Analysis Overview
SHA256
fd8f6f8301f87bba9241fd4777c6b25ad9a1b1268c00e8893175074a7392bc6c
Threat Level: Known bad
The file SeroXen.exe was found to be: Known bad.
Malicious Activity Summary
Silverrat family
SilverRat
Sets file to hidden
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-23 15:28
Signatures
Silverrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-23 15:28
Reported
2025-02-23 15:29
Platform
win7-20250207-en
Max time kernel
27s
Max time network
35s
Command Line
Signatures
SilverRat
Silverrat family
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Windows\$77xdwd.dll.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\Windows\\$77xdwd.dll.exe\"" | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Windows\$77xdwd.dll.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SeroXen.exe
"C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Windows"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Windows\$77xdwd.dll.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE38C.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\Windows\$77xdwd.dll.exe
"C:\Users\Admin\Windows\$77xdwd.dll.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77xdwd.dll.exe
C:\Windows\system32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77xdwd.dll.exe" /TR "C:\Users\Admin\Windows\$77xdwd.dll.exe \"\$77xdwd.dll.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77xdwd.dll.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
Files
memory/2640-0-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp
memory/2640-1-0x000000013FE90000-0x000000013FEA0000-memory.dmp
memory/2640-2-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp
memory/2640-3-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp
memory/2640-4-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE38C.tmp.bat
| MD5 | b4b5a4a5a5edcf8b80a76b861d02da3b |
| SHA1 | b025343f44e92e75de09d6ee00d6a80fcd47d72e |
| SHA256 | 3b390eb5e67760a9574cba1197541753405f3a6961a3ecfeb66eda5642fe9599 |
| SHA512 | 81fb948ee647d4d63e253fea915d9297db518c3064c47bbb360cab3c51836793c051b8b7e373fba656f8478b7c1c34cc958262179c492ecd9ac50621288a4f8c |
memory/2640-14-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp
\Users\Admin\Windows\$77xdwd.dll.exe
| MD5 | 7ec1d25ce5cd0afe104ee2e4389e4cf6 |
| SHA1 | fa31da5f424f7c106ff0701aab70f789cd4e445b |
| SHA256 | fd8f6f8301f87bba9241fd4777c6b25ad9a1b1268c00e8893175074a7392bc6c |
| SHA512 | 78c196c0aba6afc8426edfe013b889bca62e172d597b39e887dcd14aaa99bdcce8be65d4055722d34328c341b1c4b14107d0b8d5a6ff9e7f0afa5b29326675b1 |
memory/2144-19-0x000000013F850000-0x000000013F860000-memory.dmp
memory/1416-24-0x000000001B520000-0x000000001B802000-memory.dmp
memory/1416-25-0x0000000002A60000-0x0000000002A68000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-23 15:28
Reported
2025-02-23 15:31
Platform
win10v2004-20250217-en
Max time kernel
130s
Max time network
153s
Command Line
Signatures
SilverRat
Silverrat family
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Windows\$77xdwd.dll.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Windows\$77xdwd.dll.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\Windows\\$77xdwd.dll.exe\"" | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SeroXen.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Windows\$77xdwd.dll.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Windows\$77xdwd.dll.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SeroXen.exe
"C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Windows"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Windows\$77xdwd.dll.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCF66.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\Windows\$77xdwd.dll.exe
"C:\Users\Admin\Windows\$77xdwd.dll.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77xdwd.dll.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77xdwd.dll.exe" /TR "C:\Users\Admin\Windows\$77xdwd.dll.exe \"\$77xdwd.dll.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77xdwd.dll.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 172.221.202.55:3321 | tcp | |
| US | 172.221.202.55:3321 | tcp | |
| US | 172.221.202.55:3321 | tcp | |
| US | 172.221.202.55:3321 | tcp | |
| US | 172.221.202.55:3321 | tcp | |
| US | 172.221.202.55:3321 | tcp |
Files
memory/4308-0-0x00007FFA803D3000-0x00007FFA803D5000-memory.dmp
memory/4308-1-0x0000000000B40000-0x0000000000B50000-memory.dmp
memory/4308-2-0x00007FFA803D0000-0x00007FFA80E91000-memory.dmp
memory/4308-3-0x00007FFA803D0000-0x00007FFA80E91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCF66.tmp.bat
| MD5 | 83bd0c81d042aea6b8f046870211fb4f |
| SHA1 | 80a2aac607c3f11c5356ac48f7c8d545d44a1712 |
| SHA256 | 7a8f00c5618b42edcc02039364e3898782e5ba614c55f50c57fd71be3ada0d8a |
| SHA512 | 4502a8a85b0af726f97084065283e3ebaf5f92d80d934f7698b882dffce2f07d81814b3ab4a6f46e10fd87375bb4a769e68a60c5d787d940f8114c4afa086b0f |
memory/4308-9-0x00007FFA803D0000-0x00007FFA80E91000-memory.dmp
C:\Users\Admin\Windows\$77xdwd.dll.exe
| MD5 | 7ec1d25ce5cd0afe104ee2e4389e4cf6 |
| SHA1 | fa31da5f424f7c106ff0701aab70f789cd4e445b |
| SHA256 | fd8f6f8301f87bba9241fd4777c6b25ad9a1b1268c00e8893175074a7392bc6c |
| SHA512 | 78c196c0aba6afc8426edfe013b889bca62e172d597b39e887dcd14aaa99bdcce8be65d4055722d34328c341b1c4b14107d0b8d5a6ff9e7f0afa5b29326675b1 |
memory/4752-13-0x00007FFA80623000-0x00007FFA80625000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ee5tywy2.cds.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1716-23-0x000001C9BDD50000-0x000001C9BDD72000-memory.dmp