skuld | 414180a9f9707cb3501546487051badead26b0d08d0143302c62f84b81a565f5

Resubmissions

26-12-2024 10:52

241226-myqcmatlhx 10

26-12-2024 10:39

241226-mp9pxatjfz 10

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Comet.exe
Size

8.6MB
MD5

1f5d19397b48172aba35885f39e318fa
SHA1

df77020bffc62f386b5ce0ad0cde3d8f8b704b93
SHA256

dd780875686be33910002f91aaeb8f8ec70a2f3972c41c707a59ef18cd900e74
SHA512

4ccec7c602582d467a63e8f6e8fc222e73bb88a589256fac0577452b6ffaaec58adf2b5e216f8a27404c4717a74f239ce73226385133764b75baa775b25de4a0
SSDEEP

196608:u9+8ZspGS5puzUZqVBU6NABaScfR3xeUDyzfS/FNgeLCtNP:u9+EEp5ZqPBOhcftAUDyzqNutNP

Score

10^/10

skuld stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1320235014511792160/59qb1BvUIDJlYJZoQnnxe4CNf8Swi8--Nwm7q4BECFectFCCJWiM-H8Ng2tA4-dl6Vyb

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Executes dropped EXE 26 IoCs

pid	Process
2696	deltadll.exe
2972	deltadll.exe
2880	deltadll.exe
1516	deltadll.exe
348	deltadll.exe
572	deltadll.exe
2264	deltadll.exe
1776	deltadll.exe
2364	deltadll.exe
2052	deltadll.exe
1204	Process not Found
1772	deltadll.exe
2184	deltadll.exe
2476	deltadll.exe
2996	deltadll.exe
2660	deltadll.exe
2540	deltadll.exe
1376	deltadll.exe
2132	deltadll.exe
884	deltadll.exe
1604	deltadll.exe
2168	deltadll.exe
2392	deltadll.exe
2728	deltadll.exe
2664	deltadll.exe
924	deltadll.exe

Loads dropped DLL 64 IoCs

pid	Process
620	Comet.exe
620	Comet.exe
2860	Process not Found
2248	Comet.exe
2248	Comet.exe
2764	Process not Found
2796	Comet.exe
2796	Comet.exe
1640	Process not Found
2204	Comet.exe
2204	Comet.exe
1724	Process not Found
2912	Comet.exe
2912	Comet.exe
1160	Process not Found
1648	Comet.exe
1648	Comet.exe
1484	Process not Found
2144	Comet.exe
2144	Comet.exe
1924	Process not Found
1052	Comet.exe
1052	Comet.exe
1656	Process not Found
828	Comet.exe
828	Comet.exe
2336	Process not Found
832	Comet.exe
832	Comet.exe
1600	Process not Found
1972	Comet.exe
1972	Comet.exe
2780	Process not Found
2804	Comet.exe
2804	Comet.exe
2600	Process not Found
2892	Comet.exe
2892	Comet.exe
2864	Process not Found
2588	Comet.exe
2588	Comet.exe
1556	Process not Found
2204	Comet.exe
2204	Comet.exe
2628	Process not Found
1904	Comet.exe
1904	Comet.exe
2072	Process not Found
2228	Comet.exe
2228	Comet.exe
2416	Process not Found
992	Comet.exe
992	Comet.exe
840	Process not Found
1676	Comet.exe
1676	Comet.exe
1284	Process not Found
2444	Comet.exe
2444	Comet.exe
372	Process not Found
3068	Comet.exe
3068	Comet.exe
2088	Process not Found
2492	Comet.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
27	ip-api.com
50	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	Comet.exe
Token: SeDebugPrivilege	2248	Comet.exe
Token: SeDebugPrivilege	2796	Comet.exe
Token: SeDebugPrivilege	2204	Comet.exe
Token: SeDebugPrivilege	2912	Comet.exe
Token: SeDebugPrivilege	1648	Comet.exe
Token: SeDebugPrivilege	2144	Comet.exe
Token: SeDebugPrivilege	1052	Comet.exe
Token: SeDebugPrivilege	828	Comet.exe
Token: SeDebugPrivilege	832	Comet.exe
Token: SeDebugPrivilege	1972	Comet.exe
Token: SeDebugPrivilege	2804	Comet.exe
Token: SeDebugPrivilege	2892	Comet.exe
Token: SeDebugPrivilege	2588	Comet.exe
Token: SeDebugPrivilege	2204	Comet.exe
Token: SeDebugPrivilege	1904	Comet.exe
Token: SeDebugPrivilege	2228	Comet.exe
Token: SeDebugPrivilege	992	Comet.exe
Token: SeDebugPrivilege	1676	Comet.exe
Token: SeDebugPrivilege	2444	Comet.exe
Token: SeDebugPrivilege	3068	Comet.exe
Token: SeDebugPrivilege	2492	Comet.exe
Token: SeDebugPrivilege	2060	Comet.exe
Token: SeDebugPrivilege	1328	Comet.exe
Token: SeDebugPrivilege	2568	Comet.exe
Token: SeDebugPrivilege	484	Comet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 2248	620	Comet.exe	31
PID 620 wrote to memory of 2248	620	Comet.exe	31
PID 620 wrote to memory of 2248	620	Comet.exe	31
PID 620 wrote to memory of 2696	620	Comet.exe	32
PID 620 wrote to memory of 2696	620	Comet.exe	32
PID 620 wrote to memory of 2696	620	Comet.exe	32
PID 2248 wrote to memory of 2796	2248	Comet.exe	34
PID 2248 wrote to memory of 2796	2248	Comet.exe	34
PID 2248 wrote to memory of 2796	2248	Comet.exe	34
PID 2248 wrote to memory of 2972	2248	Comet.exe	35
PID 2248 wrote to memory of 2972	2248	Comet.exe	35
PID 2248 wrote to memory of 2972	2248	Comet.exe	35
PID 2796 wrote to memory of 2204	2796	Comet.exe	38
PID 2796 wrote to memory of 2204	2796	Comet.exe	38
PID 2796 wrote to memory of 2204	2796	Comet.exe	38
PID 2796 wrote to memory of 2880	2796	Comet.exe	39
PID 2796 wrote to memory of 2880	2796	Comet.exe	39
PID 2796 wrote to memory of 2880	2796	Comet.exe	39
PID 2204 wrote to memory of 2912	2204	Comet.exe	41
PID 2204 wrote to memory of 2912	2204	Comet.exe	41
PID 2204 wrote to memory of 2912	2204	Comet.exe	41
PID 2204 wrote to memory of 1516	2204	Comet.exe	42
PID 2204 wrote to memory of 1516	2204	Comet.exe	42
PID 2204 wrote to memory of 1516	2204	Comet.exe	42
PID 2912 wrote to memory of 1648	2912	Comet.exe	44
PID 2912 wrote to memory of 1648	2912	Comet.exe	44
PID 2912 wrote to memory of 1648	2912	Comet.exe	44
PID 2912 wrote to memory of 348	2912	Comet.exe	45
PID 2912 wrote to memory of 348	2912	Comet.exe	45
PID 2912 wrote to memory of 348	2912	Comet.exe	45
PID 1648 wrote to memory of 2144	1648	Comet.exe	47
PID 1648 wrote to memory of 2144	1648	Comet.exe	47
PID 1648 wrote to memory of 2144	1648	Comet.exe	47
PID 1648 wrote to memory of 572	1648	Comet.exe	48
PID 1648 wrote to memory of 572	1648	Comet.exe	48
PID 1648 wrote to memory of 572	1648	Comet.exe	48
PID 2144 wrote to memory of 1052	2144	Comet.exe	50
PID 2144 wrote to memory of 1052	2144	Comet.exe	50
PID 2144 wrote to memory of 1052	2144	Comet.exe	50
PID 2144 wrote to memory of 2264	2144	Comet.exe	51
PID 2144 wrote to memory of 2264	2144	Comet.exe	51
PID 2144 wrote to memory of 2264	2144	Comet.exe	51
PID 1052 wrote to memory of 828	1052	Comet.exe	53
PID 1052 wrote to memory of 828	1052	Comet.exe	53
PID 1052 wrote to memory of 828	1052	Comet.exe	53
PID 1052 wrote to memory of 1776	1052	Comet.exe	54
PID 1052 wrote to memory of 1776	1052	Comet.exe	54
PID 1052 wrote to memory of 1776	1052	Comet.exe	54
PID 828 wrote to memory of 832	828	Comet.exe	56
PID 828 wrote to memory of 832	828	Comet.exe	56
PID 828 wrote to memory of 832	828	Comet.exe	56
PID 828 wrote to memory of 2364	828	Comet.exe	57
PID 828 wrote to memory of 2364	828	Comet.exe	57
PID 828 wrote to memory of 2364	828	Comet.exe	57
PID 832 wrote to memory of 1972	832	Comet.exe	59
PID 832 wrote to memory of 1972	832	Comet.exe	59
PID 832 wrote to memory of 1972	832	Comet.exe	59
PID 832 wrote to memory of 2052	832	Comet.exe	60
PID 832 wrote to memory of 2052	832	Comet.exe	60
PID 832 wrote to memory of 2052	832	Comet.exe	60
PID 1972 wrote to memory of 2804	1972	Comet.exe	62
PID 1972 wrote to memory of 2804	1972	Comet.exe	62
PID 1972 wrote to memory of 2804	1972	Comet.exe	62
PID 1972 wrote to memory of 1772	1972	Comet.exe	63

C:\Users\Admin\AppData\Local\Temp\Comet.exe
"C:\Users\Admin\AppData\Local\Temp\Comet.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\Comet.exe
  "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\Comet.exe
    "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Users\Admin\AppData\Local\Temp\Comet.exe
      "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        7⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        8⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        9⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        10⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        11⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        12⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        13⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        14⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        15⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        16⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        17⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        18⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        19⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        20⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        21⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        22⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        26⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        25⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        24⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        23⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        22⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        21⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        20⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        19⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        18⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        17⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        16⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        15⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        14⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        13⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        12⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        11⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        10⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        9⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        8⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        7⤵
        Executes dropped EXE
        
        PID:572
      - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        6⤵
        Executes dropped EXE
        
        PID:348
    - - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        5⤵
        Executes dropped EXE
        
        PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
      "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
      4⤵
      Executes dropped EXE
      PID:2880
- - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
    "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
    3⤵
    - Executes dropped EXE
    PID:2972
- C:\Users\Admin\AppData\Local\Temp\deltadll.exe
  "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
  2⤵
  - Executes dropped EXE
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\deltadll.exe

Filesize
14.8MB

MD5
19c446f51d203d1fb7eb23210709417b

SHA1
6e33b8d13d1539630615e581e5ab03de371c0dc6

SHA256
b67cae29bac60920b3edc02081da697c4c6486411c1bc77f29b68cb1f23e3ffc

SHA512
9d8601a0c2e090cd5fc6315c1671d669cd6a6bf20d3ef24cb1a111e344464913fe809c9b27d32608b93b988a37e59c90086ccf68545ce385ef58f96365a439df

Download Submit
memory/620-0-0x000007FEF5403000-0x000007FEF5404000-memory.dmp

Filesize
4KB

Download
memory/620-1-0x000000013F390000-0x000000013FC3A000-memory.dmp

Filesize
8.7MB

Download
memory/620-2-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/620-13-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2248-3-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2248-23-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download