Analysis
- max time kernel: 88s
- max time network: 84s
- platform: windows11-21h2_x64
- resource: win11-20240611-en
- resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01-07-2024 10:09
Behavioral task: behavioral1
- Sample: SilverRat V1.5 [Re Lab]/Fixer.exe
- Resource: win11-20240611-en
Behavioral task: behavioral2
- Sample: SilverRat V1.5 [Re Lab]/SilverRat.exe
- Resource: win11-20240508-en
General
- Target: SilverRat V1.5 [Re Lab]/Fixer.exe
- Size: 45KB
- MD5: 545d64cc91e4da6339a70d54a2443c5d
- SHA1: f03344ab824c7cf0f73dcc86aa34cab36e2e54e7
- SHA256: 04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f
- SHA512: 733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681
- SSDEEP: 768:OarX4D9pmZGOXnXhEk75rVeZtxbuRULQj9SEQf9B6SbuDFvr1/xf:OarID9pVU5rVe3xCGsj9O9oQ2Fx/xf
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
pid   process
4156  attrib.exe
3600  attrib.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
4664  $77Runtime Broker.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\hgfdfd\\$77Runtime Broker.exe\""
process: Fixer.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid   process
4932  timeout.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
4616  schtasks.exe
2940  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pid   process                count
2480  Fixer.exe              17
4648  powershell.exe         2
4664  $77Runtime Broker.exe  1
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description                pid   process
Token: SeBackupPrivilege   3740  vssvc.exe
Token: SeRestorePrivilege  3740  vssvc.exe
Token: SeAuditPrivilege    3740  vssvc.exe
Token: SeDebugPrivilege    2480  Fixer.exe
Token: SeDebugPrivilege    4664  $77Runtime Broker.exe
Token: SeDebugPrivilege    4648  powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
4664  $77Runtime Broker.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description                       pid   process                target process
PID 2480 wrote to memory of 4156  2480  Fixer.exe              attrib.exe
PID 2480 wrote to memory of 3600  2480  Fixer.exe              attrib.exe
PID 2480 wrote to memory of 4872  2480  Fixer.exe              cmd.exe
PID 4872 wrote to memory of 4932  4872  cmd.exe                timeout.exe
PID 4872 wrote to memory of 4664  4872  cmd.exe                $77Runtime Broker.exe
PID 4664 wrote to memory of 1692  4664  $77Runtime Broker.exe  schtasks.exe
PID 4664 wrote to memory of 4616  4664  $77Runtime Broker.exe  schtasks.exe
PID 4664 wrote to memory of 5048  4664  $77Runtime Broker.exe  schtasks.exe
PID 4664 wrote to memory of 4648  4664  $77Runtime Broker.exe  powershell.exe
PID 4664 wrote to memory of 2940  4664  $77Runtime Broker.exe  schtasks.exe
(each row is recorded twice in the report, giving the 20 IoCs)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
pid   process
4156  attrib.exe
3600  attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\SilverRat V1.5 [Re Lab]\Fixer.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\SilverRat V1.5 [Re Lab]\Fixer.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\attrib.exe
        cmdline: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"
        - Sets file to hidden
        - Views/modifies file attributes
    [2] C:\Windows\System32\attrib.exe
        cmdline: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
        - Sets file to hidden
        - Views/modifies file attributes
    [2] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9FAB.tmp.bat""
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\timeout.exe
            cmdline: timeout 3
            - Delays execution with timeout.exe
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: "schtasks.exe" /query /TN $77Runtime Broker.exe
            [4] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: "schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
                - Scheduled Task/Job: Scheduled Task
            [4] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: "schtasks.exe" /query /TN $77Runtime Broker.exe
            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\System32\schtasks.exe
                cmdline: "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
                - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ewq35fl.rz4.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp9FAB.tmp.bat
Filesize: 196B
MD5: b10e8e0129fbb85e74445758493dd362
SHA1: 9894e7317dff1eb51da474a2531a9cd965419d50
SHA256: 8815a99373d8676588d546bc06c6a6d902b7b99de2341610ac9ea3d8f8410fc0
SHA512: e11256e1a71c46ec9bbe27253b5c7fb0de46dcc20ff43c833599ce5e9420763fbe06f5dbb7be62fabaae31799ff3659ad3b22dff6602b606b2995d36e4f0dce4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe
Filesize: 45KB
MD5: 545d64cc91e4da6339a70d54a2443c5d
SHA1: f03344ab824c7cf0f73dcc86aa34cab36e2e54e7
SHA256: 04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f
SHA512: 733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681
-
memory/2480-0-0x0000000000FA0000-0x0000000000FB0000-memory.dmp
Filesize: 64KB
-
memory/2480-1-0x00007FF962673000-0x00007FF962675000-memory.dmp
Filesize: 8KB
-
memory/2480-2-0x00007FF962670000-0x00007FF963132000-memory.dmp
Filesize: 10.8MB
-
memory/2480-8-0x00007FF962670000-0x00007FF963132000-memory.dmp
Filesize: 10.8MB
-
memory/4648-17-0x00000147ECC60000-0x00000147ECC82000-memory.dmp
Filesize: 136KB