3f42688027964833072e16ebd523406819d90db0169f36bcc87ed69c68b63e86

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2025, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SeroXen/bin/SeroXen.exe
Size

50.9MB
MD5

08312e99bc5094a458cc5189f3a70524
SHA1

016e187d249ddecbeee6aaae2685b5404a23ecae
SHA256

146fbd8fca9d32613dd1eda7d85de1d29d7108289a1fe2a463ebcf13aa2e93e7
SHA512

36d297192ed2622335fef0613214cd73c8689b9ee27809e501731490f44aee6cb8ca9f23f9ba36b34f307d3a3b37f440fc7103291b533776c089cdf026ff5f9a
SSDEEP

786432:ftrtWJi9Ui9MA8VFoBZ0RMUNtKxwi99+Y:frWJi9Ui9MA8VFoD0GUvK2i9P

Score

6^/10

defense_evasion execution

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	pastebin.com
16	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3128	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4840	SeroXen.exe
4840	SeroXen.exe
3128	powershell.exe
3128	powershell.exe
3124	powershell.exe
3124	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeIncreaseQuotaPrivilege	2380	wmic.exe
Token: SeSecurityPrivilege	2380	wmic.exe
Token: SeTakeOwnershipPrivilege	2380	wmic.exe
Token: SeLoadDriverPrivilege	2380	wmic.exe
Token: SeSystemProfilePrivilege	2380	wmic.exe
Token: SeSystemtimePrivilege	2380	wmic.exe
Token: SeProfSingleProcessPrivilege	2380	wmic.exe
Token: SeIncBasePriorityPrivilege	2380	wmic.exe
Token: SeCreatePagefilePrivilege	2380	wmic.exe
Token: SeBackupPrivilege	2380	wmic.exe
Token: SeRestorePrivilege	2380	wmic.exe
Token: SeShutdownPrivilege	2380	wmic.exe
Token: SeDebugPrivilege	2380	wmic.exe
Token: SeSystemEnvironmentPrivilege	2380	wmic.exe
Token: SeRemoteShutdownPrivilege	2380	wmic.exe
Token: SeUndockPrivilege	2380	wmic.exe
Token: SeManageVolumePrivilege	2380	wmic.exe
Token: 33	2380	wmic.exe
Token: 34	2380	wmic.exe
Token: 35	2380	wmic.exe
Token: 36	2380	wmic.exe
Token: SeIncreaseQuotaPrivilege	2380	wmic.exe
Token: SeSecurityPrivilege	2380	wmic.exe
Token: SeTakeOwnershipPrivilege	2380	wmic.exe
Token: SeLoadDriverPrivilege	2380	wmic.exe
Token: SeSystemProfilePrivilege	2380	wmic.exe
Token: SeSystemtimePrivilege	2380	wmic.exe
Token: SeProfSingleProcessPrivilege	2380	wmic.exe
Token: SeIncBasePriorityPrivilege	2380	wmic.exe
Token: SeCreatePagefilePrivilege	2380	wmic.exe
Token: SeBackupPrivilege	2380	wmic.exe
Token: SeRestorePrivilege	2380	wmic.exe
Token: SeShutdownPrivilege	2380	wmic.exe
Token: SeDebugPrivilege	2380	wmic.exe
Token: SeSystemEnvironmentPrivilege	2380	wmic.exe
Token: SeRemoteShutdownPrivilege	2380	wmic.exe
Token: SeUndockPrivilege	2380	wmic.exe
Token: SeManageVolumePrivilege	2380	wmic.exe
Token: 33	2380	wmic.exe
Token: 34	2380	wmic.exe
Token: 35	2380	wmic.exe
Token: 36	2380	wmic.exe
Token: SeDebugPrivilege	3124	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 3128	4840	SeroXen.exe	85
PID 4840 wrote to memory of 3128	4840	SeroXen.exe	85
PID 4840 wrote to memory of 2380	4840	SeroXen.exe	86
PID 4840 wrote to memory of 2380	4840	SeroXen.exe	86
PID 4840 wrote to memory of 3124	4840	SeroXen.exe	88
PID 4840 wrote to memory of 3124	4840	SeroXen.exe	88
PID 3124 wrote to memory of 2484	3124	powershell.exe	89
PID 3124 wrote to memory of 2484	3124	powershell.exe	89
PID 2484 wrote to memory of 3968	2484	csc.exe	90
PID 2484 wrote to memory of 3968	2484	csc.exe	90
PID 4840 wrote to memory of 4812	4840	SeroXen.exe	91
PID 4840 wrote to memory of 4812	4840	SeroXen.exe	91

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4812	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exe
"C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" csproduct get uuid /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGwATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAEoARwBoAFgAYgBtAFEAcwBJAEQAQQBwAEQAUQBwADkARABRAG8AawBZADMAVgB5AGMAbQBWAHUAZABGAGQAcABiAG0AUgB2AGQAMQBSAHAAZABHAHgAbABJAEQAMABnAFIAMgBWADAAUQBXAE4AMABhAFgAWgBsAFYAMgBsAHUAWgBHADkAMwBWAEcAbAAwAGIARwBVAE4AQwBrAGgAcABaAEcAVgBCAFkAMwBSAHAAZABtAFYAWABhAFcANQBrAGIAMwBjAE4AQwBnAD0APQAiAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuACkALgBTAGMAcgBpAHAAdAApACkAIAB8ACAAaQBlAHgA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3cimetvn\3cimetvn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3B0.tmp" "c:\Users\Admin\AppData\Local\Temp\3cimetvn\CSCDA1060D0BF1A4D1EB2D9355C2C697095.TMP"
      4⤵
      PID:3968
- C:\Windows\SYSTEM32\attrib.exe
  "attrib" +h C:\WindowsGraphics
  2⤵
  - Views/modifies file attributes
  PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cimetvn\3cimetvn.dll

Filesize
3KB

MD5
205a2d24ee51db3991d10a3adae8c79d

SHA1
f2bebb2787439b3fae9b62f3a12071656f86e6a6

SHA256
3380f702a69621e036c3a05a709f0878c21e5cb2f3c916be942d823ddd7f737c

SHA512
13e585781e89f9226d4951dbbe778c26d18606859f724c37d280ce95ee522abcebf23a12eb9c9bdeed8d215230c0318d59de4941ad6391d110dbdcaa3c84ef2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB3B0.tmp

Filesize
1KB

MD5
c19016bece33e290ec5a48f83dc7984a

SHA1
438c7fca847ab0ee5ea7d2a339906530bbd66fa8

SHA256
6a73841eaa7fcf2f51b4d56701d463ac8e1a12ac8f545947f804e7d7b76c83a3

SHA512
df3667843b4fb1a6f1716dc459dfdd46dd21fa6fd418766fb424e79746d80510f76c42bb96f4bc1e738c1e81b53d08864112de1dfc487817647212158c45f966

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d1stpvjq.ov5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3cimetvn\3cimetvn.0.cs

Filesize
353B

MD5
379570600f5439dda873eda8f0ce4a79

SHA1
2023b772101aff5b12ab53f24a69742a4b9c394f

SHA256
2c058658252d0f5a4613dc846d56329797e86033e3c61b9b68537ae167000072

SHA512
70ad464f11597e9677a757c59a79a27650487d0f59cbb35d88e9775236e2dbf3cb78413b10eac3e9a33e2cba7fb1fb85ef7755b1d25e1c7d9513615ea4daf152

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3cimetvn\3cimetvn.cmdline

Filesize
369B

MD5
7e17d4d7ccc428d2f098c7eb611181e7

SHA1
03f340777d1d2ecdc78997c0c949915b9148ad75

SHA256
25584c37c6bf142373a6df101e84fec4069526e2a092af5937f4ea217007e532

SHA512
a64687cb27f47af12fd117e4743eb33a3fb7efa07e0122d3ae36ca87a692dcf9afad16f4663c5ca320fe25b2ebf35a8e5001c1ad06a16211009779c624e4ff6a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3cimetvn\CSCDA1060D0BF1A4D1EB2D9355C2C697095.TMP

Filesize
652B

MD5
990f1e6d89e3252bf0ead0f731b1036f

SHA1
9667c388c60eb9c6f1ca94873f6373bbfb7c9fbe

SHA256
1cb7d040ec2230239e80ecf15353284cc1927d2584f4b4c7d652f2bbf312005e

SHA512
7ad7266437971d3aafc12c1b4a6dc59273de0b14f4169b8487e5829366847ecda5544a6881eddf8fd616fc75d1827874e1270a35256e42bef2ec5a65d0ddb982

Download Submit
memory/3124-31-0x000002B436120000-0x000002B4362E2000-memory.dmp

Filesize
1.8MB

Download
memory/3124-32-0x000002B436820000-0x000002B436D48000-memory.dmp

Filesize
5.2MB

Download
memory/3124-45-0x000002B433B00000-0x000002B433B08000-memory.dmp

Filesize
32KB

Download
memory/3128-1-0x00007FFEF3F33000-0x00007FFEF3F35000-memory.dmp

Filesize
8KB

Download
memory/3128-17-0x00007FFEF3F30000-0x00007FFEF49F1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-13-0x00007FFEF3F30000-0x00007FFEF49F1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-12-0x00007FFEF3F30000-0x00007FFEF49F1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-2-0x00000228F4740000-0x00000228F4762000-memory.dmp

Filesize
136KB

Download