ebb23e2966d195bce807cbe2d06058402e010bc919d76819847644673bfdbce2

Analysis

max time kernel
66s
max time network
83s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SilverRat V1.5 [Re Lab]/SilverRat.exe
Size

45KB
MD5

545d64cc91e4da6339a70d54a2443c5d
SHA1

f03344ab824c7cf0f73dcc86aa34cab36e2e54e7
SHA256

04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f
SHA512

733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681
SSDEEP

768:OarX4D9pmZGOXnXhEk75rVeZtxbuRULQj9SEQf9B6SbuDFvr1/xf:OarID9pVU5rVe3xCGsj9O9oQ2Fx/xf

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

772 attrib.exe
2784 attrib.exe
Executes dropped EXE 1 IoCs

Processes:

$77Runtime Broker.exe

pid process

760 $77Runtime Broker.exe

pid	process
772	attrib.exe
2784	attrib.exe

pid	process
760	$77Runtime Broker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SilverRat.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\hgfdfd\\$77Runtime Broker.exe\""	SilverRat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 discord.com
2 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

104 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1264 schtasks.exe
1516 schtasks.exe

flow	ioc
1	discord.com
2	discord.com

pid	process
104	timeout.exe

pid	process
1264	schtasks.exe
1516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

SilverRat.exepowershell.exe$77Runtime Broker.exe

pid	process
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
1436	SilverRat.exe
4248	powershell.exe
4248	powershell.exe
760	$77Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vssvc.exeSilverRat.exe$77Runtime Broker.exepowershell.exe

description	pid	process
Token: SeBackupPrivilege	3420	vssvc.exe
Token: SeRestorePrivilege	3420	vssvc.exe
Token: SeAuditPrivilege	3420	vssvc.exe
Token: SeDebugPrivilege	1436	SilverRat.exe
Token: SeDebugPrivilege	760	$77Runtime Broker.exe
Token: SeDebugPrivilege	4248	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

$77Runtime Broker.exe

pid process

760 $77Runtime Broker.exe

pid	process
760	$77Runtime Broker.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

SilverRat.execmd.exe$77Runtime Broker.exe

description	pid	process	target process
PID 1436 wrote to memory of 772	1436	SilverRat.exe	attrib.exe
PID 1436 wrote to memory of 772	1436	SilverRat.exe	attrib.exe
PID 1436 wrote to memory of 2784	1436	SilverRat.exe	attrib.exe
PID 1436 wrote to memory of 2784	1436	SilverRat.exe	attrib.exe
PID 1436 wrote to memory of 2096	1436	SilverRat.exe	cmd.exe
PID 1436 wrote to memory of 2096	1436	SilverRat.exe	cmd.exe
PID 2096 wrote to memory of 104	2096	cmd.exe	timeout.exe
PID 2096 wrote to memory of 104	2096	cmd.exe	timeout.exe
PID 2096 wrote to memory of 760	2096	cmd.exe	$77Runtime Broker.exe
PID 2096 wrote to memory of 760	2096	cmd.exe	$77Runtime Broker.exe
PID 760 wrote to memory of 1480	760	$77Runtime Broker.exe	schtasks.exe
PID 760 wrote to memory of 1480	760	$77Runtime Broker.exe	schtasks.exe
PID 760 wrote to memory of 1264	760	$77Runtime Broker.exe	schtasks.exe
PID 760 wrote to memory of 1264	760	$77Runtime Broker.exe	schtasks.exe
PID 760 wrote to memory of 4784	760	$77Runtime Broker.exe	schtasks.exe
PID 760 wrote to memory of 4784	760	$77Runtime Broker.exe	schtasks.exe
PID 760 wrote to memory of 4248	760	$77Runtime Broker.exe	powershell.exe
PID 760 wrote to memory of 4248	760	$77Runtime Broker.exe	powershell.exe
PID 760 wrote to memory of 1516	760	$77Runtime Broker.exe	schtasks.exe
PID 760 wrote to memory of 1516	760	$77Runtime Broker.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

772 attrib.exe
2784 attrib.exe

pid	process
772	attrib.exe
2784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SilverRat V1.5 [Re Lab]\SilverRat.exe
"C:\Users\Admin\AppData\Local\Temp\SilverRat V1.5 [Re Lab]\SilverRat.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:772

C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC3EC.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:104

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77Runtime Broker.exe
4⤵
PID:1480

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
4⤵
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77Runtime Broker.exe
4⤵
PID:4784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
4⤵
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2baubkpd.j2a.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC3EC.tmp.bat
Filesize
196B

MD5
0f971c89af22ec4f4656a491107ce457

SHA1
e5b36648788c3b2ef00b77700cb3f623e6fb8762

SHA256
53f6162dabfac0b66311cedb4438ceb8eebf7b401292335a9adb983dca65b581

SHA512
148f7abea0cf07a3396092d7dac490798444e756d6b146291102a05b255c4b9f89f399252306926ce8f96f8be57cd1b5213e988d92bd5272f501ba28828d2dd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe
Filesize
45KB

MD5
545d64cc91e4da6339a70d54a2443c5d

SHA1
f03344ab824c7cf0f73dcc86aa34cab36e2e54e7

SHA256
04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f

SHA512
733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681

Download Submit
memory/1436-1-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/1436-0-0x00007FFE06133000-0x00007FFE06135000-memory.dmp

Filesize
8KB

Download
memory/1436-2-0x00007FFE06130000-0x00007FFE06BF2000-memory.dmp

Filesize
10.8MB

Download
memory/1436-8-0x00007FFE06130000-0x00007FFE06BF2000-memory.dmp

Filesize
10.8MB

Download
memory/4248-17-0x0000020B70550000-0x0000020B70572000-memory.dmp

Filesize
136KB

Download