seroxen | f8431dd48bff13d43e84636a28c6f718f94c3fbaabfdc4505ba1c49390410dd0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload_1.exe
Size

10.3MB
MD5

193c0f25237bf72feba33c0ac094633f
SHA1

49d04b78ac3abed78f63f2a417aaaa3b2df015d0
SHA256

f8431dd48bff13d43e84636a28c6f718f94c3fbaabfdc4505ba1c49390410dd0
SHA512

f876fe18aa868e6b5fcca10e8def67f65be948283234c09cce5ab87938b1e797567498f6cc30ce7cd9bff3dd31a98a382bd950e1d49e1d782cce667516e62dd8
SSDEEP

49152:AHZtA2qbxwSAKPbSZ8ncZSgiGrgXfaZAfCjCQquQplaoMc30D8zyYEF2SSmbUsr+:A54

Score

10^/10

seroxen trojan

Malware Config

Signatures

Seroxen family
seroxen
Seroxen, Ser0xen
Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.
trojan seroxen

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2532 created 432	2532	payload_1.exe	5
PID 2532 created 432	2532	payload_1.exe	5
PID 2532 created 432	2532	payload_1.exe	5

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2532 set thread context of 2332	2532	payload_1.exe	31
PID 2532 set thread context of 2736	2532	payload_1.exe	32
PID 2532 set thread context of 1428	2532	payload_1.exe	35
PID 2532 set thread context of 568	2532	payload_1.exe	36
PID 2532 set thread context of 1364	2532	payload_1.exe	37
PID 2532 set thread context of 1660	2532	payload_1.exe	38

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$sxr-cmd.exe	payload_1.exe
File created	C:\Windows\$sxr-powershell.exe	payload_1.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	payload_1.exe
File created	C:\Windows\$sxr-mshta.exe	payload_1.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	payload_1.exe
File created	C:\Windows\$sxr-cmd.exe	payload_1.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2532	payload_1.exe
2332	dllhost.exe
2332	dllhost.exe
2332	dllhost.exe
2332	dllhost.exe
2736	dllhost.exe
2736	dllhost.exe
2736	dllhost.exe
2736	dllhost.exe
2532	payload_1.exe
2532	payload_1.exe
2532	payload_1.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
1428	dllhost.exe
568	dllhost.exe
568	dllhost.exe
568	dllhost.exe
568	dllhost.exe
2532	payload_1.exe
2532	payload_1.exe
2532	payload_1.exe
1364	dllhost.exe
1364	dllhost.exe
1364	dllhost.exe
1364	dllhost.exe
1660	dllhost.exe
1660	dllhost.exe
1660	dllhost.exe
1660	dllhost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	payload_1.exe
Token: SeDebugPrivilege	2532	payload_1.exe
Token: SeDebugPrivilege	2332	dllhost.exe
Token: SeDebugPrivilege	2736	dllhost.exe
Token: SeDebugPrivilege	2532	payload_1.exe
Token: SeDebugPrivilege	1428	dllhost.exe
Token: SeDebugPrivilege	568	dllhost.exe
Token: SeDebugPrivilege	2532	payload_1.exe
Token: SeDebugPrivilege	1364	dllhost.exe
Token: SeDebugPrivilege	1660	dllhost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2332	2532	payload_1.exe	31
PID 2532 wrote to memory of 2332	2532	payload_1.exe	31
PID 2532 wrote to memory of 2332	2532	payload_1.exe	31
PID 2532 wrote to memory of 2332	2532	payload_1.exe	31
PID 2532 wrote to memory of 2332	2532	payload_1.exe	31
PID 2532 wrote to memory of 2332	2532	payload_1.exe	31
PID 2532 wrote to memory of 2332	2532	payload_1.exe	31
PID 2532 wrote to memory of 2332	2532	payload_1.exe	31
PID 2532 wrote to memory of 2736	2532	payload_1.exe	32
PID 2532 wrote to memory of 2736	2532	payload_1.exe	32
PID 2532 wrote to memory of 2736	2532	payload_1.exe	32
PID 2532 wrote to memory of 2736	2532	payload_1.exe	32
PID 2532 wrote to memory of 2736	2532	payload_1.exe	32
PID 2532 wrote to memory of 2736	2532	payload_1.exe	32
PID 2532 wrote to memory of 2736	2532	payload_1.exe	32
PID 2532 wrote to memory of 2736	2532	payload_1.exe	32
PID 2532 wrote to memory of 2736	2532	payload_1.exe	32
PID 2532 wrote to memory of 2736	2532	payload_1.exe	32
PID 2532 wrote to memory of 1428	2532	payload_1.exe	35
PID 2532 wrote to memory of 1428	2532	payload_1.exe	35
PID 2532 wrote to memory of 1428	2532	payload_1.exe	35
PID 2532 wrote to memory of 1428	2532	payload_1.exe	35
PID 2532 wrote to memory of 1428	2532	payload_1.exe	35
PID 2532 wrote to memory of 1428	2532	payload_1.exe	35
PID 2532 wrote to memory of 1428	2532	payload_1.exe	35
PID 2532 wrote to memory of 1428	2532	payload_1.exe	35
PID 2532 wrote to memory of 568	2532	payload_1.exe	36
PID 2532 wrote to memory of 568	2532	payload_1.exe	36
PID 2532 wrote to memory of 568	2532	payload_1.exe	36
PID 2532 wrote to memory of 568	2532	payload_1.exe	36
PID 2532 wrote to memory of 568	2532	payload_1.exe	36
PID 2532 wrote to memory of 568	2532	payload_1.exe	36
PID 2532 wrote to memory of 568	2532	payload_1.exe	36
PID 2532 wrote to memory of 568	2532	payload_1.exe	36
PID 2532 wrote to memory of 568	2532	payload_1.exe	36
PID 2532 wrote to memory of 568	2532	payload_1.exe	36
PID 2532 wrote to memory of 1364	2532	payload_1.exe	37
PID 2532 wrote to memory of 1364	2532	payload_1.exe	37
PID 2532 wrote to memory of 1364	2532	payload_1.exe	37
PID 2532 wrote to memory of 1364	2532	payload_1.exe	37
PID 2532 wrote to memory of 1364	2532	payload_1.exe	37
PID 2532 wrote to memory of 1364	2532	payload_1.exe	37
PID 2532 wrote to memory of 1364	2532	payload_1.exe	37
PID 2532 wrote to memory of 1364	2532	payload_1.exe	37
PID 2532 wrote to memory of 1660	2532	payload_1.exe	38
PID 2532 wrote to memory of 1660	2532	payload_1.exe	38
PID 2532 wrote to memory of 1660	2532	payload_1.exe	38
PID 2532 wrote to memory of 1660	2532	payload_1.exe	38
PID 2532 wrote to memory of 1660	2532	payload_1.exe	38
PID 2532 wrote to memory of 1660	2532	payload_1.exe	38
PID 2532 wrote to memory of 1660	2532	payload_1.exe	38
PID 2532 wrote to memory of 1660	2532	payload_1.exe	38
PID 2532 wrote to memory of 1660	2532	payload_1.exe	38
PID 2532 wrote to memory of 1660	2532	payload_1.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{056a2260-7275-49ee-8d0a-061abe7efebd}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{eebcb83f-9f20-4783-aadd-edb84ef32b7c}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{018619ff-f5ee-457e-887c-5b9161f4d2ff}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364

C:\Users\Admin\AppData\Local\Temp\payload_1.exe
"C:\Users\Admin\AppData\Local\Temp\payload_1.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{e5aa3ec9-997d-4761-81dd-bf23e3412cd3}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{c6cc8260-0884-44ae-93e3-e8b56d54e0df}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{70b70b0a-5b84-4b08-bccb-b1effe44f4c9}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660

C:\Windows\system32\taskeng.exe
taskeng.exe {6FF1C236-2E9B-4118-9CEE-27AA6853F18F} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-48-0x0000000077090000-0x0000000077239000-memory.dmp

Filesize
1.7MB

Download
memory/568-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1428-49-0x0000000077090000-0x0000000077239000-memory.dmp

Filesize
1.7MB

Download
memory/1428-47-0x0000000077090000-0x0000000077239000-memory.dmp

Filesize
1.7MB

Download
memory/1660-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2332-11-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/2332-20-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/2532-33-0x0000000077091000-0x0000000077192000-memory.dmp

Filesize
1.0MB

Download
memory/2532-4-0x00000000007D0000-0x0000000000828000-memory.dmp

Filesize
352KB

Download
memory/2532-8-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2532-10-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download
memory/2532-7-0x0000000077090000-0x0000000077239000-memory.dmp

Filesize
1.7MB

Download
memory/2532-78-0x0000000077090000-0x0000000077239000-memory.dmp

Filesize
1.7MB

Download
memory/2532-6-0x00000000009B0000-0x00000000009D2000-memory.dmp

Filesize
136KB

Download
memory/2532-77-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2532-1-0x000000013FA00000-0x0000000140450000-memory.dmp

Filesize
10.3MB

Download
memory/2532-60-0x0000000077090000-0x0000000077239000-memory.dmp

Filesize
1.7MB

Download
memory/2532-59-0x0000000002280000-0x00000000022A2000-memory.dmp

Filesize
136KB

Download
memory/2532-2-0x0000000002430000-0x00000000024D6000-memory.dmp

Filesize
664KB

Download
memory/2532-9-0x0000000076E70000-0x0000000076F8F000-memory.dmp

Filesize
1.1MB

Download
memory/2532-31-0x0000000077090000-0x0000000077239000-memory.dmp

Filesize
1.7MB

Download
memory/2532-29-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2532-30-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2532-34-0x0000000077090000-0x0000000077239000-memory.dmp

Filesize
1.7MB

Download
memory/2532-32-0x0000000076E70000-0x0000000076F8F000-memory.dmp

Filesize
1.1MB

Download
memory/2532-5-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2532-3-0x0000000000660000-0x00000000006B6000-memory.dmp

Filesize
344KB

Download
memory/2532-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2736-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2736-13-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2736-14-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2736-15-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2736-16-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2736-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-22-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2736-18-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download