skuld | 56bd8367607b32bfe275478f96bbd0fe213c07eee696e0a268f817ea757a9543

Analysis

max time kernel
100s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
22/03/2025, 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50KfF6O.exe
Size

3.2MB
MD5

9ec5cf784ec23ca09c2921668912cfeb
SHA1

4b9c8b0d197c359368164e5738b44a65fba40741
SHA256

56bd8367607b32bfe275478f96bbd0fe213c07eee696e0a268f817ea757a9543
SHA512

043d623ae8f3dbb43b504ba08d916f27f9054c4df46c6b5d0ae56e98c44b919e8d9a05e333c08adad286353bf5f6f1b75c1ee23f819462654c94e1542c31c464
SSDEEP

98304:f3bOTeskaH0XNniR5aAebmGeCpmC7ir4:/bOT1kaHeaGe87

Score

10^/10

skuld persistence stealer upx

Malware Config

Extracted

Family

skuld

https://discordapp.com/api/webhooks/1349647136895012916/qSys_fpsL_y7usKH_AyrFupSjzSsVfg2t895g2HV8Yz72asrwCIsHaqqhPtDFjz8g8_E

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	50KfF6O.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5492-0-0x00000000006B0000-0x000000000113E000-memory.dmp	upx
behavioral2/memory/5492-2-0x00000000006B0000-0x000000000113E000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5492	50KfF6O.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5492 wrote to memory of 3036	5492	50KfF6O.exe	79
PID 5492 wrote to memory of 3036	5492	50KfF6O.exe	79

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3036	attrib.exe

C:\Users\Admin\AppData\Local\Temp\50KfF6O.exe
"C:\Users\Admin\AppData\Local\Temp\50KfF6O.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5492
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\50KfF6O.exe
  2⤵
  - Views/modifies file attributes
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5492-0-0x00000000006B0000-0x000000000113E000-memory.dmp

Filesize
10.6MB

Download
memory/5492-2-0x00000000006B0000-0x000000000113E000-memory.dmp

Filesize
10.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads