546496eab1ffb0b28bd052c681d7a4b161b518bccead48c2427e88ac4efff451

General

Target

Vega X.exe
Size

703.0MB
MD5

69694c57644b680fca5953ff14ce50f8
SHA1

d3c1c6c0db6661df76bc47808a19c9895385e746
SHA256

c0c67545f4ae6636718bfbda89550c7ee89041e473baa6936e64629564720c00
SHA512

01a7d4ad8aae5803c160a9ac22cb155e03d2e85eeefe663b5ef4e01b53653ac5bbb65e9cb2ac85c59cc1da1ce055ded7b3f35dafb68a419acdd7eca6ce7ad68c
SSDEEP

49152:IZ+3yoz51fQ1IbhmmyY8a3sLFA8pQb2ik12:IS1umoLO8pY

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2100	wmic.exe
Token: SeSecurityPrivilege	2100	wmic.exe
Token: SeTakeOwnershipPrivilege	2100	wmic.exe
Token: SeLoadDriverPrivilege	2100	wmic.exe
Token: SeSystemProfilePrivilege	2100	wmic.exe
Token: SeSystemtimePrivilege	2100	wmic.exe
Token: SeProfSingleProcessPrivilege	2100	wmic.exe
Token: SeIncBasePriorityPrivilege	2100	wmic.exe
Token: SeCreatePagefilePrivilege	2100	wmic.exe
Token: SeBackupPrivilege	2100	wmic.exe
Token: SeRestorePrivilege	2100	wmic.exe
Token: SeShutdownPrivilege	2100	wmic.exe
Token: SeDebugPrivilege	2100	wmic.exe
Token: SeSystemEnvironmentPrivilege	2100	wmic.exe
Token: SeRemoteShutdownPrivilege	2100	wmic.exe
Token: SeUndockPrivilege	2100	wmic.exe
Token: SeManageVolumePrivilege	2100	wmic.exe
Token: 33	2100	wmic.exe
Token: 34	2100	wmic.exe
Token: 35	2100	wmic.exe
Token: 36	2100	wmic.exe
Token: SeIncreaseQuotaPrivilege	2100	wmic.exe
Token: SeSecurityPrivilege	2100	wmic.exe
Token: SeTakeOwnershipPrivilege	2100	wmic.exe
Token: SeLoadDriverPrivilege	2100	wmic.exe
Token: SeSystemProfilePrivilege	2100	wmic.exe
Token: SeSystemtimePrivilege	2100	wmic.exe
Token: SeProfSingleProcessPrivilege	2100	wmic.exe
Token: SeIncBasePriorityPrivilege	2100	wmic.exe
Token: SeCreatePagefilePrivilege	2100	wmic.exe
Token: SeBackupPrivilege	2100	wmic.exe
Token: SeRestorePrivilege	2100	wmic.exe
Token: SeShutdownPrivilege	2100	wmic.exe
Token: SeDebugPrivilege	2100	wmic.exe
Token: SeSystemEnvironmentPrivilege	2100	wmic.exe
Token: SeRemoteShutdownPrivilege	2100	wmic.exe
Token: SeUndockPrivilege	2100	wmic.exe
Token: SeManageVolumePrivilege	2100	wmic.exe
Token: 33	2100	wmic.exe
Token: 34	2100	wmic.exe
Token: 35	2100	wmic.exe
Token: 36	2100	wmic.exe
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe
Token: SeSecurityPrivilege	2588	WMIC.exe
Token: SeTakeOwnershipPrivilege	2588	WMIC.exe
Token: SeLoadDriverPrivilege	2588	WMIC.exe
Token: SeSystemProfilePrivilege	2588	WMIC.exe
Token: SeSystemtimePrivilege	2588	WMIC.exe
Token: SeProfSingleProcessPrivilege	2588	WMIC.exe
Token: SeIncBasePriorityPrivilege	2588	WMIC.exe
Token: SeCreatePagefilePrivilege	2588	WMIC.exe
Token: SeBackupPrivilege	2588	WMIC.exe
Token: SeRestorePrivilege	2588	WMIC.exe
Token: SeShutdownPrivilege	2588	WMIC.exe
Token: SeDebugPrivilege	2588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2588	WMIC.exe
Token: SeRemoteShutdownPrivilege	2588	WMIC.exe
Token: SeUndockPrivilege	2588	WMIC.exe
Token: SeManageVolumePrivilege	2588	WMIC.exe
Token: 33	2588	WMIC.exe
Token: 34	2588	WMIC.exe
Token: 35	2588	WMIC.exe
Token: 36	2588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Vega X.execmd.execmd.exe

description	pid	process	target process
PID 4924 wrote to memory of 2100	4924	Vega X.exe	wmic.exe
PID 4924 wrote to memory of 2100	4924	Vega X.exe	wmic.exe
PID 4924 wrote to memory of 2788	4924	Vega X.exe	cmd.exe
PID 4924 wrote to memory of 2788	4924	Vega X.exe	cmd.exe
PID 2788 wrote to memory of 2588	2788	cmd.exe	WMIC.exe
PID 2788 wrote to memory of 2588	2788	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 4256	4924	Vega X.exe	cmd.exe
PID 4924 wrote to memory of 4256	4924	Vega X.exe	cmd.exe
PID 4256 wrote to memory of 3724	4256	cmd.exe	WMIC.exe
PID 4256 wrote to memory of 3724	4256	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\Vega X.exe
"C:\Users\Admin\AppData\Local\Temp\Vega X.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:3724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
18da5c19d469f921ff9d44f1f17de97b

SHA1
bef606053494e1f516431d40f2aca29cf1deeb20

SHA256
662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0

SHA512
9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
46988a922937a39036d6b71e62d0f966

SHA1
4a997f2a0360274ec7990aac156870a5a7030665

SHA256
5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6

SHA512
dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Download Submit

Analysis

Sharing