0223d85eaf5cd5b188e61e9c99b62a9b5cfba4c5d2ed13576858b40327451ae7

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sky Beta.exe
Size

152.7MB
MD5

82bba5f337a5441c52486c72dbe1ae91
SHA1

8e31ee0ec80cbf883b5ee945fed9b9e330407f5b
SHA256

28654e3b799752f56c9699d156c01f21dbbe598058ba52e9b8f876a0e7c8ce09
SHA512

16300c7c590145f9da4b8c06b6efe1be77a3ba037234d4de8fae3586c9453698596f6fa2e0600a171d0512a9b9b28dfbe55d27bffafe673e4c8afcbfb12660e7
SSDEEP

1572864:qLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:qypCmJctBjj2+Jv

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Sky Beta.exe

Loads dropped DLL 2 IoCs

pid	Process
3244	Sky Beta.exe
3244	Sky Beta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates processes with tasklist 1 TTPs 10 IoCs

Process Discovery

T1057

pid	Process
3384	tasklist.exe
5052	tasklist.exe
3348	tasklist.exe
3228	tasklist.exe
1988	tasklist.exe
5084	tasklist.exe
1540	tasklist.exe
4816	tasklist.exe
1824	tasklist.exe
4656	tasklist.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3960	Sky Beta.exe
3960	Sky Beta.exe
1428	Sky Beta.exe
1428	Sky Beta.exe
1428	Sky Beta.exe
1428	Sky Beta.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3348	tasklist.exe
Token: SeDebugPrivilege	3228	tasklist.exe
Token: SeDebugPrivilege	1988	tasklist.exe
Token: SeDebugPrivilege	1540	tasklist.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeDebugPrivilege	4816	tasklist.exe
Token: SeDebugPrivilege	5084	tasklist.exe
Token: SeDebugPrivilege	3384	tasklist.exe
Token: SeDebugPrivilege	5052	tasklist.exe
Token: SeDebugPrivilege	1824	tasklist.exe
Token: SeDebugPrivilege	4656	tasklist.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe
Token: SeShutdownPrivilege	3244	Sky Beta.exe
Token: SeCreatePagefilePrivilege	3244	Sky Beta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 4900	3244	Sky Beta.exe	87
PID 3244 wrote to memory of 4900	3244	Sky Beta.exe	87
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 4900 wrote to memory of 3348	4900	cmd.exe	85
PID 4900 wrote to memory of 3348	4900	cmd.exe	85
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 692	3244	Sky Beta.exe	86
PID 3244 wrote to memory of 3960	3244	Sky Beta.exe	89
PID 3244 wrote to memory of 3960	3244	Sky Beta.exe	89
PID 3244 wrote to memory of 208	3244	Sky Beta.exe	90
PID 3244 wrote to memory of 208	3244	Sky Beta.exe	90
PID 208 wrote to memory of 3228	208	cmd.exe	92
PID 208 wrote to memory of 3228	208	cmd.exe	92
PID 3244 wrote to memory of 532	3244	Sky Beta.exe	93
PID 3244 wrote to memory of 532	3244	Sky Beta.exe	93
PID 532 wrote to memory of 1988	532	cmd.exe	95
PID 532 wrote to memory of 1988	532	cmd.exe	95
PID 3244 wrote to memory of 3048	3244	Sky Beta.exe	96
PID 3244 wrote to memory of 3048	3244	Sky Beta.exe	96
PID 3048 wrote to memory of 1540	3048	cmd.exe	98
PID 3048 wrote to memory of 1540	3048	cmd.exe	98
PID 3244 wrote to memory of 2304	3244	Sky Beta.exe	99
PID 3244 wrote to memory of 2304	3244	Sky Beta.exe	99
PID 2304 wrote to memory of 4816	2304	cmd.exe	101
PID 2304 wrote to memory of 4816	2304	cmd.exe	101
PID 3244 wrote to memory of 4392	3244	Sky Beta.exe	102
PID 3244 wrote to memory of 4392	3244	Sky Beta.exe	102
PID 4392 wrote to memory of 5084	4392	cmd.exe	104
PID 4392 wrote to memory of 5084	4392	cmd.exe	104
PID 3244 wrote to memory of 4372	3244	Sky Beta.exe	105
PID 3244 wrote to memory of 4372	3244	Sky Beta.exe	105
PID 4372 wrote to memory of 3384	4372	cmd.exe	107
PID 4372 wrote to memory of 3384	4372	cmd.exe	107
PID 3244 wrote to memory of 440	3244	Sky Beta.exe	109
PID 3244 wrote to memory of 440	3244	Sky Beta.exe	109
PID 440 wrote to memory of 5052	440	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
"C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1744,i,15679237672164000475,10484915220717251909,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --mojo-platform-channel-handle=1960 --field-trial-handle=1744,i,15679237672164000475,10484915220717251909,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4280
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:912
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1744,i,15679237672164000475,10484915220717251909,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1428

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1c4e89f0-2047-46d1-b8a8-bbf8a2da95b0.tmp.node

Filesize
155KB

MD5
5e5e518ef0b6fdc731da7c6b92478aa0

SHA1
e2cd51e5ee4d2bb317d2eb88f1008c3a4d06616c

SHA256
eec714e3ec4aa4f4894541829ebca1cea5bded48a1995ff9534ce57d41ffc3de

SHA512
5532288bd119937122af641d580721205bdcbeb05bc8595a68f59879cb1b76cd950d1a2a28f1226c7642d2d423f2bffe6e6c7cf27cc3957d894324dd1d2ee07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\207a9035-1476-4719-bed4-183d4d91b387.tmp.node

Filesize
1.8MB

MD5
beb8d911d40e8fe94770d9d341e0de11

SHA1
d24d31e5b44a4a80969e2a669fb9b0ed42cfd479

SHA256
ec41fc2fee2abcbf0559965501f54aae47cff24a87204fd3a85d86c7d53d53c7

SHA512
079c43c2533fa35411247dd091c5caedb4a0dbdeee7b8f9fbbba6f521d760856822d373f1e6682eff10bebc63168cb4a445aee7b23047e4d784ab28891d07bfe

Download Submit
memory/1428-40-0x0000015813BE0000-0x0000015813BE1000-memory.dmp

Filesize
4KB

Download
memory/1428-41-0x0000015813BE0000-0x0000015813BE1000-memory.dmp

Filesize
4KB

Download
memory/1428-42-0x0000015813BE0000-0x0000015813BE1000-memory.dmp

Filesize
4KB

Download
memory/1428-46-0x0000015813BE0000-0x0000015813BE1000-memory.dmp

Filesize
4KB

Download
memory/1428-47-0x0000015813BE0000-0x0000015813BE1000-memory.dmp

Filesize
4KB

Download
memory/1428-48-0x0000015813BE0000-0x0000015813BE1000-memory.dmp

Filesize
4KB

Download
memory/1428-49-0x0000015813BE0000-0x0000015813BE1000-memory.dmp

Filesize
4KB

Download
memory/1428-50-0x0000015813BE0000-0x0000015813BE1000-memory.dmp

Filesize
4KB

Download
memory/1428-51-0x0000015813BE0000-0x0000015813BE1000-memory.dmp

Filesize
4KB

Download
memory/1428-52-0x0000015813BE0000-0x0000015813BE1000-memory.dmp

Filesize
4KB

Download