9e7f41fd174c2f47df52b296d99993f4210a87206bcb8f8a75407ba9e9ad18e9

Analysis

max time kernel
92s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
27-06-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Silver Rat [Re Lab]/SilverRat.exe
Size

25.2MB
MD5

d6527f7d5f5152c3f5fff6786e5c1606
SHA1

e8da82b4a3d2b6bee04236162e5e46e636310ec6
SHA256

79a4605d24d32f992d8e144202e980bb6b52bf8c9925b1498a1da59e50ac51f9
SHA512

2b4eb9e66028d263c52b3da42fa3df256cf49cd7a7ebdf7c75da6a2dedfd2c22cb5f2071345b7016cd742539c74a801cad70c612330be79802fa19f860ea2d5f
SSDEEP

786432:SZYRGnGvovVvAuuglekvAR4vzHcv6lHGH9KdDmvQuLGgJMKV+n9n1vgvVv2jlv1S:Ik79a

Score

7^/10

agilenet

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral4/memory/1832-6-0x0000000007330000-0x000000000737E000-memory.dmp agile_net
behavioral4/memory/1832-12-0x0000000008E30000-0x0000000008F7E000-memory.dmp agile_net
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4564 1832 WerFault.exe SilverRat.exe
1596 1832 WerFault.exe SilverRat.exe
1376 1196 WerFault.exe SilverRat.exe
1236 1196 WerFault.exe SilverRat.exe

resource	yara_rule
behavioral4/memory/1832-6-0x0000000007330000-0x000000000737E000-memory.dmp	agile_net
behavioral4/memory/1832-12-0x0000000008E30000-0x0000000008F7E000-memory.dmp	agile_net

pid	pid_target	process	target process
4564	1832	WerFault.exe	SilverRat.exe
1596	1832	WerFault.exe	SilverRat.exe
1376	1196	WerFault.exe	SilverRat.exe
1236	1196	WerFault.exe	SilverRat.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SilverRat.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SilverRat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SilverRat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SilverRat.exe

pid	process
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe
1832	SilverRat.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SilverRat.exeSilverRat.exeSilverRat.exe

description pid process

Token: SeDebugPrivilege 1832 SilverRat.exe
Token: SeDebugPrivilege 1196 SilverRat.exe
Token: SeDebugPrivilege 3464 SilverRat.exe

description	pid	process
Token: SeDebugPrivilege	1832	SilverRat.exe
Token: SeDebugPrivilege	1196	SilverRat.exe
Token: SeDebugPrivilege	3464	SilverRat.exe

C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe
"C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1296
2⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1316
2⤵
- Program crash
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1832 -ip 1832
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1832 -ip 1832
1⤵
PID:3120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe
"C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1288
2⤵
- Program crash
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1288
2⤵
- Program crash
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1196 -ip 1196
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1196 -ip 1196
1⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe
"C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe"
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1480

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tmp35A1.tmp
Filesize
4KB

MD5
e1a48ec781542ab4f0d3a3368b2a1d05

SHA1
a35670f07e5320a1591a55d903b35dcdd1d224a1

SHA256
f41d8818774f3ec0bf936e564f50008b46f5e4060edaab3bd72ffa389fb9ef21

SHA512
d3e756d8b321d38962a7b36af617d152e9bfd499b31f1630a24ada435715ad81a29ab73e4ab4aa21bbc9029b4177a943303e7df922bf375c2583607cb6f6566a

Download Submit
memory/1196-14-0x0000000074670000-0x0000000074E21000-memory.dmp

Filesize
7.7MB

Download
memory/1196-16-0x0000000074670000-0x0000000074E21000-memory.dmp

Filesize
7.7MB

Download
memory/1196-15-0x0000000074670000-0x0000000074E21000-memory.dmp

Filesize
7.7MB

Download
memory/1832-8-0x0000000074670000-0x0000000074E21000-memory.dmp

Filesize
7.7MB

Download
memory/1832-11-0x0000000008920000-0x00000000089BC000-memory.dmp

Filesize
624KB

Download
memory/1832-6-0x0000000007330000-0x000000000737E000-memory.dmp

Filesize
312KB

Download
memory/1832-7-0x00000000078E0000-0x0000000007B32000-memory.dmp

Filesize
2.3MB

Download
memory/1832-0-0x000000007467E000-0x000000007467F000-memory.dmp

Filesize
4KB

Download
memory/1832-9-0x0000000007740000-0x000000000774A000-memory.dmp

Filesize
40KB

Download
memory/1832-10-0x0000000007890000-0x00000000078C2000-memory.dmp

Filesize
200KB

Download
memory/1832-5-0x0000000007480000-0x00000000075D0000-memory.dmp

Filesize
1.3MB

Download
memory/1832-12-0x0000000008E30000-0x0000000008F7E000-memory.dmp

Filesize
1.3MB

Download
memory/1832-13-0x0000000074670000-0x0000000074E21000-memory.dmp

Filesize
7.7MB

Download
memory/1832-4-0x0000000006990000-0x0000000006B06000-memory.dmp

Filesize
1.5MB

Download
memory/1832-3-0x0000000006670000-0x0000000006702000-memory.dmp

Filesize
584KB

Download
memory/1832-2-0x0000000006B80000-0x0000000007126000-memory.dmp

Filesize
5.6MB

Download
memory/1832-1-0x00000000001D0000-0x0000000001AFE000-memory.dmp

Filesize
25.2MB

Download