Overview (score 9)

Static (score 3)

Tasks (sample, platform, score):

Sample                    Platform             Score
VegaX.exe                 windows7-x64         7
VegaX.exe                 windows10-2004-x64   9
$PLUGINSDI...ls.dll       windows7-x64         3
$PLUGINSDI...ls.dll       windows10-2004-x64   3
$PLUGINSDI...em.dll       windows7-x64         3
$PLUGINSDI...em.dll       windows10-2004-x64   3
LICENSES.c...m.html       windows7-x64         3
LICENSES.c...m.html       windows10-2004-x64   3
System.exe                windows7-x64         7
System.exe                windows10-2004-x64   9
d3dcompiler_47.dll        windows10-2004-x64   1
ffmpeg.dll                windows7-x64         1
ffmpeg.dll                windows10-2004-x64   1
libEGL.dll                windows7-x64         1
libEGL.dll                windows10-2004-x64   1
libGLESv2.dll             windows7-x64         1
libGLESv2.dll             windows10-2004-x64   1
resources/...05.dll       windows7-x64         1
resources/...05.dll       windows10-2004-x64   1
resources/...am.exe       windows7-x64         1
resources/...am.exe       windows10-2004-x64   1
resources/...ot.exe       windows7-x64         3
resources/...ot.exe       windows10-2004-x64   3
resources/elevate.exe     windows7-x64         3
resources/elevate.exe     windows10-2004-x64   3
swiftshade...GL.dll       windows7-x64         1
swiftshade...GL.dll       windows10-2004-x64   1
swiftshade...v2.dll       windows7-x64         1
swiftshade...v2.dll       windows10-2004-x64   1
vk_swiftshader.dll        windows7-x64         1
vk_swiftshader.dll        windows10-2004-x64   1
vulkan-1.dll              windows7-x64         1

Analysis

max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2024 06:58
Static task: static1

Behavioral tasks (task, sample, resource):

behavioral1    VegaX.exe                                                                  win7-20240903-en
behavioral2    VegaX.exe                                                                  win10v2004-20240802-en
behavioral3    $PLUGINSDIR/StdUtils.dll                                                   win7-20240903-en
behavioral4    $PLUGINSDIR/StdUtils.dll                                                   win10v2004-20240910-en
behavioral5    $PLUGINSDIR/System.dll                                                     win7-20240903-en
behavioral6    $PLUGINSDIR/System.dll                                                     win10v2004-20240802-en
behavioral7    LICENSES.chromium.html                                                     win7-20240903-en
behavioral8    LICENSES.chromium.html                                                     win10v2004-20240802-en
behavioral9    System.exe                                                                 win7-20240903-en
behavioral10   System.exe                                                                 win10v2004-20240802-en
behavioral11   d3dcompiler_47.dll                                                         win10v2004-20240802-en
behavioral12   ffmpeg.dll                                                                 win7-20240708-en
behavioral13   ffmpeg.dll                                                                 win10v2004-20240802-en
behavioral14   libEGL.dll                                                                 win7-20240903-en
behavioral15   libEGL.dll                                                                 win10v2004-20240802-en
behavioral16   libGLESv2.dll                                                              win7-20240708-en
behavioral17   libGLESv2.dll                                                              win10v2004-20240802-en
behavioral18   resources/app.asar.unpacked/node_modules/take-cam/DirectShowLib-2005.dll   win7-20240708-en
behavioral19   resources/app.asar.unpacked/node_modules/take-cam/DirectShowLib-2005.dll   win10v2004-20240802-en
behavioral20   resources/app.asar.unpacked/node_modules/take-cam/prey-webcam.exe          win7-20240903-en
behavioral21   resources/app.asar.unpacked/node_modules/take-cam/prey-webcam.exe          win10v2004-20240802-en
behavioral22   resources/app.asar.unpacked/node_modules/take-cam/snapshot.exe             win7-20240903-en
behavioral23   resources/app.asar.unpacked/node_modules/take-cam/snapshot.exe             win10v2004-20240802-en
behavioral24   resources/elevate.exe                                                      win7-20240903-en
behavioral25   resources/elevate.exe                                                      win10v2004-20240802-en
behavioral26   swiftshader/libEGL.dll                                                     win7-20240903-en
behavioral27   swiftshader/libEGL.dll                                                     win10v2004-20240802-en
behavioral28   swiftshader/libGLESv2.dll                                                  win7-20240903-en
behavioral29   swiftshader/libGLESv2.dll                                                  win10v2004-20240802-en
behavioral30   vk_swiftshader.dll                                                         win7-20240903-en
behavioral31   vk_swiftshader.dll                                                         win10v2004-20240802-en
behavioral32   vulkan-1.dll                                                               win7-20240903-en
General

Target: System.exe
Size: 139.6MB
MD5: a1bd7f9fcdb0b75d30fa9f0caac5d2a7
SHA1: 5602eb1782cb0de1aba91d3c06589be195c5dee8
SHA256: 7c878c82ccd577f3dad67fb1fe5e0b681f27ba9a741c79bfd9bbfa032dccde65
SHA512: 1befc5c99e4832dd5d53759c4ff6e24d9a6059e494573f84d3395c1473690d29ec1534f9fcce20ab54f811a69d4c443f862dc7ddb908c99037637105b58bf85e
SSDEEP: 786432:d14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:d14kpHwQjCWv+K18CedmVvEQEpcJW
Malware Config

Signatures

Loads dropped DLL (2 IoCs)
  pid   Process
  1716  System.exe
  1716  System.exe

Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  6     ipinfo.io
  3     ipinfo.io
  5     ipinfo.io

Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid   Process
  2808  tasklist.exe
  2892  tasklist.exe

Collects information from the system (1 TTPs, 1 IoCs)
  Uses WMIC.exe to find detailed system information.
  pid   Process
  1720  WMIC.exe

Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine videocard installed.
  pid   Process
  1916  WMIC.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  1716  System.exe
  1716  System.exe
  1760  System.exe
  1164  powershell.exe
  1716  System.exe
  1716  System.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description (Token), pid, Process; entries grouped by process in the order recorded:
  2808  tasklist.exe  Token: SeDebugPrivilege
  824   WMIC.exe      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this sequence of 20 tokens is recorded twice)
  2892  tasklist.exe  Token: SeDebugPrivilege
  1716  System.exe    Token: SeShutdownPrivilege (recorded twice)
  2748  WMIC.exe      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

Suspicious use of WriteProcessMemory (64 IoCs)
  description (source PID wrote to memory of target PID), Process, procid_target; repeated entries collapsed with their counts:
  PID 1716 wrote to memory of 2796   System.exe   procid_target 28   x3
  PID 2796 wrote to memory of 2808   cmd.exe      procid_target 30   x3
  PID 1716 wrote to memory of 2824   System.exe   procid_target 31   x41
  PID 1716 wrote to memory of 604    System.exe   procid_target 33   x3
  PID 604 wrote to memory of 824     cmd.exe      procid_target 35   x3
  PID 1716 wrote to memory of 1864   System.exe   procid_target 36   x3
  PID 1716 wrote to memory of 2844   System.exe   procid_target 37   x3
  PID 1864 wrote to memory of 2892   cmd.exe      procid_target 40   x3
  PID 2844 wrote to memory of 2900   cmd.exe      procid_target 41   x2
Processes (process tree; indentation shows parent/child depth, signatures listed under each process)

C:\Users\Admin\AppData\Local\Temp\System.exe  PID:1716
  command line: "C:\Users\Admin\AppData\Local\Temp\System.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  PID:2796
    command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\tasklist.exe  PID:2808
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\System.exe  PID:2824
    command line: "C:\Users\Admin\AppData\Local\Temp\System.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=988 --field-trial-handle=1156,7934876477860234694,1365077378137308632,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

  C:\Windows\system32\cmd.exe  PID:604
    command line: C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  PID:824
      command line: wmic process where processid=NaN get ExecutablePath
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  PID:1864
    command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\tasklist.exe  PID:2892
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  PID:2844
    command line: C:\Windows\system32\cmd.exe /d /s /c "net session"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe  PID:2900
      command line: net session

      C:\Windows\system32\net1.exe  PID:3036
        command line: C:\Windows\system32\net1 session

  C:\Windows\system32\cmd.exe  PID:2560
    command line: C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"

    C:\Windows\System32\Wbem\WMIC.exe  PID:1720
      command line: wmic logicaldisk get size
      - Collects information from the system

  C:\Windows\system32\cmd.exe  PID:1796
    command line: C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"

    C:\Windows\System32\Wbem\WMIC.exe  PID:1976
      command line: wmic computersystem get totalphysicalmemory

    C:\Windows\system32\more.com  PID:1736
      command line: more +1

  C:\Windows\system32\cmd.exe  PID:2084
    command line: C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

    C:\Windows\System32\Wbem\WMIC.exe  PID:1756
      command line: wmic csproduct get uuid

  C:\Windows\system32\cmd.exe  PID:1752
    command line: C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"

  C:\Windows\system32\cmd.exe  PID:1808
    command line: C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"

    C:\Windows\System32\Wbem\WMIC.exe  PID:2748
      command line: wmic OS get caption, osarchitecture
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\more.com  PID:2588
      command line: more +1

  C:\Windows\system32\cmd.exe  PID:2088
    command line: C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"

    C:\Windows\System32\Wbem\WMIC.exe  PID:1036
      command line: wmic cpu get name

    C:\Windows\system32\more.com  PID:2196
      command line: more +1

  C:\Users\Admin\AppData\Local\Temp\System.exe  PID:1760
    command line: "C:\Users\Admin\AppData\Local\Temp\System.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1612 --field-trial-handle=1156,7934876477860234694,1365077378137308632,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\System.exe  PID:1696
    command line: "C:\Users\Admin\AppData\Local\Temp\System.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1616 --field-trial-handle=1156,7934876477860234694,1365077378137308632,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

  C:\Windows\system32\cmd.exe  PID:1560
    command line: C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"

    C:\Windows\System32\Wbem\WMIC.exe  PID:1916
      command line: wmic PATH Win32_VideoController get name
      - Detects videocard installed

    C:\Windows\system32\more.com  PID:928
      command line: more +1

  C:\Windows\system32\cmd.exe  PID:400
    command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:1164
      command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
643KB
MD5d549d81caf247e8779887b59b5605d67
SHA1a6b04e526da738b6501a6b570cef2146ea516ae6
SHA25667e5b369c0dcafe09077eabc98662d37218b1b081373a6b18ab980b8e3c84bef
SHA512eb3f831a594b9290075be6b5b338a4b13c596c174b8c97b466d3b1eff00386ffdee9e0598a4fa45c3a3de6028bfafa462e8b87e458f79b67646d3f02705438a6
-
Filesize
1.8MB
MD53072b68e3c226aff39e6782d025f25a8
SHA1cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA2567fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA51261ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61