ebb23e2966d195bce807cbe2d06058402e010bc919d76819847644673bfdbce2

Analysis

max time kernel
88s
max time network
84s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SilverRat V1.5 [Re Lab]/Fixer.exe
Size

45KB
MD5

545d64cc91e4da6339a70d54a2443c5d
SHA1

f03344ab824c7cf0f73dcc86aa34cab36e2e54e7
SHA256

04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f
SHA512

733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681
SSDEEP

768:OarX4D9pmZGOXnXhEk75rVeZtxbuRULQj9SEQf9B6SbuDFvr1/xf:OarID9pVU5rVe3xCGsj9O9oQ2Fx/xf

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4156 attrib.exe
3600 attrib.exe
Executes dropped EXE 1 IoCs

Processes:

$77Runtime Broker.exe

pid process

4664 $77Runtime Broker.exe

pid	process
4156	attrib.exe
3600	attrib.exe

pid	process
4664	$77Runtime Broker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Fixer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\hgfdfd\\$77Runtime Broker.exe\""	Fixer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 discord.com
2 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4932 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4616 schtasks.exe
2940 schtasks.exe

flow	ioc
1	discord.com
2	discord.com

pid	process
4932	timeout.exe

pid	process
4616	schtasks.exe
2940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Fixer.exepowershell.exe$77Runtime Broker.exe

pid	process
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
2480	Fixer.exe
4648	powershell.exe
4648	powershell.exe
4664	$77Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vssvc.exeFixer.exe$77Runtime Broker.exepowershell.exe

description	pid	process
Token: SeBackupPrivilege	3740	vssvc.exe
Token: SeRestorePrivilege	3740	vssvc.exe
Token: SeAuditPrivilege	3740	vssvc.exe
Token: SeDebugPrivilege	2480	Fixer.exe
Token: SeDebugPrivilege	4664	$77Runtime Broker.exe
Token: SeDebugPrivilege	4648	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$77Runtime Broker.exe

pid process

4664 $77Runtime Broker.exe

pid	process
4664	$77Runtime Broker.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Fixer.execmd.exe$77Runtime Broker.exe

description	pid	process	target process
PID 2480 wrote to memory of 4156	2480	Fixer.exe	attrib.exe
PID 2480 wrote to memory of 4156	2480	Fixer.exe	attrib.exe
PID 2480 wrote to memory of 3600	2480	Fixer.exe	attrib.exe
PID 2480 wrote to memory of 3600	2480	Fixer.exe	attrib.exe
PID 2480 wrote to memory of 4872	2480	Fixer.exe	cmd.exe
PID 2480 wrote to memory of 4872	2480	Fixer.exe	cmd.exe
PID 4872 wrote to memory of 4932	4872	cmd.exe	timeout.exe
PID 4872 wrote to memory of 4932	4872	cmd.exe	timeout.exe
PID 4872 wrote to memory of 4664	4872	cmd.exe	$77Runtime Broker.exe
PID 4872 wrote to memory of 4664	4872	cmd.exe	$77Runtime Broker.exe
PID 4664 wrote to memory of 1692	4664	$77Runtime Broker.exe	schtasks.exe
PID 4664 wrote to memory of 1692	4664	$77Runtime Broker.exe	schtasks.exe
PID 4664 wrote to memory of 4616	4664	$77Runtime Broker.exe	schtasks.exe
PID 4664 wrote to memory of 4616	4664	$77Runtime Broker.exe	schtasks.exe
PID 4664 wrote to memory of 5048	4664	$77Runtime Broker.exe	schtasks.exe
PID 4664 wrote to memory of 5048	4664	$77Runtime Broker.exe	schtasks.exe
PID 4664 wrote to memory of 4648	4664	$77Runtime Broker.exe	powershell.exe
PID 4664 wrote to memory of 4648	4664	$77Runtime Broker.exe	powershell.exe
PID 4664 wrote to memory of 2940	4664	$77Runtime Broker.exe	schtasks.exe
PID 4664 wrote to memory of 2940	4664	$77Runtime Broker.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4156 attrib.exe
3600 attrib.exe

pid	process
4156	attrib.exe
3600	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SilverRat V1.5 [Re Lab]\Fixer.exe
"C:\Users\Admin\AppData\Local\Temp\SilverRat V1.5 [Re Lab]\Fixer.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4156

C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9FAB.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4932

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77Runtime Broker.exe
4⤵
PID:1692

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
4⤵
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77Runtime Broker.exe
4⤵
PID:5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
4⤵
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ewq35fl.rz4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9FAB.tmp.bat
Filesize
196B

MD5
b10e8e0129fbb85e74445758493dd362

SHA1
9894e7317dff1eb51da474a2531a9cd965419d50

SHA256
8815a99373d8676588d546bc06c6a6d902b7b99de2341610ac9ea3d8f8410fc0

SHA512
e11256e1a71c46ec9bbe27253b5c7fb0de46dcc20ff43c833599ce5e9420763fbe06f5dbb7be62fabaae31799ff3659ad3b22dff6602b606b2995d36e4f0dce4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe
Filesize
45KB

MD5
545d64cc91e4da6339a70d54a2443c5d

SHA1
f03344ab824c7cf0f73dcc86aa34cab36e2e54e7

SHA256
04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f

SHA512
733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681

Download Submit
memory/2480-0-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

Filesize
64KB

Download
memory/2480-1-0x00007FF962673000-0x00007FF962675000-memory.dmp

Filesize
8KB

Download
memory/2480-2-0x00007FF962670000-0x00007FF963132000-memory.dmp

Filesize
10.8MB

Download
memory/2480-8-0x00007FF962670000-0x00007FF963132000-memory.dmp

Filesize
10.8MB

Download
memory/4648-17-0x00000147ECC60000-0x00000147ECC82000-memory.dmp

Filesize
136KB

Download