73fec669d22c5c4ed518a11681e8b2af2038eca843ada4be221495d683f4fe48

General

Target

ScorpionTool.exe
Size

14.7MB
MD5

1fa5f0dad29dd8494a0f6ec19ae54135
SHA1

377c3eea9d87f447dc8087559952675d577b5212
SHA256

73fec669d22c5c4ed518a11681e8b2af2038eca843ada4be221495d683f4fe48
SHA512

0a7351d3cff651e4fd4e6cb7d49850c683a5801c7d2c950a35d20bbf69f0575f8f2fee4fab6c449c2c15eb1423c23355da1799c1ff6c74f1248d32180aff6943
SSDEEP

393216:Ytd45Gs7PJR6UfvxUS15iab4U4lMl4LvdPWYFbx/6IX:YtOwAR6UfvxUS1Ua8UmMlEWY33

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2612	Stepasha.exe
2712	MotherRussia.exe
2448	nologin.exe

Loads dropped DLL 10 IoCs

pid	Process
1196	ScorpionTool.exe
1196	ScorpionTool.exe
2752	Process not Found
2712	MotherRussia.exe
2448	nologin.exe
2316	WerFault.exe
2316	WerFault.exe
2316	WerFault.exe
2316	WerFault.exe
2316	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2316	2612	WerFault.exe	28

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2612	1196	ScorpionTool.exe	28
PID 1196 wrote to memory of 2612	1196	ScorpionTool.exe	28
PID 1196 wrote to memory of 2612	1196	ScorpionTool.exe	28
PID 1196 wrote to memory of 2612	1196	ScorpionTool.exe	28
PID 1196 wrote to memory of 2712	1196	ScorpionTool.exe	29
PID 1196 wrote to memory of 2712	1196	ScorpionTool.exe	29
PID 1196 wrote to memory of 2712	1196	ScorpionTool.exe	29
PID 1196 wrote to memory of 2712	1196	ScorpionTool.exe	29
PID 2712 wrote to memory of 2448	2712	MotherRussia.exe	31
PID 2712 wrote to memory of 2448	2712	MotherRussia.exe	31
PID 2712 wrote to memory of 2448	2712	MotherRussia.exe	31
PID 2612 wrote to memory of 2316	2612	Stepasha.exe	32
PID 2612 wrote to memory of 2316	2612	Stepasha.exe	32
PID 2612 wrote to memory of 2316	2612	Stepasha.exe	32
PID 2612 wrote to memory of 2316	2612	Stepasha.exe	32

C:\Users\Admin\AppData\Local\Temp\ScorpionTool.exe
"C:\Users\Admin\AppData\Local\Temp\ScorpionTool.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\Stepasha.exe
  "C:\Users\Admin\AppData\Local\Temp\Stepasha.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 596
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2316
- C:\Users\Admin\AppData\Local\Temp\MotherRussia.exe
  "C:\Users\Admin\AppData\Local\Temp\MotherRussia.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\onefile_2712_133601697004226000\nologin.exe
    "C:\Users\Admin\AppData\Local\Temp\MotherRussia.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2712_133601697004226000\nologin.exe

Filesize
14.8MB

MD5
b6d2fa2b76d484e765b1bac9127714c7

SHA1
7d6abdcea5f2374194eccf44baebcd80e42f1b71

SHA256
4792e0df1cdac95f4c993e638ed7482bc6dadf297bed7e17098a3e718a81d69a

SHA512
47b038d3befe96688edb05f6dbc9d3a0b6668d06ae6d986c8fb2b2231a32897c417e028bec278ab4848c0a10abb4515165d114147e30a08adfb72ea3744ef5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2712_133601697004226000\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
\Users\Admin\AppData\Local\Temp\MotherRussia.exe

Filesize
14.3MB

MD5
5cfa20567b15c18013730ba2cf151729

SHA1
74d0387974291d78eddc180a6c751085e88872b0

SHA256
ba61d72aa02d6c13103c50e79f99eae2075e8df959cce34077ea96e8d3a3a8fe

SHA512
360e6a2f66546b078edab3563943a5b723e7c23d68487404e450a3f374e85ae6bf89aae8d73464aeaecf1e01de9af6f3cee6b428c335deb231b1edf18f5a2038

Download Submit
\Users\Admin\AppData\Local\Temp\Stepasha.exe

Filesize
12KB

MD5
b7d6dbf3c258d3523d6404c93e7d1229

SHA1
1dfbaae3c73265f36ee88f8e2ba06f05a536c2b2

SHA256
07b49aea0cdf8dc748ea328ec5708ccc25b442a804c1ee0dd10d4ebc81713c15

SHA512
e590ac023f67e6ded5f3926913bb7d6276e23102497b2ae4b203110b10f7f3e81e3436b63ec52c5434ae99750127a3a4836f62bb0bd3b53e9566a9ff06ab7e4f

Download Submit
memory/1196-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/1196-1-0x0000000000D10000-0x0000000001BC0000-memory.dmp

Filesize
14.7MB

Download
memory/2612-10-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/2612-11-0x0000000000390000-0x00000000003AA000-memory.dmp

Filesize
104KB

Download
memory/2612-13-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/2612-14-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-94-0x0000000074AB0000-0x000000007519E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing