2462bab518fe5cebef008cb12b44065348f9173df6bf4d9f80dfda82869575d1

Analysis

max time kernel
152s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sky Beta.exe
Size

152.7MB
MD5

82bba5f337a5441c52486c72dbe1ae91
SHA1

8e31ee0ec80cbf883b5ee945fed9b9e330407f5b
SHA256

28654e3b799752f56c9699d156c01f21dbbe598058ba52e9b8f876a0e7c8ce09
SHA512

16300c7c590145f9da4b8c06b6efe1be77a3ba037234d4de8fae3586c9453698596f6fa2e0600a171d0512a9b9b28dfbe55d27bffafe673e4c8afcbfb12660e7
SSDEEP

1572864:qLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:qypCmJctBjj2+Jv

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Sky Beta.exe

Loads dropped DLL 2 IoCs

pid	Process
4692	Sky Beta.exe
4692	Sky Beta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates processes with tasklist 1 TTPs 10 IoCs

Process Discovery

T1057

pid	Process
4012	tasklist.exe
468	tasklist.exe
864	tasklist.exe
2340	tasklist.exe
3188	tasklist.exe
4112	tasklist.exe
2508	tasklist.exe
1780	tasklist.exe
3260	tasklist.exe
1420	tasklist.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1696	Sky Beta.exe
1696	Sky Beta.exe
1276	Sky Beta.exe
1276	Sky Beta.exe
1276	Sky Beta.exe
1276	Sky Beta.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	tasklist.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeDebugPrivilege	4012	tasklist.exe
Token: SeDebugPrivilege	468	tasklist.exe
Token: SeDebugPrivilege	1420	tasklist.exe
Token: SeDebugPrivilege	864	tasklist.exe
Token: SeDebugPrivilege	2340	tasklist.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeDebugPrivilege	3188	tasklist.exe
Token: SeDebugPrivilege	4112	tasklist.exe
Token: SeDebugPrivilege	3260	tasklist.exe
Token: SeDebugPrivilege	2508	tasklist.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe
Token: SeShutdownPrivilege	4692	Sky Beta.exe
Token: SeCreatePagefilePrivilege	4692	Sky Beta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 4676	4692	Sky Beta.exe	86
PID 4692 wrote to memory of 4676	4692	Sky Beta.exe	86
PID 4676 wrote to memory of 1780	4676	cmd.exe	89
PID 4676 wrote to memory of 1780	4676	cmd.exe	89
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 2232	4692	Sky Beta.exe	87
PID 4692 wrote to memory of 1696	4692	Sky Beta.exe	90
PID 4692 wrote to memory of 1696	4692	Sky Beta.exe	90
PID 4692 wrote to memory of 528	4692	Sky Beta.exe	93
PID 4692 wrote to memory of 528	4692	Sky Beta.exe	93
PID 528 wrote to memory of 4012	528	cmd.exe	92
PID 528 wrote to memory of 4012	528	cmd.exe	92
PID 4692 wrote to memory of 5048	4692	Sky Beta.exe	96
PID 4692 wrote to memory of 5048	4692	Sky Beta.exe	96
PID 5048 wrote to memory of 468	5048	cmd.exe	94
PID 5048 wrote to memory of 468	5048	cmd.exe	94
PID 4692 wrote to memory of 1280	4692	Sky Beta.exe	101
PID 4692 wrote to memory of 1280	4692	Sky Beta.exe	101
PID 1280 wrote to memory of 1420	1280	cmd.exe	98
PID 1280 wrote to memory of 1420	1280	cmd.exe	98
PID 4692 wrote to memory of 4476	4692	Sky Beta.exe	102
PID 4692 wrote to memory of 4476	4692	Sky Beta.exe	102
PID 4476 wrote to memory of 864	4476	cmd.exe	104
PID 4476 wrote to memory of 864	4476	cmd.exe	104
PID 4692 wrote to memory of 3808	4692	Sky Beta.exe	105
PID 4692 wrote to memory of 3808	4692	Sky Beta.exe	105
PID 3808 wrote to memory of 2340	3808	cmd.exe	106
PID 3808 wrote to memory of 2340	3808	cmd.exe	106
PID 4692 wrote to memory of 4880	4692	Sky Beta.exe	110
PID 4692 wrote to memory of 4880	4692	Sky Beta.exe	110
PID 4880 wrote to memory of 3188	4880	cmd.exe	109
PID 4880 wrote to memory of 3188	4880	cmd.exe	109
PID 4692 wrote to memory of 4472	4692	Sky Beta.exe	113
PID 4692 wrote to memory of 4472	4692	Sky Beta.exe	113
PID 4472 wrote to memory of 4112	4472	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
"C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1744,i,13181175687544420501,4742338557869405784,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --mojo-platform-channel-handle=1940 --field-trial-handle=1744,i,13181175687544420501,4742338557869405784,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:860
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1212 --field-trial-handle=1744,i,13181175687544420501,4742338557869405784,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1276

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\246157f1-31ad-4ff9-b2e0-cee905fa394b.tmp.node

Filesize
155KB

MD5
5e5e518ef0b6fdc731da7c6b92478aa0

SHA1
e2cd51e5ee4d2bb317d2eb88f1008c3a4d06616c

SHA256
eec714e3ec4aa4f4894541829ebca1cea5bded48a1995ff9534ce57d41ffc3de

SHA512
5532288bd119937122af641d580721205bdcbeb05bc8595a68f59879cb1b76cd950d1a2a28f1226c7642d2d423f2bffe6e6c7cf27cc3957d894324dd1d2ee07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebd34457-997a-4e6f-990f-5cf884f55622.tmp.node

Filesize
1.6MB

MD5
d4ea78aa02027fe173ece3c18d69f4df

SHA1
4d97b67d772b5980f75257104c3a6d52d160af37

SHA256
a6436658f64a03171a5396b788fccd0f09fc450ba3c37806b6b96996ede330b1

SHA512
d6b45631e6f99ab534617e8812d85c03d64758a095e8faa60804c11f11499e5c1a042e0fcf8d12b84a0d83b5b503bf375036471a435579858607e1f69c177b65

Download Submit
memory/1276-40-0x00000223CAD50000-0x00000223CAD51000-memory.dmp

Filesize
4KB

Download
memory/1276-42-0x00000223CAD50000-0x00000223CAD51000-memory.dmp

Filesize
4KB

Download
memory/1276-41-0x00000223CAD50000-0x00000223CAD51000-memory.dmp

Filesize
4KB

Download
memory/1276-47-0x00000223CAD50000-0x00000223CAD51000-memory.dmp

Filesize
4KB

Download
memory/1276-46-0x00000223CAD50000-0x00000223CAD51000-memory.dmp

Filesize
4KB

Download
memory/1276-49-0x00000223CAD50000-0x00000223CAD51000-memory.dmp

Filesize
4KB

Download
memory/1276-48-0x00000223CAD50000-0x00000223CAD51000-memory.dmp

Filesize
4KB

Download
memory/1276-51-0x00000223CAD50000-0x00000223CAD51000-memory.dmp

Filesize
4KB

Download
memory/1276-50-0x00000223CAD50000-0x00000223CAD51000-memory.dmp

Filesize
4KB

Download
memory/1276-52-0x00000223CAD50000-0x00000223CAD51000-memory.dmp

Filesize
4KB

Download