Overview

overview

10

Static

static

1

Scorpix-Ex...1).zip

windows11-21h2-x64

1

Executor/README.txt

windows11-21h2-x64

Executor/S.../AI.py

windows11-21h2-x64

Executor/S...FO.txt

windows11-21h2-x64

3

Executor/S...or.bat

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Scorpix-ExecutorV3 (1).zip

  • Size

    3KB

  • Sample

    240726-qh36bszdqp

  • MD5

    5f679006ecf3d56366f564a9e2d363e0

  • SHA1

    42ab09ffe00f347fc4a55f1c3c64b6b4c6d65e3e

  • SHA256

    ef81ac0d15b52e782d94a291b6b6541c64d5d09dad0be86cee462d8608527767

  • SHA512

    0f687a89c496bb2ad4fdc756753addb9d61784cad026edc749bf50db735f6c9fb3c8c5d118b1cdfb9786f64c1640646c67b8abb7ae3a34e00db4ea52293ad509

Score
10/10
collectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationransomwarespywarestealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/booyaskas/Scorpoxe/releases/download/vypix/Scorpix.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/vlyian/scorpix/releases/download/vypix/Scorpix-ExecutorV3.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/vlyian/scorpixe/releases/download/vypix/ScorpixDLL.exe

Targets

    • Target

      Scorpix-ExecutorV3 (1).zip

    • Size

      3KB

    • MD5

      5f679006ecf3d56366f564a9e2d363e0

    • SHA1

      42ab09ffe00f347fc4a55f1c3c64b6b4c6d65e3e

    • SHA256

      ef81ac0d15b52e782d94a291b6b6541c64d5d09dad0be86cee462d8608527767

    • SHA512

      0f687a89c496bb2ad4fdc756753addb9d61784cad026edc749bf50db735f6c9fb3c8c5d118b1cdfb9786f64c1640646c67b8abb7ae3a34e00db4ea52293ad509

    Score
    1/10
    behavioral1

    • Target

      Executor/README.txt

    • Size

      649B

    • MD5

      f934b73123b18b2aa05abffa15f3627f

    • SHA1

      5d3e072bfa2fc2384ec015897d7e2b362179241d

    • SHA256

      6119918c0a31c0f8cdd51c3f4a98f713e0e5c215bbf2658ab0d42d84f94cddf6

    • SHA512

      b5a75b7ea2f65a96e0404e8b1f6da22181cf367deed2b0bab6e3ac77d53cd39ba27b1fed7596dfe781c9ab8bd1c5f6216aaebb54e9fef0234b71dcd019b16f4b

    Score
    10/10
    discoveryevasionpersistenceransomwaretrojan

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral2

    • Target

      Executor/Scorpix AI/Scorpix AI/AI.py

    • Size

      1KB

    • MD5

      a59bd19c247fad2e81999cccda24a143

    • SHA1

      c1be586bfe4024759fa7a63b6ffe3f6792ed3aa1

    • SHA256

      ab74799d9a03db16167adf36414f8a83bc66e8ce24221c050500167bf360a9fa

    • SHA512

      059e674423a61ef622273a354f72ffafb989944f8ca667c430b49f8f5a5f410ec5873936531ba64eeb0649b2d41a7229e6020adcbf7d90ee72bcafc1c7b8ab9e

    Score
    10/10
    collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral3

    • Target

      Executor/Scripts/INFO.txt

    • Size

      56B

    • MD5

      25c6b9a9edad8363d48ecf95396e4c51

    • SHA1

      5cc1ca69e0925f9947138e895ba6ef8ed789f2e0

    • SHA256

      ed40a6a566c27f9808c02cf5e8f71013e247b14a4bfd5ddacd417b44ca577ac5

    • SHA512

      41e1da80115a977058c839c4cd0eb32ba4febe125c10ba80c5f484aa8bd02eae6d7705516c6eceff7e0f9b26c0b56f8b3839a0e6119c5b0cb88db97c9009b066

    Score
    3/10
    behavioral4

    • Target

      Executor/Start Executor.bat

    • Size

      551B

    • MD5

      fe821790779e191b514f7d90b381d191

    • SHA1

      03be2cfc52ec390a30209c33f7ea3a42589a0785

    • SHA256

      6afbbef338a695004853bb806f146efdd2d216a1fa58cb34fd10509495b4415b

    • SHA512

      425cdb0bd257a71a952293c77984635484dd30a6fc8c9f287100a99016ffc51a884442595eb6eed102fcbceebb6b01f609ba45f5fb2535a3156a8eef04ab50aa

    Score
    10/10
    execution

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution
    behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

3
T1012

Remote System Discovery

1
T1018

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Tasks