File name: SeroXen.zip

Full analysis: https://app.any.run/tasks/54cdcf13-0aa3-4299-9bf0-d31742e1297a
Verdict: Malicious activity
Analysis date: June 15, 2024, 10:19:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 02153FEBFDB4C44D05AA380C7D321DDE
SHA1: 04C2D0A3A9055E332684344E6A0F8F8AAE6A4D0D
SHA256: F2A22A1B44253073CDA975E57EE937304A434538F4DF0942A65B25889F0FA24B
SSDEEP: 393216:OctvkuhTgeYUTVst+L3qtc4jXHG39FVYBdqUq06DW2RW+LQWtXum97:Ow1hTkqVY+LqnHGtFVYK10YRW+EWt+mZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4288)
      • SeroXen.exe (PID: 6296)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 6244)
    • Reads the BIOS version

      • SeroXen.exe (PID: 6296)
    • Executable content was dropped or overwritten

      • SeroXen.exe (PID: 6296)
    • Reads security settings of Internet Explorer

      • SeroXen.exe (PID: 6296)
      • WinRAR.exe (PID: 6244)
    • Checks Windows Trust Settings

      • SeroXen.exe (PID: 6296)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 6244)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6244)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6244)
    • Manual execution by a user

      • WinRAR.exe (PID: 6244)
    • Reads the computer name

      • SeroXen.exe (PID: 6296)
    • Reads the software policy settings

      • SeroXen.exe (PID: 6296)
    • Create files in a temporary directory

      • SeroXen.exe (PID: 6296)
    • Checks supported languages

      • SeroXen.exe (PID: 6296)
    • Reads the machine GUID from the registry

      • SeroXen.exe (PID: 6296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2022:10:25 00:20:34
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: autoexec/
No data.
All screenshots are available in the full report
Total processes: 116
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown: start, winrar.exe (no specs), winrar.exe, seroxen.exe

Process information

PID: 4288
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\SeroXen.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6244
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SeroXen.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6296
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6244.15075\SeroXen.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6244.15075\SeroXen.exe
Indicators: -
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Description: Quasar Server
Version: 1.4.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa6244.15075\seroxen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 14 568
Read events: 14 509
Write events: 59
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(4288) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
(4288) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
(4288) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(4288) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\SeroXen.zip
(4288) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
(4288) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
(4288) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
(4288) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(4288) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | write | name | 256
(4288) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | write | size | 80
Executable files: 28
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
(cells not captured in the export are shown as -)
6244 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6244.15075\client_obf.bin | - | - | -
6244 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6244.15075\Cake.Core.dll | executable | C547895E4F6A86BF9DB103260D5CE792 | 25FCB11500BFFC21F1AE6CF3F5C4FF2E9450F41F01B6B02BCB5873F6F9B279F0
6244 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6244.15075\BouncyCastle.Crypto.dll | executable | 0B2AA376251567DBDC15B3A2A0D10C65 | E1B52566D7AA215EE5583D5A5D2CFBC6CFDCD881C47C7785318552BCB41B7CFF
6244 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6244.15075\dnlib.dll | executable | C044F897673C5D72F631204D36D0DCAD | 6D6EF70286BDC71C9973AAE7069B038BB245FFB83234F98A56359B613810D392
6244 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6244.15075\Cake.Powershell.dll | executable | 271C0AD2A4F25C06D437254AD2D91D68 | D3494C0A006915C348D57CCE502A0E56D01D6DC1631907604E95E7C323D54112
6244 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6244.15075\SeroXen.exe | - | - | -
6244 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6244.15075\C5VM.dll | executable | 37691C7533A9327F520EBE21FAA72191 | DE6F08708B8BC6562828C7787769D14752B2C1AB0B0E9B34B1ED44987BD2F842
6244 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6244.15075\Gma.System.MouseKeyHook.dll | executable | 0BF4660C28D0DDF365934C1333C62C2D | A62784297FF461A71E549DD75D0437D37B1CF8D2B88305C6C028CED7555213F7
6244 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6244.15075\Microsoft.VisualStudio.TestPlatform.MSTest.TestAdapter.dll | executable | C462573A9DD520CD2E03652CA0EC9396 | 5BFC5ABE8BFCF35E4562D4782E5BABEB5708DB2D8714FD2170212384D2652D9B
6244 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6244.15075\Microsoft.VisualStudio.CodeCoverage.Shim.dll | executable | DFEFA869D2F7675DCBE00BEAAE68E35B | 1B0C98A0EF3AB84D4DAC3459BCDDE70928EECB02EF4D575D3F264FF054800529
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 19
TCP/UDP connections: 32
DNS requests: 12
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(cells not captured in the export are shown as -; trailing cells appear in header order as captured)
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.211.242.138:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
4856 | RUXIMICS.exe | GET | 200 | 23.211.242.138:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5576 | svchost.exe | GET | 200 | 23.211.242.138:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.205.37.177:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4856 | RUXIMICS.exe | GET | 200 | 23.205.37.177:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
- | - | GET | - | 23.211.242.197:443 | https://r.bing.com/rb/17/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DygxdoIBhQGIAX95fLsBvgExrgExwQE&or=w | unknown
5576 | svchost.exe | GET | 200 | 23.205.37.177:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
- | - | POST | 400 | 172.67.69.236:443 | https://auth.patched.to/SeroXen | unknown | binary | 16 b
- | - | GET | 200 | 23.211.242.197:443 | https://www.bing.com/dsb/scenario?name=TrendingSearchWithCache&cc=us&setlang=en-us | unknown | binary | 614 b
- | - | POST | 204 | 23.211.242.210:443 | https://www.bing.com/threshold/xls.aspx | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(cells not captured in the export are shown as -)
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4856 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4856 | RUXIMICS.exe | 23.211.242.138:80 | crl.microsoft.com | Akamai International B.V. | US | unknown
5140 | MoUsoCoreWorker.exe | 23.211.242.138:80 | crl.microsoft.com | Akamai International B.V. | US | unknown
5576 | svchost.exe | 23.211.242.138:80 | crl.microsoft.com | Akamai International B.V. | US | unknown
5140 | MoUsoCoreWorker.exe | 23.205.37.177:80 | www.microsoft.com | AKAMAI-AS | MX | unknown
4856 | RUXIMICS.exe | 23.205.37.177:80 | www.microsoft.com | AKAMAI-AS | MX | unknown
5576 | svchost.exe | 23.205.37.177:80 | www.microsoft.com | AKAMAI-AS | MX | unknown
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.211.242.138, 23.211.242.170 | whitelisted
www.microsoft.com | 23.205.37.177 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146, 51.104.136.2 | whitelisted
auth.patched.to | 172.67.69.236, 104.26.14.16, 104.26.15.16 | unknown
www.bing.com | 23.211.242.197, 23.211.242.210 | whitelisted
r.bing.com | 23.211.242.197, 23.211.242.210 | whitelisted
fp.msedge.net | 204.79.197.222 | whitelisted
b-ring.msedge.net | 13.107.6.254 | whitelisted
dual-s-ring.msedge.net | 52.123.128.254, 52.123.129.254 | unknown
self.events.data.microsoft.com | 52.182.143.210 | whitelisted

Threats

PID | Process | Class | Message
(cells not captured in the export are shown as -)
2184 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .to TLD
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
No debug info