Overview
overview
7Static
static
3Sky Beta .exe
windows7-x64
Sky Beta .exe
windows10-2004-x64
$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1Sky Beta.exe
windows7-x64
1Sky Beta.exe
windows10-2004-x64
7d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1locales/af.ps1
windows7-x64
1locales/af.ps1
windows10-2004-x64
1locales/en-GB.ps1
windows7-x64
1locales/en-GB.ps1
windows10-2004-x64
1locales/et.ps1
windows7-x64
1locales/et.ps1
windows10-2004-x64
1locales/pt-BR.ps1
windows7-x64
1locales/pt-BR.ps1
windows10-2004-x64
1locales/sk.ps1
windows7-x64
1locales/sk.ps1
windows10-2004-x64
1locales/uk.ps1
windows7-x64
1locales/uk.ps1
windows10-2004-x64
1resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-2004-x64
1vk_swiftshader.dll
windows7-x64
1Analysis
-
max time kernel
153s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
12/02/2024, 03:15
Static task
static1
Behavioral task
behavioral1
Sample
Sky Beta .exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral2
Sample
Sky Beta .exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
LICENSES.chromium.html
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral8
Sample
LICENSES.chromium.html
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Sky Beta.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral10
Sample
Sky Beta.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
d3dcompiler_47.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
ffmpeg.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral13
Sample
ffmpeg.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
libEGL.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral15
Sample
libEGL.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
libGLESv2.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral17
Sample
libGLESv2.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
locales/af.ps1
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral19
Sample
locales/af.ps1
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
locales/en-GB.ps1
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral21
Sample
locales/en-GB.ps1
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
locales/et.ps1
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral23
Sample
locales/et.ps1
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
locales/pt-BR.ps1
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral25
Sample
locales/pt-BR.ps1
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
locales/sk.ps1
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral27
Sample
locales/sk.ps1
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
locales/uk.ps1
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral29
Sample
locales/uk.ps1
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
resources/elevate.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral31
Sample
resources/elevate.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
vk_swiftshader.dll
Resource
win7-20231215-en
windows7-x64
General
-
Target
Sky Beta.exe
-
Size
152.7MB
-
MD5
82bba5f337a5441c52486c72dbe1ae91
-
SHA1
8e31ee0ec80cbf883b5ee945fed9b9e330407f5b
-
SHA256
28654e3b799752f56c9699d156c01f21dbbe598058ba52e9b8f876a0e7c8ce09
-
SHA512
16300c7c590145f9da4b8c06b6efe1be77a3ba037234d4de8fae3586c9453698596f6fa2e0600a171d0512a9b9b28dfbe55d27bffafe673e4c8afcbfb12660e7
-
SSDEEP
1572864:qLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:qypCmJctBjj2+Jv
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe Sky Beta.exe -
Loads dropped DLL 2 IoCs
pid Process 5096 Sky Beta.exe 5096 Sky Beta.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates processes with tasklist 1 TTPs 10 IoCs
pid Process 4256 tasklist.exe 3776 tasklist.exe 400 tasklist.exe 2564 tasklist.exe 3980 tasklist.exe 1328 tasklist.exe 2936 tasklist.exe 1104 tasklist.exe 3164 tasklist.exe 4700 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2196 Sky Beta.exe 2196 Sky Beta.exe 1464 Sky Beta.exe 1464 Sky Beta.exe 1464 Sky Beta.exe 1464 Sky Beta.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 400 tasklist.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeDebugPrivilege 3164 tasklist.exe Token: SeDebugPrivilege 4700 tasklist.exe Token: SeDebugPrivilege 3980 tasklist.exe Token: SeDebugPrivilege 1328 tasklist.exe Token: SeDebugPrivilege 2564 tasklist.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeDebugPrivilege 4256 tasklist.exe Token: SeDebugPrivilege 2936 tasklist.exe Token: SeDebugPrivilege 1104 tasklist.exe Token: SeDebugPrivilege 3776 tasklist.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe Token: SeShutdownPrivilege 5096 Sky Beta.exe Token: SeCreatePagefilePrivilege 5096 Sky Beta.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5096 wrote to memory of 1372 5096 Sky Beta.exe 83 PID 5096 wrote to memory of 1372 5096 Sky Beta.exe 83 PID 1372 wrote to memory of 400 1372 cmd.exe 84 PID 1372 wrote to memory of 400 1372 cmd.exe 84 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 900 5096 Sky Beta.exe 85 PID 5096 wrote to memory of 2196 5096 Sky Beta.exe 88 PID 5096 wrote to memory of 2196 5096 Sky Beta.exe 88 PID 5096 wrote to memory of 4048 5096 Sky Beta.exe 89 PID 5096 wrote to memory of 4048 5096 Sky Beta.exe 89 PID 4048 wrote to memory of 3164 4048 cmd.exe 91 PID 4048 wrote to memory of 3164 4048 cmd.exe 91 PID 5096 wrote to memory of 1180 5096 Sky Beta.exe 94 PID 5096 wrote to memory of 1180 5096 Sky Beta.exe 94 PID 1180 wrote to memory of 4700 1180 cmd.exe 93 PID 1180 wrote to memory of 4700 1180 cmd.exe 93 PID 5096 wrote to memory of 1460 5096 Sky Beta.exe 95 PID 5096 wrote to memory of 1460 5096 Sky Beta.exe 95 PID 1460 wrote to memory of 3980 1460 cmd.exe 96 PID 1460 wrote to memory of 3980 1460 cmd.exe 96 PID 5096 wrote to memory of 1312 5096 Sky Beta.exe 100 PID 5096 wrote to memory of 1312 5096 Sky Beta.exe 100 PID 1312 wrote to memory of 1328 1312 cmd.exe 99 PID 1312 wrote to memory of 1328 1312 cmd.exe 99 PID 5096 wrote to memory of 4584 5096 Sky Beta.exe 103 PID 5096 wrote to memory of 4584 5096 Sky Beta.exe 103 PID 4584 wrote to memory of 2564 4584 cmd.exe 102 PID 4584 wrote to memory of 2564 4584 cmd.exe 102 PID 5096 wrote to memory of 3712 5096 Sky Beta.exe 106 PID 5096 wrote to memory of 3712 5096 Sky Beta.exe 106 PID 3712 wrote to memory of 4256 3712 cmd.exe 104 PID 3712 wrote to memory of 4256 3712 cmd.exe 104 PID 5096 wrote to memory of 1548 5096 Sky Beta.exe 109 PID 5096 wrote to memory of 1548 5096 Sky Beta.exe 109 PID 1548 wrote to memory of 2936 1548 cmd.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe"C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:400
-
-
-
C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe"C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1752,i,10533387683047674661,16542106289980005192,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:900
-
-
C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe"C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --mojo-platform-channel-handle=1948 --field-trial-handle=1752,i,10533387683047674661,16542106289980005192,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:1180
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:1312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:4584
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:3712
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:1548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:2348
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵PID:2768
-
-
C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe"C:\Users\Admin\AppData\Local\Temp\Sky Beta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2392 --field-trial-handle=1752,i,10533387683047674661,16542106289980005192,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464
-
-
C:\Windows\system32\tasklist.exetasklist1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
C:\Windows\system32\tasklist.exetasklist1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
C:\Windows\system32\tasklist.exetasklist1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
C:\Windows\system32\tasklist.exetasklist1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4256
-
C:\Windows\system32\tasklist.exetasklist1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
C:\Windows\system32\tasklist.exetasklist1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
C:\Windows\system32\tasklist.exetasklist1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3776
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25KB
MD561e63e27e085d7e731868df5794b637d
SHA1cdfe839f5a31d08f52b200fe3683e8244dd7872c
SHA25603a68ae45d2c3f0a4a0247bd0a433e9e10c3ff50d76e128b0883cfeeea2857e5
SHA51241818e5dde932a6242528758315578dc3b7bcae9238a8f945bcbea4c3a810084b4fac09d2dd795953e78d5e42361fd65dfe2df464aa7459bc33d170648bc9a5d
-
Filesize
87KB
MD53231ba35236f9ed5d1d4287ce2475ab7
SHA1193dedb2b49a235577d6a87cb3318169b0d0566d
SHA256e816f72ec64837aa4c9c95dbb8efaff9cb7f75ff0952e7eeb93b267d2cf56b34
SHA5128ede1ea63165a4e56bcc46d00925e921971fc655413dceb1952e6bb7f06889a0307e3a26f127ced9b243983d85a04942b52b5dad456c2ddae5ce6453e4de16c1