Analysis
- max time kernel: 66s
- max time network: 83s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01-07-2024 10:09
Behavioral task behavioral1
- Sample: SilverRat V1.5 [Re Lab]/Fixer.exe
- Resource: win11-20240611-en
Behavioral task behavioral2
- Sample: SilverRat V1.5 [Re Lab]/SilverRat.exe
- Resource: win11-20240508-en
General
- Target: SilverRat V1.5 [Re Lab]/SilverRat.exe
- Size: 45KB
- MD5: 545d64cc91e4da6339a70d54a2443c5d
- SHA1: f03344ab824c7cf0f73dcc86aa34cab36e2e54e7
- SHA256: 04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f
- SHA512: 733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681
- SSDEEP: 768:OarX4D9pmZGOXnXhEk75rVeZtxbuRULQj9SEQf9B6SbuDFvr1/xf:OarID9pVU5rVe3xCGsj9O9oQ2Fx/xf
Malware Config
Signatures
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe (PID 772), attrib.exe (PID 2784)
- Executes dropped EXE (1 IoC)
  Processes: $77Runtime Broker.exe (PID 760)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: SilverRat.exe (PID 1436)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\hgfdfd\\$77Runtime Broker.exe\""
  This is the machine-wide HKLM Run key, not the per-user HKCU key; writing it requires administrative rights, which the sample evidently had in this run as the sandbox's Admin user. The value name is recorded as empty, and the path points at the hidden copy dropped under Templates\hgfdfd (see the process tree).
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  The two network indicators behind this signature are not reproduced in this copy of the report.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe (PID 104)
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 1264), schtasks.exe (PID 1516)
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes: SilverRat.exe (PID 1436, 17 entries), powershell.exe (PID 4248, 2 entries), $77Runtime Broker.exe (PID 760, 1 entry)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes and tokens enabled:
  vssvc.exe (PID 3420): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  SilverRat.exe (PID 1436): SeDebugPrivilege
  $77Runtime Broker.exe (PID 760): SeDebugPrivilege
  powershell.exe (PID 4248): SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: $77Runtime Broker.exe (PID 760)
  SetWindowsHookEx installs a Windows message hook; in a RAT this usually means keyboard or mouse capture, but the hook type is not recorded here.
- Suspicious use of WriteProcessMemory (20 IoCs)
  Recorded as 10 parent-to-child writes, each listed twice. Every pair is a parent writing into a child it has just created, so the list is the same tree shown under Processes below:
  SilverRat.exe (PID 1436) wrote to attrib.exe (PID 772), attrib.exe (PID 2784), cmd.exe (PID 2096)
  cmd.exe (PID 2096) wrote to timeout.exe (PID 104), $77Runtime Broker.exe (PID 760)
  $77Runtime Broker.exe (PID 760) wrote to schtasks.exe (PID 1480), schtasks.exe (PID 1264), schtasks.exe (PID 4784), powershell.exe (PID 4248), schtasks.exe (PID 1516)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (PID 772), attrib.exe (PID 2784)
Processes
Indented by depth. PIDs are taken from the signature details above; the two attrib.exe PIDs are assigned in the order the WriteProcessMemory entries list them.

- C:\Users\Admin\AppData\Local\Temp\SilverRat V1.5 [Re Lab]\SilverRat.exe (PID 1436)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SilverRat V1.5 [Re Lab]\SilverRat.exe"
  Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\attrib.exe (PID 772)
    Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"
    Sets file to hidden; Views/modifies file attributes
  - C:\Windows\System32\attrib.exe (PID 2784)
    Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
    Sets file to hidden; Views/modifies file attributes
  - C:\Windows\system32\cmd.exe (PID 2096)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC3EC.tmp.bat""
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 104)
      Command line: timeout 3
      Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe (PID 760)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
      Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\schtasks.exe (PID 1480)
        Command line: "schtasks.exe" /query /TN $77Runtime Broker.exe
      - C:\Windows\SYSTEM32\schtasks.exe (PID 1264)
        Command line: "schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        Scheduled Task/Job: Scheduled Task
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4784)
        Command line: "schtasks.exe" /query /TN $77Runtime Broker.exe
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4248)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\schtasks.exe (PID 1516)
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
        Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\vssvc.exe (PID 3420)
  Command line: C:\Windows\system32\vssvc.exe
  Suspicious use of AdjustPrivilegeToken

Reading the chain:
- SilverRat.exe copies itself to a new folder under the user's Templates directory, marks both the folder and the copy system+hidden with attrib +s +h, and writes the HKLM Run key pointing at the copy. The dropped file's hashes are identical to the original sample (see Downloads), so the copy is a plain self-copy, not a second-stage payload.
- cmd.exe runs the dropped tmpC3EC.tmp.bat, which waits three seconds (timeout 3) and then starts the copy; the original process hands off to the copy this way.
- The copy queries for a task named after itself, then creates it with /SC ONCE at 00:01, /RL HIGHEST (highest available privileges), /IT (interactive) and /F (overwrite), passing "/AsAdmin" to itself as an argument.
- Set-MpPreference -ExclusionExtension exe,bat,dll,ps1 adds Microsoft Defender scan exclusions for those extensions; this requires administrative rights and applies machine-wide.
- The second task, Runtime Broker_Task-HOURLY-01, is created with the action "%MyFile%". Because schtasks.exe was started directly rather than through cmd.exe, nothing expanded the variable, and the task action is the literal string %MyFile% as captured.
- The "$77" filename prefix is the hide-prefix used by the open-source r77 rootkit; no rootkit component is visible in this capture, so treat it as a naming hint only.
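Detection logic for the chain above, as an added example that is not part of the sandbox report or of the sample. The rules below flag the attrib, cmd, schtasks and Set-MpPreference command lines seen in the tree and resolve each hit to its parent chain. The input records are constructed from the process tree on this page (parent and child PIDs from the WriteProcessMemory pairs; root parent PIDs are assumed to be 0, and the attrib PIDs are assumed in the order those entries list them); a benign schtasks record is included as a control.

```python
"""Detection rules for the behaviours in the process tree above.

Added example, not part of the sandbox report or of the sample.  The records
below are constructed from the command lines on this page (parent/child PIDs
taken from the WriteProcessMemory pairs; root PPIDs are assumed to be 0).  In
production the same rules would run over Sysmon Event ID 1 or Security 4688
process-creation events carrying the same four fields.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


# Paths under a user profile are writable without elevation; anything that
# persists from there deserves a look.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


# (alert, image basename the rule applies to or None for any, predicate(proc, parent))
Rule = Tuple[str, Optional[str], Callable[[Proc, Optional[Proc]], bool]]
RULES: List[Rule] = [
    ("attrib.exe hides a path under AppData", "attrib.exe",
     lambda p, _: _has(r"\+[sh]\b", p.cmdline) and bool(USER_WRITABLE.search(p.cmdline))),
    ("cmd.exe runs a dropped .bat from %TEMP%", "cmd.exe",
     lambda p, _: _has(r"\\AppData\\Local\\Temp\\[^\"]+\.bat", p.cmdline)),
    ("cmd.exe launches an executable from AppData", None,
     lambda p, parent: parent is not None and parent.name == "cmd.exe"
     and bool(USER_WRITABLE.search(p.image))),
    ("schtasks creates a task whose action lives under AppData", "schtasks.exe",
     lambda p, _: _has(r"/create\b", p.cmdline) and bool(USER_WRITABLE.search(p.cmdline))),
    ("schtasks creates a task with /RL HIGHEST", "schtasks.exe",
     lambda p, _: _has(r"/create\b", p.cmdline) and _has(r"/rl\s+highest\b", p.cmdline)),
    ("schtasks task action is an unexpanded %VAR%", "schtasks.exe",
     lambda p, _: _has(r"/tr\s+\"?%[^%\s]+%", p.cmdline)),
    ("Defender exclusion added via Set-MpPreference", "powershell.exe",
     lambda p, _: _has(r"set-mppreference\b.*-exclusion(extension|path|process)\b", p.cmdline)),
]


def scan(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, alert) for every rule that fires, with the parent resolved first."""
    by_pid = {p.pid: p for p in procs}
    alerts: List[Tuple[int, str]] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        for alert, image, pred in RULES:
            if image is not None and p.name != image:
                continue
            if pred(p, parent):
                alerts.append((p.pid, alert))
    return alerts


def ancestry(procs: List[Proc], pid: int) -> List[str]:
    """Walk parent links from pid to the root; the chain an analyst wants next to an alert."""
    by_pid = {p.pid: p for p in procs}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:   # seen-set guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


# Constructed records, modelled on the process tree on this page.
T = r"C:\Users\Admin\AppData\Local\Temp"
R = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"
S32 = r"C:\Windows\System32"
SAMPLE: List[Proc] = [
    Proc(1436, 0, T + r"\SilverRat V1.5 [Re Lab]\SilverRat.exe",
         '"' + T + r'\SilverRat V1.5 [Re Lab]\SilverRat.exe"'),
    Proc(772, 1436, S32 + r"\attrib.exe", f'"{S32}\\attrib.exe" +s +h "{R}"'),
    Proc(2784, 1436, S32 + r"\attrib.exe", f'"{S32}\\attrib.exe" +s +h "{R}\\$77Runtime Broker.exe"'),
    Proc(2096, 1436, S32 + r"\cmd.exe", f'{S32}\\cmd.exe /c ""{T}\\tmpC3EC.tmp.bat""'),
    Proc(104, 2096, S32 + r"\timeout.exe", "timeout 3"),
    Proc(760, 2096, R + r"\$77Runtime Broker.exe", f'"{R}\\$77Runtime Broker.exe"'),
    Proc(1480, 760, S32 + r"\schtasks.exe", '"schtasks.exe" /query /TN $77Runtime Broker.exe'),
    Proc(1264, 760, S32 + r"\schtasks.exe",
         f'"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "{R}\\$77Runtime Broker.exe '
         r'\"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST'),
    Proc(4784, 760, S32 + r"\schtasks.exe", '"schtasks.exe" /query /TN $77Runtime Broker.exe'),
    Proc(4248, 760, S32 + r"\WindowsPowerShell\v1.0\powershell.exe",
         f'"{S32}\\WindowsPowerShell\\v1.0\\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit'),
    Proc(1516, 760, S32 + r"\schtasks.exe",
         '"schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00'),
    Proc(3420, 0, S32 + r"\vssvc.exe", S32 + r"\vssvc.exe"),
    # Benign control: a scheduled task created from Program Files must not fire.
    Proc(9001, 0, S32 + r"\schtasks.exe",
         r'"schtasks.exe" /Create /SC DAILY /TN "Backup" /TR "C:\Program Files\Backup\backup.exe" /ST 02:00'),
]

if __name__ == "__main__":
    for pid, alert in scan(SAMPLE):
        print(f"PID {pid:>5}: {alert}  <- " + " <- ".join(ancestry(SAMPLE, pid)))
```

The rules key on the behaviours this run exposed, not on the sample's hashes or file names, so they survive a rebuild of the RAT. The /RL HIGHEST and unexpanded-%VAR% rules are heuristics and will need tuning against an environment's own scheduled-task baseline; the Set-MpPreference rule is the one to treat as high confidence, since adding Defender exclusions from an unprivileged-looking parent is rarely legitimate.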
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), 1
- Scheduled Task/Job: Scheduled Task (T1053.005), 1
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), 1
- Scheduled Task/Job: Scheduled Task (T1053.005), 1
Downloads (dropped files and memory dumps)
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2baubkpd.j2a.ps1 (60B)
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  This is the small test script PowerShell writes at startup to probe the script execution policy; it is a side effect of the powershell.exe launch, not a payload.
- C:\Users\Admin\AppData\Local\Temp\tmpC3EC.tmp.bat (196B)
  MD5: 0f971c89af22ec4f4656a491107ce457
  SHA1: e5b36648788c3b2ef00b77700cb3f623e6fb8762
  SHA256: 53f6162dabfac0b66311cedb4438ceb8eebf7b401292335a9adb983dca65b581
  SHA512: 148f7abea0cf07a3396092d7dac490798444e756d6b146291102a05b255c4b9f89f399252306926ce8f96f8be57cd1b5213e988d92bd5272f501ba28828d2dd4
  The batch file run by cmd.exe (PID 2096) in the process tree; its contents are not reproduced in this report.
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe (45KB)
  MD5: 545d64cc91e4da6339a70d54a2443c5d
  SHA1: f03344ab824c7cf0f73dcc86aa34cab36e2e54e7
  SHA256: 04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f
  SHA512: 733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681
  Every hash matches the submitted SilverRat.exe, so the dropped file is a byte-for-byte copy of the sample.
- memory/1436-1-0x0000000000C00000-0x0000000000C10000-memory.dmp (64KB)
- memory/1436-0-0x00007FFE06133000-0x00007FFE06135000-memory.dmp (8KB)
- memory/1436-2-0x00007FFE06130000-0x00007FFE06BF2000-memory.dmp (10.8MB)
- memory/1436-8-0x00007FFE06130000-0x00007FFE06BF2000-memory.dmp (10.8MB)
- memory/4248-17-0x0000020B70550000-0x0000020B70572000-memory.dmp (136KB)