0223d85eaf5cd5b188e61e9c99b62a9b5cfba4c5d2ed13576858b40327451ae7

Analysis

max time kernel
154s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sky Beta.exe
Size

152.7MB
MD5

82bba5f337a5441c52486c72dbe1ae91
SHA1

8e31ee0ec80cbf883b5ee945fed9b9e330407f5b
SHA256

28654e3b799752f56c9699d156c01f21dbbe598058ba52e9b8f876a0e7c8ce09
SHA512

16300c7c590145f9da4b8c06b6efe1be77a3ba037234d4de8fae3586c9453698596f6fa2e0600a171d0512a9b9b28dfbe55d27bffafe673e4c8afcbfb12660e7
SSDEEP

1572864:qLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:qypCmJctBjj2+Jv

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	Sky Beta.exe

Loads dropped DLL 2 IoCs

pid	Process
2196	Sky Beta.exe
2196	Sky Beta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates processes with tasklist 1 TTPs 10 IoCs

Process Discovery

T1057

pid	Process
1392	tasklist.exe
664	tasklist.exe
4688	tasklist.exe
1808	tasklist.exe
1148	tasklist.exe
1516	tasklist.exe
4692	tasklist.exe
1040	tasklist.exe
1524	tasklist.exe
1220	tasklist.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1008	Sky Beta.exe
1008	Sky Beta.exe
1596	Sky Beta.exe
1596	Sky Beta.exe
1596	Sky Beta.exe
1596	Sky Beta.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeDebugPrivilege	1516	tasklist.exe
Token: SeDebugPrivilege	1392	tasklist.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeDebugPrivilege	664	tasklist.exe
Token: SeDebugPrivilege	4688	tasklist.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeDebugPrivilege	4692	tasklist.exe
Token: SeDebugPrivilege	1040	tasklist.exe
Token: SeDebugPrivilege	1524	tasklist.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeDebugPrivilege	1808	tasklist.exe
Token: SeDebugPrivilege	1220	tasklist.exe
Token: SeDebugPrivilege	1148	tasklist.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe
Token: SeShutdownPrivilege	2196	Sky Beta.exe
Token: SeCreatePagefilePrivilege	2196	Sky Beta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 556	2196	Sky Beta.exe	83
PID 2196 wrote to memory of 556	2196	Sky Beta.exe	83
PID 556 wrote to memory of 1516	556	cmd.exe	85
PID 556 wrote to memory of 1516	556	cmd.exe	85
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 2056	2196	Sky Beta.exe	86
PID 2196 wrote to memory of 1008	2196	Sky Beta.exe	88
PID 2196 wrote to memory of 1008	2196	Sky Beta.exe	88
PID 2196 wrote to memory of 4704	2196	Sky Beta.exe	89
PID 2196 wrote to memory of 4704	2196	Sky Beta.exe	89
PID 4704 wrote to memory of 1392	4704	cmd.exe	91
PID 4704 wrote to memory of 1392	4704	cmd.exe	91
PID 2196 wrote to memory of 4004	2196	Sky Beta.exe	94
PID 2196 wrote to memory of 4004	2196	Sky Beta.exe	94
PID 4004 wrote to memory of 664	4004	cmd.exe	96
PID 4004 wrote to memory of 664	4004	cmd.exe	96
PID 2196 wrote to memory of 2676	2196	Sky Beta.exe	97
PID 2196 wrote to memory of 2676	2196	Sky Beta.exe	97
PID 2676 wrote to memory of 4688	2676	cmd.exe	99
PID 2676 wrote to memory of 4688	2676	cmd.exe	99
PID 2196 wrote to memory of 3384	2196	Sky Beta.exe	101
PID 2196 wrote to memory of 3384	2196	Sky Beta.exe	101
PID 3384 wrote to memory of 4692	3384	cmd.exe	103
PID 3384 wrote to memory of 4692	3384	cmd.exe	103
PID 2196 wrote to memory of 1676	2196	Sky Beta.exe	104
PID 2196 wrote to memory of 1676	2196	Sky Beta.exe	104
PID 1676 wrote to memory of 1040	1676	cmd.exe	106
PID 1676 wrote to memory of 1040	1676	cmd.exe	106
PID 2196 wrote to memory of 3664	2196	Sky Beta.exe	107
PID 2196 wrote to memory of 3664	2196	Sky Beta.exe	107
PID 3664 wrote to memory of 1524	3664	cmd.exe	109
PID 3664 wrote to memory of 1524	3664	cmd.exe	109
PID 2196 wrote to memory of 4964	2196	Sky Beta.exe	110
PID 2196 wrote to memory of 4964	2196	Sky Beta.exe	110
PID 4964 wrote to memory of 1808	4964	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
"C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1796,i,11477925191765039382,12238783031567789341,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2056
- C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --mojo-platform-channel-handle=1960 --field-trial-handle=1796,i,11477925191765039382,12238783031567789341,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2860
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2248
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1796,i,11477925191765039382,12238783031567789341,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52445b50-d901-464d-aab7-46bf09d5577c.tmp.node

Filesize
1.8MB

MD5
beb8d911d40e8fe94770d9d341e0de11

SHA1
d24d31e5b44a4a80969e2a669fb9b0ed42cfd479

SHA256
ec41fc2fee2abcbf0559965501f54aae47cff24a87204fd3a85d86c7d53d53c7

SHA512
079c43c2533fa35411247dd091c5caedb4a0dbdeee7b8f9fbbba6f521d760856822d373f1e6682eff10bebc63168cb4a445aee7b23047e4d784ab28891d07bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaee73d9-05b0-4e06-880c-722936aace4c.tmp.node

Filesize
155KB

MD5
5e5e518ef0b6fdc731da7c6b92478aa0

SHA1
e2cd51e5ee4d2bb317d2eb88f1008c3a4d06616c

SHA256
eec714e3ec4aa4f4894541829ebca1cea5bded48a1995ff9534ce57d41ffc3de

SHA512
5532288bd119937122af641d580721205bdcbeb05bc8595a68f59879cb1b76cd950d1a2a28f1226c7642d2d423f2bffe6e6c7cf27cc3957d894324dd1d2ee07f

Download Submit
memory/1596-41-0x000001A7B4FF0000-0x000001A7B4FF1000-memory.dmp

Filesize
4KB

Download
memory/1596-40-0x000001A7B4FF0000-0x000001A7B4FF1000-memory.dmp

Filesize
4KB

Download
memory/1596-42-0x000001A7B4FF0000-0x000001A7B4FF1000-memory.dmp

Filesize
4KB

Download
memory/1596-47-0x000001A7B4FF0000-0x000001A7B4FF1000-memory.dmp

Filesize
4KB

Download
memory/1596-46-0x000001A7B4FF0000-0x000001A7B4FF1000-memory.dmp

Filesize
4KB

Download
memory/1596-49-0x000001A7B4FF0000-0x000001A7B4FF1000-memory.dmp

Filesize
4KB

Download
memory/1596-48-0x000001A7B4FF0000-0x000001A7B4FF1000-memory.dmp

Filesize
4KB

Download
memory/1596-50-0x000001A7B4FF0000-0x000001A7B4FF1000-memory.dmp

Filesize
4KB

Download
memory/1596-51-0x000001A7B4FF0000-0x000001A7B4FF1000-memory.dmp

Filesize
4KB

Download
memory/1596-52-0x000001A7B4FF0000-0x000001A7B4FF1000-memory.dmp

Filesize
4KB

Download