3f42688027964833072e16ebd523406819d90db0169f36bcc87ed69c68b63e86

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SeroXen/bin/SeroXen.exe
Size

50.9MB
MD5

08312e99bc5094a458cc5189f3a70524
SHA1

016e187d249ddecbeee6aaae2685b5404a23ecae
SHA256

146fbd8fca9d32613dd1eda7d85de1d29d7108289a1fe2a463ebcf13aa2e93e7
SHA512

36d297192ed2622335fef0613214cd73c8689b9ee27809e501731490f44aee6cb8ca9f23f9ba36b34f307d3a3b37f440fc7103291b533776c089cdf026ff5f9a
SSDEEP

786432:ftrtWJi9Ui9MA8VFoBZ0RMUNtKxwi99+Y:frWJi9Ui9MA8VFoD0GUvK2i9P

Score

6^/10

defense_evasion execution

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	pastebin.com
19	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2872	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2092	SeroXen.exe
2092	SeroXen.exe
2872	powershell.exe
2872	powershell.exe
2140	powershell.exe
2140	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeIncreaseQuotaPrivilege	1964	wmic.exe
Token: SeSecurityPrivilege	1964	wmic.exe
Token: SeTakeOwnershipPrivilege	1964	wmic.exe
Token: SeLoadDriverPrivilege	1964	wmic.exe
Token: SeSystemProfilePrivilege	1964	wmic.exe
Token: SeSystemtimePrivilege	1964	wmic.exe
Token: SeProfSingleProcessPrivilege	1964	wmic.exe
Token: SeIncBasePriorityPrivilege	1964	wmic.exe
Token: SeCreatePagefilePrivilege	1964	wmic.exe
Token: SeBackupPrivilege	1964	wmic.exe
Token: SeRestorePrivilege	1964	wmic.exe
Token: SeShutdownPrivilege	1964	wmic.exe
Token: SeDebugPrivilege	1964	wmic.exe
Token: SeSystemEnvironmentPrivilege	1964	wmic.exe
Token: SeRemoteShutdownPrivilege	1964	wmic.exe
Token: SeUndockPrivilege	1964	wmic.exe
Token: SeManageVolumePrivilege	1964	wmic.exe
Token: 33	1964	wmic.exe
Token: 34	1964	wmic.exe
Token: 35	1964	wmic.exe
Token: 36	1964	wmic.exe
Token: SeIncreaseQuotaPrivilege	1964	wmic.exe
Token: SeSecurityPrivilege	1964	wmic.exe
Token: SeTakeOwnershipPrivilege	1964	wmic.exe
Token: SeLoadDriverPrivilege	1964	wmic.exe
Token: SeSystemProfilePrivilege	1964	wmic.exe
Token: SeSystemtimePrivilege	1964	wmic.exe
Token: SeProfSingleProcessPrivilege	1964	wmic.exe
Token: SeIncBasePriorityPrivilege	1964	wmic.exe
Token: SeCreatePagefilePrivilege	1964	wmic.exe
Token: SeBackupPrivilege	1964	wmic.exe
Token: SeRestorePrivilege	1964	wmic.exe
Token: SeShutdownPrivilege	1964	wmic.exe
Token: SeDebugPrivilege	1964	wmic.exe
Token: SeSystemEnvironmentPrivilege	1964	wmic.exe
Token: SeRemoteShutdownPrivilege	1964	wmic.exe
Token: SeUndockPrivilege	1964	wmic.exe
Token: SeManageVolumePrivilege	1964	wmic.exe
Token: 33	1964	wmic.exe
Token: 34	1964	wmic.exe
Token: 35	1964	wmic.exe
Token: 36	1964	wmic.exe
Token: SeDebugPrivilege	2140	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2872	2092	SeroXen.exe	86
PID 2092 wrote to memory of 2872	2092	SeroXen.exe	86
PID 2092 wrote to memory of 1964	2092	SeroXen.exe	88
PID 2092 wrote to memory of 1964	2092	SeroXen.exe	88
PID 2092 wrote to memory of 2140	2092	SeroXen.exe	90
PID 2092 wrote to memory of 2140	2092	SeroXen.exe	90
PID 2140 wrote to memory of 2052	2140	powershell.exe	91
PID 2140 wrote to memory of 2052	2140	powershell.exe	91
PID 2052 wrote to memory of 2816	2052	csc.exe	93
PID 2052 wrote to memory of 2816	2052	csc.exe	93
PID 2092 wrote to memory of 2100	2092	SeroXen.exe	94
PID 2092 wrote to memory of 2100	2092	SeroXen.exe	94

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2100	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exe
"C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" csproduct get uuid /value
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGwATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAEoARwBoAFgAYgBtAFEAcwBJAEQAQQBwAEQAUQBwADkARABRAG8AawBZADMAVgB5AGMAbQBWAHUAZABGAGQAcABiAG0AUgB2AGQAMQBSAHAAZABHAHgAbABJAEQAMABnAFIAMgBWADAAUQBXAE4AMABhAFgAWgBsAFYAMgBsAHUAWgBHADkAMwBWAEcAbAAwAGIARwBVAE4AQwBrAGgAcABaAEcAVgBCAFkAMwBSAHAAZABtAFYAWABhAFcANQBrAGIAMwBjAE4AQwBnAD0APQAiAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuACkALgBTAGMAcgBpAHAAdAApACkAIAB8ACAAaQBlAHgA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pxxzr5ir\pxxzr5ir.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp" "c:\Users\Admin\AppData\Local\Temp\pxxzr5ir\CSC9A3ECA8212EC417FA8383C32F6CB592C.TMP"
      4⤵
      PID:2816
- C:\Windows\SYSTEM32\attrib.exe
  "attrib" +h C:\WindowsGraphics
  2⤵
  - Views/modifies file attributes
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp

Filesize
1KB

MD5
1a7bda4ddea76765cb0f6c59feccf863

SHA1
e74bf40641d14a4d5d6926fe3aacd66a62fc1943

SHA256
836b6af969c2acc2d2256006f92c73206a45ffad20f4b93b6bb18116388722e6

SHA512
149130d53548ada010c43ff20230872768ac114e1fd23b44f78486fdc6149333ea7d27cfc38ad97952b07186914bc5abddbdf2869a51a54fe8b2b512cdd3ccb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ou35dxb.qy3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxxzr5ir\pxxzr5ir.dll

Filesize
3KB

MD5
abe03afd88da3b7e367a7056b5fe8ae7

SHA1
4ae66c9bd8c5b78de47ea91f5e7e656d529da77b

SHA256
f2c727aef908581125b77480d703d7ff2f83f1d74ce106f4334c4be20fd9d553

SHA512
1b2f53efae00590d567205fd92a347522a769b7a414015b0de27d102ef7eb46d80eed5ad1ad0efe55490a257c0f7b37cc6a119a68ea9295c5c1d7860220212ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pxxzr5ir\CSC9A3ECA8212EC417FA8383C32F6CB592C.TMP

Filesize
652B

MD5
0824330dd31c58fa6dd7d51a28b3f558

SHA1
fef04b8eeed43a0c58590f8cf4fc7506f0903ab8

SHA256
443ee4f1cac823c2c0800add68458f29b6404f937e3d676729ea1eb2d3f984ca

SHA512
bccefe27193508d4f59ecd6a737024d30fa1a92503fdcddd88edae84dc15c5cbfd25c5939fd9afafe7f29ffdeaf9b4cff43703f6b0e7ffb4227e9b55d57bd00e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pxxzr5ir\pxxzr5ir.0.cs

Filesize
353B

MD5
379570600f5439dda873eda8f0ce4a79

SHA1
2023b772101aff5b12ab53f24a69742a4b9c394f

SHA256
2c058658252d0f5a4613dc846d56329797e86033e3c61b9b68537ae167000072

SHA512
70ad464f11597e9677a757c59a79a27650487d0f59cbb35d88e9775236e2dbf3cb78413b10eac3e9a33e2cba7fb1fb85ef7755b1d25e1c7d9513615ea4daf152

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pxxzr5ir\pxxzr5ir.cmdline

Filesize
369B

MD5
bcea97101b47eb3f64dded36b4f35b71

SHA1
702518f6688a027a6fb058db6c893b5bae737c6f

SHA256
73ee0d349f7ac0483471fe1736e4d09b4097126423523eeeea1eafb602766a4c

SHA512
6d5fd2b19a3376409d8566b470ada75207fc1039e9094fd360595958672296243cf529cdf38c532885bcd2244318c014ae3bef6ea528d9932523f88b80f480c5

Download Submit
memory/2140-31-0x00000135FAEF0000-0x00000135FB0B2000-memory.dmp

Filesize
1.8MB

Download
memory/2140-32-0x00000135FB5F0000-0x00000135FBB18000-memory.dmp

Filesize
5.2MB

Download
memory/2140-45-0x00000135FA970000-0x00000135FA978000-memory.dmp

Filesize
32KB

Download
memory/2872-1-0x00007FFD68EC3000-0x00007FFD68EC5000-memory.dmp

Filesize
8KB

Download
memory/2872-17-0x00007FFD68EC0000-0x00007FFD69981000-memory.dmp

Filesize
10.8MB

Download
memory/2872-13-0x00007FFD68EC0000-0x00007FFD69981000-memory.dmp

Filesize
10.8MB

Download
memory/2872-11-0x00000206282E0000-0x0000020628302000-memory.dmp

Filesize
136KB

Download
memory/2872-12-0x00007FFD68EC0000-0x00007FFD69981000-memory.dmp

Filesize
10.8MB

Download