory of 932	1556	Comet.exe	51
PID 1556 wrote to memory of 932	1556	Comet.exe	51
PID 1556 wrote to memory of 932	1556	Comet.exe	51
PID 1556 wrote to memory of 2024	1556	Comet.exe	52
PID 1556 wrote to memory of 2024	1556	Comet.exe	52
PID 1556 wrote to memory of 2024	1556	Comet.exe	52
PID 932 wrote to memory of 2260	932	Comet.exe	54
PID 932 wrote to memory of 2260	932	Comet.exe	54
PID 932 wrote to memory of 2260	932	Comet.exe	54
PID 932 wrote to memory of 1620	932	Comet.exe	55
PID 932 wrote to memory of 1620	932	Comet.exe	55
PID 932 wrote to memory of 1620	932	Comet.exe	55
PID 2260 wrote to memory of 3052	2260	Comet.exe	57
PID 2260 wrote to memory of 3052	2260	Comet.exe	57
PID 2260 wrote to memory of 3052	2260	Comet.exe	57
PID 2260 wrote to memory of 2768	2260	Comet.exe	58
PID 2260 wrote to memory of 2768	2260	Comet.exe	58
PID 2260 wrote to memory of 2768	2260	Comet.exe	58
PID 3052 wrote to memory of 2940	3052	Comet.exe	60
PID 3052 wrote to memory of 2940	3052	Comet.exe	60
PID 3052 wrote to memory of 2940	3052	Comet.exe	60
PID 3052 wrote to memory of 2592	3052	Comet.exe	61

C:\Users\Admin\AppData\Local\Temp\Comet.exe
"C:\Users\Admin\AppData\Local\Temp\Comet.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\Comet.exe
  "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\Comet.exe
    "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\Comet.exe
      "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        7⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        8⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        9⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        10⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        11⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        12⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        13⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        14⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        15⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        16⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        17⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        18⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        19⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        20⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        19⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        18⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        17⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        16⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        15⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        14⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        13⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        12⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        11⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        10⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        9⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        8⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        7⤵
        Executes dropped EXE
        
        PID:852
      - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        6⤵
        Executes dropped EXE
        
        PID:2296
    - - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        5⤵
        Executes dropped EXE
        
        PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
      "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
      4⤵
      Executes dropped EXE
      PID:3036
- - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
    "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
    3⤵
    - Executes dropped EXE
    PID:2744
- C:\Users\Admin\AppData\Local\Temp\deltadll.exe
  "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
  2⤵
  - Executes dropped EXE
  PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\deltadll.exe

Filesize
14.8MB

MD5
19c446f51d203d1fb7eb23210709417b

SHA1
6e33b8d13d1539630615e581e5ab03de371c0dc6

SHA256
b67cae29bac60920b3edc02081da697c4c6486411c1bc77f29b68cb1f23e3ffc

SHA512
9d8601a0c2e090cd5fc6315c1671d669cd6a6bf20d3ef24cb1a111e344464913fe809c9b27d32608b93b988a37e59c90086ccf68545ce385ef58f96365a439df

Download Submit
memory/2336-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2336-1-0x000000013F1E0000-0x000000013FA8A000-memory.dmp

Filesize
8.7MB

Download
memory/2336-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-12-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2984-3-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2984-19-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download