0223d85eaf5cd5b188e61e9c99b62a9b5cfba4c5d2ed13576858b40327451ae7

Analysis

max time kernel
152s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sky Beta.exe
Size

152.7MB
MD5

82bba5f337a5441c52486c72dbe1ae91
SHA1

8e31ee0ec80cbf883b5ee945fed9b9e330407f5b
SHA256

28654e3b799752f56c9699d156c01f21dbbe598058ba52e9b8f876a0e7c8ce09
SHA512

16300c7c590145f9da4b8c06b6efe1be77a3ba037234d4de8fae3586c9453698596f6fa2e0600a171d0512a9b9b28dfbe55d27bffafe673e4c8afcbfb12660e7
SSDEEP

1572864:qLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:qypCmJctBjj2+Jv

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Sky Beta.exe

Loads dropped DLL 2 IoCs

pid	Process
4652	Sky Beta.exe
4652	Sky Beta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates processes with tasklist 1 TTPs 10 IoCs

Process Discovery

T1057

pid	Process
2984	tasklist.exe
2364	tasklist.exe
5076	tasklist.exe
4580	tasklist.exe
3588	tasklist.exe
4852	tasklist.exe
1872	tasklist.exe
4684	tasklist.exe
3096	tasklist.exe
832	tasklist.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1632	Sky Beta.exe
1632	Sky Beta.exe
1384	Sky Beta.exe
1384	Sky Beta.exe
1384	Sky Beta.exe
1384	Sky Beta.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	832	tasklist.exe
Token: SeDebugPrivilege	1872	tasklist.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeDebugPrivilege	2984	tasklist.exe
Token: SeDebugPrivilege	2364	tasklist.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeDebugPrivilege	4684	tasklist.exe
Token: SeDebugPrivilege	5076	tasklist.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeDebugPrivilege	4580	tasklist.exe
Token: SeDebugPrivilege	3588	tasklist.exe
Token: SeDebugPrivilege	4852	tasklist.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeDebugPrivilege	3096	tasklist.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe
Token: SeShutdownPrivilege	4652	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4652	Sky Beta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 3244	4652	Sky Beta.exe	83
PID 4652 wrote to memory of 3244	4652	Sky Beta.exe	83
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 3244 wrote to memory of 832	3244	cmd.exe	86
PID 3244 wrote to memory of 832	3244	cmd.exe	86
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 620	4652	Sky Beta.exe	85
PID 4652 wrote to memory of 1632	4652	Sky Beta.exe	88
PID 4652 wrote to memory of 1632	4652	Sky Beta.exe	88
PID 4652 wrote to memory of 4076	4652	Sky Beta.exe	89
PID 4652 wrote to memory of 4076	4652	Sky Beta.exe	89
PID 4076 wrote to memory of 1872	4076	cmd.exe	91
PID 4076 wrote to memory of 1872	4076	cmd.exe	91
PID 4652 wrote to memory of 3520	4652	Sky Beta.exe	92
PID 4652 wrote to memory of 3520	4652	Sky Beta.exe	92
PID 3520 wrote to memory of 2984	3520	cmd.exe	96
PID 3520 wrote to memory of 2984	3520	cmd.exe	96
PID 4652 wrote to memory of 3612	4652	Sky Beta.exe	97
PID 4652 wrote to memory of 3612	4652	Sky Beta.exe	97
PID 3612 wrote to memory of 2364	3612	cmd.exe	99
PID 3612 wrote to memory of 2364	3612	cmd.exe	99
PID 4652 wrote to memory of 4424	4652	Sky Beta.exe	100
PID 4652 wrote to memory of 4424	4652	Sky Beta.exe	100
PID 4424 wrote to memory of 4684	4424	cmd.exe	102
PID 4424 wrote to memory of 4684	4424	cmd.exe	102
PID 4652 wrote to memory of 1232	4652	Sky Beta.exe	104
PID 4652 wrote to memory of 1232	4652	Sky Beta.exe	104
PID 1232 wrote to memory of 5076	1232	cmd.exe	106
PID 1232 wrote to memory of 5076	1232	cmd.exe	106
PID 4652 wrote to memory of 212	4652	Sky Beta.exe	107
PID 4652 wrote to memory of 212	4652	Sky Beta.exe	107
PID 212 wrote to memory of 4580	212	cmd.exe	109
PID 212 wrote to memory of 4580	212	cmd.exe	109
PID 4652 wrote to memory of 2472	4652	Sky Beta.exe	110
PID 4652 wrote to memory of 2472	4652	Sky Beta.exe	110
PID 2472 wrote to memory of 3588	2472	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
"C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1768,i,10362771873128411559,13850514989055018116,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:620
- C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --mojo-platform-channel-handle=1948 --field-trial-handle=1768,i,10362771873128411559,13850514989055018116,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3896
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2180
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3096
- C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1768,i,10362771873128411559,13850514989055018116,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b2555970-be0b-4028-9044-21adb000af5f.tmp.node

Filesize
1.8MB

MD5
beb8d911d40e8fe94770d9d341e0de11

SHA1
d24d31e5b44a4a80969e2a669fb9b0ed42cfd479

SHA256
ec41fc2fee2abcbf0559965501f54aae47cff24a87204fd3a85d86c7d53d53c7

SHA512
079c43c2533fa35411247dd091c5caedb4a0dbdeee7b8f9fbbba6f521d760856822d373f1e6682eff10bebc63168cb4a445aee7b23047e4d784ab28891d07bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec7a222c-06ae-4174-9345-4de07b51e3be.tmp.node

Filesize
155KB

MD5
5e5e518ef0b6fdc731da7c6b92478aa0

SHA1
e2cd51e5ee4d2bb317d2eb88f1008c3a4d06616c

SHA256
eec714e3ec4aa4f4894541829ebca1cea5bded48a1995ff9534ce57d41ffc3de

SHA512
5532288bd119937122af641d580721205bdcbeb05bc8595a68f59879cb1b76cd950d1a2a28f1226c7642d2d423f2bffe6e6c7cf27cc3957d894324dd1d2ee07f

Download Submit
memory/1384-40-0x0000022F6F530000-0x0000022F6F531000-memory.dmp

Filesize
4KB

Download
memory/1384-41-0x0000022F6F530000-0x0000022F6F531000-memory.dmp

Filesize
4KB

Download
memory/1384-42-0x0000022F6F530000-0x0000022F6F531000-memory.dmp

Filesize
4KB

Download
memory/1384-52-0x0000022F6F530000-0x0000022F6F531000-memory.dmp

Filesize
4KB

Download
memory/1384-51-0x0000022F6F530000-0x0000022F6F531000-memory.dmp

Filesize
4KB

Download
memory/1384-50-0x0000022F6F530000-0x0000022F6F531000-memory.dmp

Filesize
4KB

Download
memory/1384-49-0x0000022F6F530000-0x0000022F6F531000-memory.dmp

Filesize
4KB

Download
memory/1384-48-0x0000022F6F530000-0x0000022F6F531000-memory.dmp

Filesize
4KB

Download
memory/1384-47-0x0000022F6F530000-0x0000022F6F531000-memory.dmp

Filesize
4KB

Download
memory/1384-46-0x0000022F6F530000-0x0000022F6F531000-memory.dmp

Filesize
4KB

Download