Analysis
- max time kernel: 25s
- max time network: 20s
- platform: windows10-ltsc_2021_x64
- resource: win10ltsc2021-20250314-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
- submitted: 26/03/2025, 09:33
Behavioral task: behavioral1
- Sample: skuld.exe
- Resource: win10ltsc2021-20250314-en
General
- Target: skuld.exe
- Size: 15.4MB
- MD5: 43ce92b13e04631f69e15b76db98f51e
- SHA1: e20b2c6ed2d3e17b2f1a764b0ab1036158154b06
- SHA256: 95b1a6969c6daa323432e99d25bf3b0c33a21efec679871badc3b2a34410149f
- SHA512: 23f9187621b7d006f154b0fec253d70abb674318b7b03b9cadd8087ee7669701a5361e6c12beef17d10e26e2b40ff41596e8abcc44a8fabe1fad1e25b4151c8c
- SSDEEP: 196608:jAKz060voeVsJEsQ7R/wTymlb8F+Bvp+wsvwRR3Jk04:j/0DviAR/wum+F+BDjHqR
Malware Config
Extracted
- Family: skuld
- Webhook: https://discord.com/api/webhooks/1353661726381572147/DvQndSN-KFEIW6Dut8-fuk824N_vcYG_9jzKvSM2RDLP9kwb4j3E7svLXZPoggpJeUi6
Signatures
- Skuld family
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe" (process: skuld.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (process: taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (process: taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (process: taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid 3632 taskmgr.exe (23 occurrences)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege (pid 5924, skuld.exe)
  Token: SeDebugPrivilege (pid 3632, taskmgr.exe)
  Token: SeSystemProfilePrivilege (pid 3632, taskmgr.exe)
  Token: SeCreateGlobalPrivilege (pid 3632, taskmgr.exe)
  Token: 33 (pid 3632, taskmgr.exe)
  Token: SeIncBasePriorityPrivilege (pid 3632, taskmgr.exe)
- Suspicious use of FindShellTrayWindow (40 IoCs)
  pid 3632 taskmgr.exe (40 occurrences)
- Suspicious use of SendNotifyMessage (40 IoCs)
  pid 3632 taskmgr.exe (40 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 5924 wrote to memory of 5736 (pid 5924, skuld.exe, procid_target 82)
  PID 5924 wrote to memory of 5736 (pid 5924, skuld.exe, procid_target 82)
- Views/modifies file attributes (1 TTPs, 1 IoC)
  pid 5736 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\skuld.exe (PID 5924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\skuld.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\attrib.exe (PID 5736)
    Command line: attrib +h +s C:\Users\Admin\AppData\Local\Temp\skuld.exe
    - Views/modifies file attributes
- C:\Windows\system32\taskmgr.exe (PID 3632)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (1)
Downloads
- Filesize: 9.0MB
  MD5: 8129708de5e3810c18ff8864519139be
  SHA1: 3f50c81f694a0d9d0b721d0b2a1051de93b335f7
  SHA256: d824df5d3ff6d30d8db814cb91ce81f037b89c09b2d7a3e91e6e2c554c976977
  SHA512: d0f558b6b7b4d65ed6c3d5a905ce4513e954412d74ca7c3062fcde2b0eb429922c6964ffaad2dcb2cd9023f5432e629c1d9fb507eff44cf3f88a943f69801e4c