Overview

overview

9

Static

static

7

SeroXen.exe

windows7-x64

9

SeroXen.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-03-2023 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SeroXen.exe

  • Size

    5.5MB

  • MD5

    e3ea239194c4518d7fc8fb69334168ac

  • SHA1

    473f96fa10a95f63463d38a62a0ae8248702fddf

  • SHA256

    1d9af7c6da48e00d634679c064d4ec726c1feb303b2032bd2034c0e5a4626a86

  • SHA512

    7a7a8d5a02b33ab1b20efb0fba4a9d67ff433684badc4a045ac55a76a11aeac958e70c69b0bf919985fd3729be1e5e568b80b497c6c0b961d7f183f1f6cef1a9

  • SSDEEP

    98304:PJMhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:eg53HRVu7vHDpS1IqBRU7kCs2q

Score
9/10
agilenetevasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 3 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SeroXen.exe
    "C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:4792
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 4 > nul & taskill /F /IM "SeroXen.exe" & taskill /F /IM "SeroXen HWID Reset.exe" & taskill /F /IM "SeroXen Toolkit.exe" & rmdir /s /q %userprofile%\AppData\Local\SeroXen & rmdir /s /q %userprofile%\AppData\Local\SeroXen & del /f %userprofile%\Desktop\SeroXen.lnk & taskkill /F /IM "SeroXen.exe" & taskkill /F /IM "SeroXen HWID Reset.exe" & taskkill /F /IM "SeroXen Toolkit.exe" & rmdir /s /q "C:\Users\Admin\AppData\Local\Temp" & rmdir /s /q "C:\Users\Admin\AppData\Local\Temp" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 4
        3⤵
        • Runs ping.exe
        PID:484
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM "SeroXen.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1424
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM "SeroXen HWID Reset.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4136
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM "SeroXen Toolkit.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\49979061-04bb-41a9-8625-de2d15652f02\AgileDotNetRT64.dll
    Filesize

    3.0MB

    MD5

    e3bd88b3c3e9b33dfa72c814f8826cff

    SHA1

    6d220c9eb7ee695f2b9dec261941bed59cac15e4

    SHA256

    28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796

    SHA512

    fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\49979061-04bb-41a9-8625-de2d15652f02\AgileDotNetRT64.dll
    Filesize

    3.0MB

    MD5

    e3bd88b3c3e9b33dfa72c814f8826cff

    SHA1

    6d220c9eb7ee695f2b9dec261941bed59cac15e4

    SHA256

    28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796

    SHA512

    fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\499790~1\AGILED~1.DLL
    Filesize

    3.0MB

    MD5

    e3bd88b3c3e9b33dfa72c814f8826cff

    SHA1

    6d220c9eb7ee695f2b9dec261941bed59cac15e4

    SHA256

    28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796

    SHA512

    fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

    Download Submit
  • memory/4792-147-0x000001BB195E0000-0x000001BB195F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4792-150-0x000001BB195E0000-0x000001BB195F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4792-143-0x00007FFA7AFC0000-0x00007FFA7B10E000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/4792-142-0x00007FFA79AE0000-0x00007FFA7A33F000-memory.dmp
    Filesize

    8.4MB

    Download
  • memory/4792-144-0x000001BB195E0000-0x000001BB195F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4792-145-0x00007FFA79AE0000-0x00007FFA7A33F000-memory.dmp
    Filesize

    8.4MB

    Download
  • memory/4792-146-0x000001BB195E0000-0x000001BB195F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4792-133-0x000001BB7E860000-0x000001BB7EDE2000-memory.dmp
    Filesize

    5.5MB

    Download
  • memory/4792-149-0x00007FFA79AE0000-0x00007FFA7A33F000-memory.dmp
    Filesize

    8.4MB

    Download
  • memory/4792-141-0x000001BB195E0000-0x000001BB195F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4792-151-0x000001BB195E0000-0x000001BB195F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4792-152-0x00007FFA79AE0000-0x00007FFA7A33F000-memory.dmp
    Filesize

    8.4MB

    Download
  • memory/4792-153-0x000001BB1D980000-0x000001BB1DAEA000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/4792-154-0x000001BB195E0000-0x000001BB195F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4792-155-0x000001BB195E0000-0x000001BB195F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4792-160-0x00007FFA79AE0000-0x00007FFA7A33F000-memory.dmp
    Filesize

    8.4MB

    Download
  • memory/4792-167-0x00007FFA79AE0000-0x00007FFA7A33F000-memory.dmp
    Filesize

    8.4MB

    Download
  • memory/4792-168-0x000001BB1D980000-0x000001BB1DAEA000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/4792-140-0x00007FFA79AE0000-0x00007FFA7A33F000-memory.dmp
    Filesize

    8.4MB

    Download