Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

Sky Beta .exe

windows7-x64

7

Sky Beta .exe

windows10-2004-x64

7

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

LICENSES.c...m.html

windows7-x64

1

LICENSES.c...m.html

windows10-2004-x64

1

Sky Beta.exe

windows7-x64

1

Sky Beta.exe

windows10-2004-x64

7

d3dcompiler_47.dll

windows10-2004-x64

1

ffmpeg.dll

windows7-x64

1

ffmpeg.dll

windows10-2004-x64

1

libEGL.dll

windows7-x64

1

libEGL.dll

windows10-2004-x64

1

libGLESv2.dll

windows7-x64

1

libGLESv2.dll

windows10-2004-x64

1

locales/af.ps1

windows7-x64

1

locales/af.ps1

windows10-2004-x64

1

locales/en-GB.ps1

windows7-x64

1

locales/en-GB.ps1

windows10-2004-x64

1

locales/et.ps1

windows7-x64

1

locales/et.ps1

windows10-2004-x64

1

locales/pt-BR.ps1

windows7-x64

1

locales/pt-BR.ps1

windows10-2004-x64

1

locales/sk.ps1

windows7-x64

1

locales/sk.ps1

windows10-2004-x64

1

locales/uk.ps1

windows7-x64

1

locales/uk.ps1

windows10-2004-x64

1

resources/elevate.exe

windows7-x64

1

resources/elevate.exe

windows10-2004-x64

1

vk_swiftshader.dll

windows7-x64

1

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/02/2024, 03:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sky Beta.exe

  • Size

    152.7MB

  • MD5

    82bba5f337a5441c52486c72dbe1ae91

  • SHA1

    8e31ee0ec80cbf883b5ee945fed9b9e330407f5b

  • SHA256

    28654e3b799752f56c9699d156c01f21dbbe598058ba52e9b8f876a0e7c8ce09

  • SHA512

    16300c7c590145f9da4b8c06b6efe1be77a3ba037234d4de8fae3586c9453698596f6fa2e0600a171d0512a9b9b28dfbe55d27bffafe673e4c8afcbfb12660e7

  • SSDEEP

    1572864:qLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:qypCmJctBjj2+Jv

Score
7/10
spywarestealer

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates processes with tasklist 1 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
    "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4080
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3912
    • C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
      "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1680,i,8003340748033330071,17179015242705847583,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
        PID:4540
      • C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
        "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --mojo-platform-channel-handle=1960 --field-trial-handle=1680,i,8003340748033330071,17179015242705847583,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4384
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2232
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1464
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4300
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:644
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4112
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3288
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:64
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2856
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3736
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4844
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
          PID:4988
          • C:\Windows\system32\tasklist.exe
            tasklist
            3⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2344
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "tasklist"
          2⤵
            PID:3916
            • C:\Windows\system32\tasklist.exe
              tasklist
              3⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:3884
          • C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe
            "C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1680,i,8003340748033330071,17179015242705847583,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4652

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2770efce-7bf5-4f73-a6f9-8326792bc188.tmp.node
          Filesize

          155KB

          MD5

          5e5e518ef0b6fdc731da7c6b92478aa0

          SHA1

          e2cd51e5ee4d2bb317d2eb88f1008c3a4d06616c

          SHA256

          eec714e3ec4aa4f4894541829ebca1cea5bded48a1995ff9534ce57d41ffc3de

          SHA512

          5532288bd119937122af641d580721205bdcbeb05bc8595a68f59879cb1b76cd950d1a2a28f1226c7642d2d423f2bffe6e6c7cf27cc3957d894324dd1d2ee07f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\56dfc9b2-574a-42c2-89c6-af706830c0bd.tmp.node
          Filesize

          1.8MB

          MD5

          beb8d911d40e8fe94770d9d341e0de11

          SHA1

          d24d31e5b44a4a80969e2a669fb9b0ed42cfd479

          SHA256

          ec41fc2fee2abcbf0559965501f54aae47cff24a87204fd3a85d86c7d53d53c7

          SHA512

          079c43c2533fa35411247dd091c5caedb4a0dbdeee7b8f9fbbba6f521d760856822d373f1e6682eff10bebc63168cb4a445aee7b23047e4d784ab28891d07bfe

          Download Submit

        • memory/4652-41-0x0000019416BB0000-0x0000019416BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4652-40-0x0000019416BB0000-0x0000019416BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4652-42-0x0000019416BB0000-0x0000019416BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4652-46-0x0000019416BB0000-0x0000019416BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4652-47-0x0000019416BB0000-0x0000019416BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4652-48-0x0000019416BB0000-0x0000019416BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4652-49-0x0000019416BB0000-0x0000019416BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4652-50-0x0000019416BB0000-0x0000019416BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4652-51-0x0000019416BB0000-0x0000019416BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4652-52-0x0000019416BB0000-0x0000019416BB1000-memory.dmp

          Filesize

          4KB

          Download