Analysis
  max time kernel: 139s
  max time network: 144s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25-08-2024 14:05
Behavioral task
  behavioral1
    Sample: SeroXen.exe
    Resource: win10v2004-20240802-en
General
  Target: SeroXen.exe
  Size: 5.5MB
  MD5: e3ea239194c4518d7fc8fb69334168ac
  SHA1: 473f96fa10a95f63463d38a62a0ae8248702fddf
  SHA256: 1d9af7c6da48e00d634679c064d4ec726c1feb303b2032bd2034c0e5a4626a86
  SHA512: 7a7a8d5a02b33ab1b20efb0fba4a9d67ff433684badc4a045ac55a76a11aeac958e70c69b0bf919985fd3729be1e5e568b80b497c6c0b961d7f183f1f6cef1a9
  SSDEEP: 98304:PJMhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:eg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoC]
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | SeroXen.exe
Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SeroXen.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SeroXen.exe
Checks computer location settings [2 TTPs, 1 IoC]
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | SeroXen.exe
Loads dropped DLL [1 IoC]
  Processes:
    pid | process
    1700 | SeroXen.exe
Obfuscated with Agile.Net obfuscator [1 IoC]
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
    resource | yara_rule
    behavioral1/memory/1700-1-0x00000246304D0000-0x0000024630A52000-memory.dmp | agile_net
YARA rule matches: themida [7 IoCs]
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\49979061-04bb-41a9-8625-de2d15652f02\AgileDotNetRT64.dll | themida
    behavioral1/memory/1700-8-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp | themida
    behavioral1/memory/1700-13-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp | themida
    behavioral1/memory/1700-17-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp | themida
    behavioral1/memory/1700-21-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp | themida
    behavioral1/memory/1700-24-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp | themida
    behavioral1/memory/1700-31-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp | themida
Checks whether UAC is enabled [1 IoC]
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SeroXen.exe
Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  Processes:
    pid | process
    1700 | SeroXen.exe
Enumerates physical storage devices [1 TTP]
  Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery [1 TTP, 2 IoCs]
  Adversaries may check for Internet connectivity on compromised systems.
  Processes:
    pid | process
    1576 | cmd.exe
    4440 | PING.EXE
Kills process with taskkill [3 IoCs]
  Processes:
    pid | process
    1988 | taskkill.exe
    4348 | taskkill.exe
    3912 | taskkill.exe
Runs ping.exe [1 TTP, 1 IoC]
Suspicious use of AdjustPrivilegeToken [3 IoCs]
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1988 | taskkill.exe
    Token: SeDebugPrivilege | 4348 | taskkill.exe
    Token: SeDebugPrivilege | 3912 | taskkill.exe
Suspicious use of WriteProcessMemory [10 IoCs]
  Processes:
    description | pid | process | target process
    PID 1700 wrote to memory of 1576 | 1700 | SeroXen.exe | cmd.exe
    PID 1700 wrote to memory of 1576 | 1700 | SeroXen.exe | cmd.exe
    PID 1576 wrote to memory of 4440 | 1576 | cmd.exe | PING.EXE
    PID 1576 wrote to memory of 4440 | 1576 | cmd.exe | PING.EXE
    PID 1576 wrote to memory of 1988 | 1576 | cmd.exe | taskkill.exe
    PID 1576 wrote to memory of 1988 | 1576 | cmd.exe | taskkill.exe
    PID 1576 wrote to memory of 4348 | 1576 | cmd.exe | taskkill.exe
    PID 1576 wrote to memory of 4348 | 1576 | cmd.exe | taskkill.exe
    PID 1576 wrote to memory of 3912 | 1576 | cmd.exe | taskkill.exe
    PID 1576 wrote to memory of 3912 | 1576 | cmd.exe | taskkill.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\SeroXen.exe (depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID: 1700
    C:\Windows\System32\cmd.exe (depth 2)
      Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 4 > nul & taskill /F /IM "SeroXen.exe" & taskill /F /IM "SeroXen HWID Reset.exe" & taskill /F /IM "SeroXen Toolkit.exe" & rmdir /s /q %userprofile%\AppData\Local\SeroXen & rmdir /s /q %userprofile%\AppData\Local\SeroXen & del /f %userprofile%\Desktop\SeroXen.lnk & taskkill /F /IM "SeroXen.exe" & taskkill /F /IM "SeroXen HWID Reset.exe" & taskkill /F /IM "SeroXen Toolkit.exe" & rmdir /s /q "C:\Users\Admin\AppData\Local\Temp" & rmdir /s /q "C:\Users\Admin\AppData\Local\Temp" & exit
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1576
      C:\Windows\system32\PING.EXE (depth 3)
        Command line: ping 127.0.0.1 -n 4
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 4440
      C:\Windows\system32\taskkill.exe (depth 3)
        Command line: taskkill /F /IM "SeroXen.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1988
      C:\Windows\system32\taskkill.exe (depth 3)
        Command line: taskkill /F /IM "SeroXen HWID Reset.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 4348
      C:\Windows\system32\taskkill.exe (depth 3)
        Command line: taskkill /F /IM "SeroXen Toolkit.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 3912
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 3.0MB
  MD5: e3bd88b3c3e9b33dfa72c814f8826cff
  SHA1: 6d220c9eb7ee695f2b9dec261941bed59cac15e4
  SHA256: 28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
  SHA512: fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9