Overview

Task                 Score  Platform
Static               10     static
FastColore...ox.dll  10     windows10-2004-x64
GameDev.dll          1      windows10-2004-x64
OpenSource.dll       1      windows10-2004-x64
ReadME.dll           1      windows10-2004-x64
Setup.dll            1      windows10-2004-x64
Textures.dll         1      windows10-2004-x64
Themes.dll           1      windows10-2004-x64
Update.dll           1      windows10-2004-x64
Vega X.exe           1      windows10-2004-x64
exploit-main.dll     7      windows10-2004-x64
Analysis

Max time kernel:   81s
Max time network:  89s
Platform:          windows10-2004_x64
Resource:          win10v2004-20230221-en
Resource tags:     arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
Submitted:         22-02-2023 22:02
Behavioral tasks

Task          Sample                  Resource
behavioral1   FastColoredTextBox.dll  win10v2004-20230220-en
behavioral2   GameDev.dll             win10v2004-20230220-en
behavioral3   OpenSource.dll          win10v2004-20230220-en
behavioral4   ReadME.dll              win10v2004-20230221-en
behavioral5   Setup.dll               win10v2004-20230220-en
behavioral6   Textures.dll            win10v2004-20230220-en
behavioral7   Themes.dll              win10v2004-20230220-en
behavioral8   Update.dll              win10v2004-20230220-en
behavioral9   Vega X.exe              win10v2004-20230221-en
behavioral10  exploit-main.dll        win10v2004-20230220-en
General

Target:  Vega X.exe
Size:    703.0MB
MD5:     69694c57644b680fca5953ff14ce50f8
SHA1:    d3c1c6c0db6661df76bc47808a19c9895385e746
SHA256:  c0c67545f4ae6636718bfbda89550c7ee89041e473baa6936e64629564720c00
SHA512:  01a7d4ad8aae5803c160a9ac22cb155e03d2e85eeefe663b5ef4e01b53653ac5bbb65e9cb2ac85c59cc1da1ce055ded7b3f35dafb68a419acdd7eca6ce7ad68c
SSDEEP:  49152:IZ+3yoz51fQ1IbhmmyY8a3sLFA8pQb2ik12:IS1umoLO8pY

Note on size: 703 MB is far larger than a loader of this kind needs to be. Inflating a PE with padding is a common way to stay above the upload limits of AV engines and sandboxes, so check whether the bulk is a padded overlay (compare the file size with the end of the last section) before treating it as real content; an inflated sample also changes hash and SSDEEP values without changing the code that runs.
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe
  PID 2100 wmic.exe enabled, twice over, the full set: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35, 36.
  PID 2588 WMIC.exe enabled the same set once, followed by a second SeIncreaseQuotaPrivilege, at which point the list is cut off at 64 entries.
  Caveat: wmic.exe enables every privilege present in its token when it starts, so this signature fires for any wmic.exe launch, benign or not. The finding of interest is that an executable in the user's Temp directory launched wmic.exe three times (see Processes), not the privilege adjustment itself. The bare LUIDs 33-36 are the standard Windows values for SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.
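The flattened "Token: <privilege> <pid> <image>" list above is awkward to read at 64 entries. The following script is an added example (not part of the sandbox report or its tooling) that parses that exact format, groups the calls per process, maps the bare LUIDs to privilege names using the standard Windows values, and separates the expected wmic.exe enable-everything pattern from the same behaviour in an unknown image. SAMPLE_IOCS is a constructed excerpt in the report's format; the dropper.exe entry is invented to show the "review" path.

```python
import re
from collections import defaultdict

# Numeric privilege LUIDs that the report prints bare. These are the standard
# Windows values; the mapping is supplied by this example, not by the report.
LUID_NAMES = {
    33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

# Privileges that matter when enabled by a child of an untrusted binary.
HIGH_VALUE = {
    "SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTcbPrivilege",
}

# One IoC in the report looks like: "Token: SeDebugPrivilege 2100 wmic.exe"
TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+\.exe)", re.IGNORECASE)


def parse_token_iocs(text):
    """Group the flattened IoC list by (pid, image), keeping call order."""
    per_proc = defaultdict(list)
    for priv, pid, image in TOKEN_RE.findall(text):
        name = LUID_NAMES.get(int(priv), priv) if priv.isdigit() else priv
        per_proc[(int(pid), image)].append(name)
    return dict(per_proc)


def summarise(per_proc):
    """Per process: distinct privileges, raw call count, high-value hits, verdict.

    wmic.exe enables every privilege its token holds on startup, so a long
    enable-list from an image named wmic.exe is expected; the same list from
    an unknown image is worth a closer look.
    """
    report = {}
    for (pid, image), privs in per_proc.items():
        expected = image.lower() == "wmic.exe"
        report[(pid, image)] = {
            "distinct": sorted(set(privs)),
            "calls": len(privs),
            "high_value": sorted(set(privs) & HIGH_VALUE),
            "verdict": "expected for wmic.exe" if expected else "review",
        }
    return report


# Constructed excerpt in the report's format (subset of the real list plus
# one invented non-wmic process to exercise the "review" branch).
SAMPLE_IOCS = (
    "Token: SeIncreaseQuotaPrivilege 2100 wmic.exe Token: SeDebugPrivilege 2100 wmic.exe "
    "Token: 33 2100 wmic.exe Token: SeIncreaseQuotaPrivilege 2100 wmic.exe "
    "Token: SeDebugPrivilege 2588 WMIC.exe Token: 36 2588 WMIC.exe "
    "Token: SeDebugPrivilege 5555 dropper.exe -"
)

if __name__ == "__main__":
    for key, info in summarise(parse_token_iocs(SAMPLE_IOCS)).items():
        print(key, info)
```

Paste the whole "Processes:" line from the report into parse_token_iocs to get the per-PID view; the verdict is only a triage hint, and a privilege enabled by wmic.exe is still inherited by nothing, since wmic.exe spawns no children here.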
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: Vega X.exe, cmd.exe, cmd.exe
  PID 4924 Vega X.exe -> PID 2100 wmic.exe   (2 writes)
  PID 4924 Vega X.exe -> PID 2788 cmd.exe    (2 writes)
  PID 2788 cmd.exe    -> PID 2588 WMIC.exe   (2 writes)
  PID 4924 Vega X.exe -> PID 4256 cmd.exe    (2 writes)
  PID 4256 cmd.exe    -> PID 3724 WMIC.exe   (2 writes)
  Caveat: every write is from a parent into a child it has just spawned, and the pairs match the process tree one for one. Nothing writes into a pre-existing or unrelated process, so this is not by itself evidence of injection; it is the writes that accompany process creation.
Processes

C:\Users\Admin\AppData\Local\Temp\Vega X.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Vega X.exe"
    PID: 4924   Suspicious use of WriteProcessMemory
  └ C:\Windows\System32\Wbem\wmic.exe
        cmdline: wmic os get Caption
        PID: 2100   Suspicious use of AdjustPrivilegeToken
  └ C:\Windows\system32\cmd.exe
        cmdline: cmd /C "wmic path win32_VideoController get name"
        PID: 2788   Suspicious use of WriteProcessMemory
      └ C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic path win32_VideoController get name
            PID: 2588   Suspicious use of AdjustPrivilegeToken
  └ C:\Windows\system32\cmd.exe
        cmdline: cmd /C "wmic cpu get name"
        PID: 4256   Suspicious use of WriteProcessMemory
      └ C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic cpu get name
            PID: 3724

The three WMI queries (OS caption, video controller name, CPU name) are host fingerprinting: GPU and CPU names are the fields that VM-detection checks most often compare against known hypervisor strings, and the OS caption is routine system-information discovery. No network activity or persistence is recorded for any of these children; the parent in the user's Temp directory is the only process doing anything beyond the queries shown.
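A detection for the pattern in this tree, written as an added example rather than anything from the sandbox: process-creation events are walked back through their parent PIDs, and a wmic.exe discovery query is flagged only when some ancestor executes from a user-writable location. EVENTS is constructed from the tree above (the parent PID 1000 for Vega X.exe is a placeholder, and the two 7xxx events are an invented benign control: the same GPU query from an administrator's shell, which the rule must not flag). The query labels and the path regex are this example's own choices.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Process-creation events reconstructed from the report's tree. PID 1000 is a
# placeholder parent; the 7xxx events are an invented benign control.
EVENTS = [
    ProcEvent(4924, 1000, r"C:\Users\Admin\AppData\Local\Temp\Vega X.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Vega X.exe"'),
    ProcEvent(2100, 4924, r"C:\Windows\System32\Wbem\wmic.exe", "wmic os get Caption"),
    ProcEvent(2788, 4924, r"C:\Windows\system32\cmd.exe",
              'cmd /C "wmic path win32_VideoController get name"'),
    ProcEvent(2588, 2788, r"C:\Windows\System32\Wbem\WMIC.exe",
              "wmic path win32_VideoController get name"),
    ProcEvent(4256, 4924, r"C:\Windows\system32\cmd.exe", 'cmd /C "wmic cpu get name"'),
    ProcEvent(3724, 4256, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic cpu get name"),
    ProcEvent(7001, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(7002, 7001, r"C:\Windows\System32\Wbem\WMIC.exe",
              "wmic path win32_VideoController get name"),
]

# WMI queries used for host fingerprinting; GPU and CPU names are what
# VM-detection code commonly inspects. Labels are this example's own.
DISCOVERY = [
    (re.compile(r"\bos\s+get\b", re.I), "os-caption"),
    (re.compile(r"\bcpu\s+get\b", re.I), "cpu-name"),
    (re.compile(r"win32_videocontroller", re.I), "gpu-name"),
]
# Locations an unsigned download typically executes from (example heuristic).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Events from pid up to the root, following ppid links (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_wmic_discovery(events):
    """Flag wmic.exe discovery queries whose ancestry starts in a user-writable path."""
    findings = []
    for e in events:
        if basename(e.image) != "wmic.exe":
            continue
        labels = [label for rx, label in DISCOVERY if rx.search(e.cmdline)]
        if not labels:
            continue
        chain = ancestry(events, e.pid)
        origin = next((a for a in chain if USER_WRITABLE.search(a.image)), None)
        if origin is None:
            continue  # same query from an admin shell: not interesting on its own
        findings.append({
            "pid": e.pid,
            "query": labels[0],
            "origin_pid": origin.pid,
            "chain": [basename(a.image) for a in reversed(chain)],
        })
    return findings


def fingerprint_score(findings):
    """Distinct discovery queries per origin binary; several from one origin
    within a run is a fingerprinting burst rather than a one-off lookup."""
    per_origin = {}
    for f in findings:
        per_origin.setdefault(f["origin_pid"], set()).add(f["query"])
    return {pid: len(queries) for pid, queries in per_origin.items()}


if __name__ == "__main__":
    hits = find_wmic_discovery(EVENTS)
    for h in hits:
        print(h)
    print(fingerprint_score(hits))
```

The cmd.exe hop in the middle of two of the chains is why the rule walks the full ancestry instead of checking only the immediate parent; a rule keyed on "Vega X.exe spawned wmic.exe" would miss the two queries routed through cmd /C.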
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
  Filesize:  2KB
  MD5:       18da5c19d469f921ff9d44f1f17de97b
  SHA1:      bef606053494e1f516431d40f2aca29cf1deeb20
  SHA256:    662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0
  SHA512:    9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize:  71KB
  MD5:       46988a922937a39036d6b71e62d0f966
  SHA1:      4a997f2a0360274ec7990aac156870a5a7030665
  SHA256:    5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6
  SHA512:    dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d