Malware Analysis Report

2024-11-13 16:18

Sample ID 240825-rdvttsyajb
Target SeroXen.exe
SHA256 1d9af7c6da48e00d634679c064d4ec726c1feb303b2032bd2034c0e5a4626a86
Tags
agilenet discovery evasion themida trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

1d9af7c6da48e00d634679c064d4ec726c1feb303b2032bd2034c0e5a4626a86

Threat Level: Likely malicious

The file SeroXen.exe was found to be: Likely malicious.

Malicious Activity Summary

agilenet discovery evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks computer location settings

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 14:05

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 14:05

Reported

2024-08-25 14:07

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SeroXen.exe

"C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 4 > nul & taskill /F /IM "SeroXen.exe" & taskill /F /IM "SeroXen HWID Reset.exe" & taskill /F /IM "SeroXen Toolkit.exe" & rmdir /s /q %userprofile%\AppData\Local\SeroXen & rmdir /s /q %userprofile%\AppData\Local\SeroXen & del /f %userprofile%\Desktop\SeroXen.lnk & taskkill /F /IM "SeroXen.exe" & taskkill /F /IM "SeroXen HWID Reset.exe" & taskkill /F /IM "SeroXen Toolkit.exe" & rmdir /s /q "C:\Users\Admin\AppData\Local\Temp" & rmdir /s /q "C:\Users\Admin\AppData\Local\Temp" & exit

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 4

C:\Windows\system32\taskkill.exe

taskkill /F /IM "SeroXen.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM "SeroXen HWID Reset.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM "SeroXen Toolkit.exe"
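The cmd.exe chain above is a cleanup routine: a loopback ping as a delay, kills of the SeroXen images, removal of %userprofile%\AppData\Local\SeroXen and the desktop shortcut, and finally removal of the Temp directory that holds the sample and the dropped AgileDotNetRT64.dll. The following is an added example written for this report (not sandbox output and not code from the sample) that splits that command line into its steps and classifies each one. The command line is copied verbatim from the Processes list, misspellings included; the assumption that "taskill" (one k) resolves to nothing relies on a stock Windows PATH, which is why only four child processes (PING.EXE and three taskkill.exe) appear in the process list.

```python
import re
from dataclasses import dataclass

# cmd.exe command line recorded by the sandbox in behavioral1, copied verbatim
# including the three misspelled "taskill" invocations.
CMD_LINE = (
    r'"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 4 > nul & '
    r'taskill /F /IM "SeroXen.exe" & taskill /F /IM "SeroXen HWID Reset.exe" & '
    r'taskill /F /IM "SeroXen Toolkit.exe" & rmdir /s /q %userprofile%\AppData\Local\SeroXen & '
    r'rmdir /s /q %userprofile%\AppData\Local\SeroXen & del /f %userprofile%\Desktop\SeroXen.lnk & '
    r'taskkill /F /IM "SeroXen.exe" & taskkill /F /IM "SeroXen HWID Reset.exe" & '
    r'taskkill /F /IM "SeroXen Toolkit.exe" & rmdir /s /q "C:\Users\Admin\AppData\Local\Temp" & '
    r'rmdir /s /q "C:\Users\Admin\AppData\Local\Temp" & exit'
)

# Directory the sample ran from and where AgileDotNetRT64.dll was dropped (Files section).
SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"

# Executables cmd.exe can resolve on a stock Windows PATH (assumption: default
# PATH). "taskill" is not among them, so those steps fail with
# "'taskill' is not recognized" and never spawn a process.
EXTERNAL_EXES = {"ping", "taskkill"}
CMD_BUILTINS = {"rmdir", "rd", "del", "erase", "exit"}


@dataclass
class Step:
    verb: str
    args: str
    status: str          # "spawns" (external exe), "builtin", or "fails"
    note: str = ""


def strip_cmd_prefix(cmdline):
    """Drop the leading '"...cmd.exe" /C ' so only the chained commands remain."""
    m = re.match(r'^"[^"]*cmd\.exe"\s+/[cCkK]\s+', cmdline)
    return cmdline[m.end():] if m else cmdline


def split_chain(chain):
    """Split on '&' separators outside double quotes ('&&' yields an empty part, dropped)."""
    parts, buf, in_quote = [], [], False
    for ch in chain:
        if ch == '"':
            in_quote = not in_quote
        if ch == "&" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _target(args):
    """Strip '/x' switches from a builtin's arguments, leaving the path operand."""
    return re.sub(r"/\w\s*", "", args).strip().strip('"')


def classify(step):
    verb, _, args = step.partition(" ")
    v = verb.lower()
    status = "builtin" if v in CMD_BUILTINS else "spawns" if v in EXTERNAL_EXES else "fails"
    note = ""
    if v == "ping" and args.startswith("127.0.0.1"):
        m = re.search(r"-n\s+(\d+)", args)
        n = int(m.group(1)) if m else 4
        note = f"loopback ping as a ~{n - 1}s sleep before the kills"
    elif v == "taskkill":
        m = re.search(r'/IM\s+"?([^"]+)"?', args, re.I)
        note = f"force-kill image {m.group(1)}" if m else "force-kill"
    elif v in ("rmdir", "rd", "del", "erase"):
        target = _target(args)
        note = f"delete {target}"
        if target.lower() == SAMPLE_DIR.lower():
            note += " (the directory holding the sample and the dropped DLL)"
    return Step(verb, args, status, note)


def analyse(cmdline=CMD_LINE):
    steps = [classify(s) for s in split_chain(strip_cmd_prefix(cmdline))]
    return {
        "steps": steps,
        "spawned": [s.verb.lower() for s in steps if s.status == "spawns"],
        "failed": [s.verb for s in steps if s.status == "fails"],
        "deleted": sorted({_target(s.args) for s in steps
                           if s.verb.lower() in ("rmdir", "rd", "del", "erase")}),
    }


if __name__ == "__main__":
    result = analyse()
    for s in result["steps"]:
        print(f"{s.status:8} {s.verb:8} {s.note}")
    print("child processes expected:", result["spawned"])
    print("paths removed:", result["deleted"])
```

The "spawned" list the script returns is exactly the child-process set the sandbox recorded, which is a quick consistency check to run on any cmd.exe chain before trusting a sandbox's process tree; the recursive rmdir on the Temp directory is the step worth flagging first, since it removes the dropped runtime DLL along with the sample itself.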

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

memory/1700-0-0x00007FFACED13000-0x00007FFACED15000-memory.dmp

memory/1700-1-0x00000246304D0000-0x0000024630A52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\49979061-04bb-41a9-8625-de2d15652f02\AgileDotNetRT64.dll

MD5 e3bd88b3c3e9b33dfa72c814f8826cff
SHA1 6d220c9eb7ee695f2b9dec261941bed59cac15e4
SHA256 28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
SHA512 fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

memory/1700-9-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

memory/1700-8-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp

memory/1700-10-0x00007FFADE5B0000-0x00007FFADE6FE000-memory.dmp

memory/1700-11-0x000002464AFE0000-0x000002464B01C000-memory.dmp

memory/1700-13-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp

memory/1700-12-0x000002464B020000-0x000002464B05E000-memory.dmp

memory/1700-14-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

memory/1700-15-0x00007FFACED13000-0x00007FFACED15000-memory.dmp

memory/1700-16-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

memory/1700-18-0x000002464B480000-0x000002464B629000-memory.dmp

memory/1700-17-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp

memory/1700-22-0x000002464B480000-0x000002464B629000-memory.dmp

memory/1700-21-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp

memory/1700-23-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

memory/1700-25-0x000002464B480000-0x000002464B629000-memory.dmp

memory/1700-24-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp

memory/1700-26-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

memory/1700-27-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp

memory/1700-30-0x000002464B480000-0x000002464B629000-memory.dmp

memory/1700-31-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp

memory/1700-32-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
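The dump names above encode PID, dump sequence number and the address range that was written out, and the same range is dumped repeatedly as the packed code is unwrapped. The following is an added example written for this report (not sandbox code) that parses those names, groups them by address range and reports size and dump count per region, so an analyst can pick the largest, most recently dumped regions first. The split between "image-range" and "private" by address is a heuristic I assume here (64-bit Windows loads images near the top of user space, private heaps low), not a field the sandbox provides.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump names copied from the behavioral1 Files section (PID 1700).
DUMPS_B1 = """
memory/1700-0-0x00007FFACED13000-0x00007FFACED15000-memory.dmp
memory/1700-1-0x00000246304D0000-0x0000024630A52000-memory.dmp
memory/1700-9-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
memory/1700-8-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp
memory/1700-10-0x00007FFADE5B0000-0x00007FFADE6FE000-memory.dmp
memory/1700-11-0x000002464AFE0000-0x000002464B01C000-memory.dmp
memory/1700-13-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp
memory/1700-12-0x000002464B020000-0x000002464B05E000-memory.dmp
memory/1700-14-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
memory/1700-15-0x00007FFACED13000-0x00007FFACED15000-memory.dmp
memory/1700-16-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
memory/1700-18-0x000002464B480000-0x000002464B629000-memory.dmp
memory/1700-17-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp
memory/1700-22-0x000002464B480000-0x000002464B629000-memory.dmp
memory/1700-21-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp
memory/1700-23-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
memory/1700-25-0x000002464B480000-0x000002464B629000-memory.dmp
memory/1700-24-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp
memory/1700-26-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
memory/1700-27-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
memory/1700-30-0x000002464B480000-0x000002464B629000-memory.dmp
memory/1700-31-0x00007FFACC230000-0x00007FFACCA8F000-memory.dmp
memory/1700-32-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
""".split()

# Heuristic (assumption), not a Windows guarantee: on x64 Windows images
# (EXE/DLLs) are mapped near the top of user space, heaps and other private
# allocations low. Good enough for choosing which dump to open first.
IMAGE_REGION_FLOOR = 0x00007FF000000000


def parse_dump(name):
    """Split a sandbox dump file name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def region_summary(names):
    """One record per distinct address range, largest first, with dump count,
    sequence numbers, a kind heuristic and whether it sits inside another range."""
    by_range = defaultdict(list)
    for d in map(parse_dump, names):
        by_range[(d["start"], d["end"])].append(d["seq"])
    regions = []
    for (start, end), seqs in by_range.items():
        regions.append({
            "start": start, "end": end, "size": end - start,
            "dumps": len(seqs), "seqs": sorted(seqs),
            "kind": "image-range" if start >= IMAGE_REGION_FLOOR else "private",
            "inside": None,
        })
    # A range strictly inside a larger one is usually an early partial dump of
    # the same mapping (here the two-page 0x...ED13000 dump inside 0x...ED10000).
    for r in regions:
        for other in regions:
            if other is not r and other["start"] <= r["start"] and r["end"] <= other["end"]:
                r["inside"] = (other["start"], other["end"])
    regions.sort(key=lambda r: (-r["size"], r["start"]))
    return regions


if __name__ == "__main__":
    for r in region_summary(DUMPS_B1):
        where = f" inside 0x{r['inside'][0]:016X}" if r["inside"] else ""
        print(f"0x{r['start']:016X}-0x{r['end']:016X} {r['size']:>10} B "
              f"{r['kind']:11} dumped {r['dumps']}x seqs {r['seqs']}{where}")
```

Run against the behavioral1 list this yields eight distinct regions out of 23 dumps: the 11 MB range at 0x00007FFACED10000 is dumped seven times and the 8.6 MB range at 0x00007FFACC230000 six times, while the 5.5 MB private region at 0x00000246304D0000 appears once (sequence 1, right after the sample started). Sequence numbers 2 to 7 are absent from the memory list because the sandbox assigned them to the dropped AgileDotNetRT64.dll file entry that sits between them.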

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 14:05

Reported

2024-08-25 14:07

Platform

win11-20240802-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\SeroXen.exe

"C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

memory/1204-0-0x00007FFF796A3000-0x00007FFF796A5000-memory.dmp

memory/1204-1-0x0000019E39A60000-0x0000019E39FE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\49979061-04bb-41a9-8625-de2d15652f02\AgileDotNetRT64.dll

MD5 e3bd88b3c3e9b33dfa72c814f8826cff
SHA1 6d220c9eb7ee695f2b9dec261941bed59cac15e4
SHA256 28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
SHA512 fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

memory/1204-8-0x00007FFF796A0000-0x00007FFF7A162000-memory.dmp

memory/1204-9-0x00007FFF76BC0000-0x00007FFF7741F000-memory.dmp

memory/1204-11-0x00007FFF796A0000-0x00007FFF7A162000-memory.dmp

memory/1204-13-0x0000019E549F0000-0x0000019E54A2E000-memory.dmp

memory/1204-12-0x0000019E549B0000-0x0000019E549EC000-memory.dmp

memory/1204-10-0x00007FFF8AA90000-0x00007FFF8ABDF000-memory.dmp

memory/1204-14-0x00007FFF796A0000-0x00007FFF7A162000-memory.dmp

memory/1204-15-0x00007FFF796A0000-0x00007FFF7A162000-memory.dmp

memory/1204-16-0x00007FFF796A3000-0x00007FFF796A5000-memory.dmp

memory/1204-18-0x00007FFF76BC0000-0x00007FFF7741F000-memory.dmp

memory/1204-20-0x00007FFF76BC0000-0x00007FFF7741F000-memory.dmp

memory/1204-22-0x00007FFF76BC0000-0x00007FFF7741F000-memory.dmp

memory/1204-23-0x00007FFF796A0000-0x00007FFF7A162000-memory.dmp

memory/1204-24-0x00007FFF76BC0000-0x00007FFF7741F000-memory.dmp

memory/1204-25-0x00007FFF796A0000-0x00007FFF7A162000-memory.dmp

memory/1204-28-0x00007FFF76BC0000-0x00007FFF7741F000-memory.dmp

memory/1204-33-0x00007FFF76BC0000-0x00007FFF7741F000-memory.dmp