Resubmissions

22/11/2024, 16:16

241122-tq4zdatpg1 10

31/01/2024, 15:15

240131-sm8mqaggbj 8

Analysis

  • max time kernel
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • submitted
    31/01/2024, 15:15

General

  • Target

    Silver.exe

  • Size

    40KB

  • MD5

    c99c7d1673abd0499e508de4c2445523

  • SHA1

    e7333eb204147ac867cc06b597fb858fd29db2cc

  • SHA256

    6ccf17da9d1511886987f459d7524af6c195e853dff405ec211d9ae89163469c

  • SHA512

    62db95fe4f8ecb2da45afea01241886e6f97b3e9ad3b56ac5b1d8c0eea335a4dbf1c32d584ef844fb38e259625b330cde1a6cb63cf6b98c26098f9dcae97a3d1

  • SSDEEP

    768:00sNbahnB/yoF3Yvz/DZM4snnnn71A+RUbB489ZYzb8hdB6Sc4xO:07RPL+Gt9ZYXooB4xO

Malware Config

Extracted

  • Family
    silverrat
  • Version
    1.0.0.0
  • C2
    haffasdqa.duckdns.org:6070
  • Mutex
    SilverMutex_ZAISHXAYQR

Attributes
  • certificate
  • decrypted_key
    -|S.S.S|-
  • key
    yy6zDjAUmbB09pKvo5Hhug==
  • key_x509
    WmZhaWZHSlJEU1NHQ2lSQUdFck95dGxpQVVOd0lE
  • reconnect_delay
    4

  • server_signature

Signatures

  • SilverRat

    SilverRat is a trojan written in C#.

  • Silverrat family
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Silver.exe
    "C:\Users\Admin\AppData\Local\Temp\Silver.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\.cache"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2080
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\.cache\$77silver.exe"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2836
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8F54.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:292
      • C:\Users\Admin\AppData\Roaming\.cache\$77silver.exe
        "C:\Users\Admin\AppData\Roaming\.cache\$77silver.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2904
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2708
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2620

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp8F54.tmp.bat

      Filesize

      160B

      MD5

      c49d846351533df06cdca02931ee3653

      SHA1

      6906c258207eb8084e72d8bfa6a37464e278ca0f

      SHA256

      f2a2258f021cc7691f00098783830abf4653762e732cb0b9877de868a7abb8c9

      SHA512

      6f11253ba923793d88bca58cbb44174108e36508553e44139285243b209cea3fa23f946c239fc8e00d8d1afd12a37eda96bee2d85af11938e646e5a502e0fb81

    • C:\Users\Admin\AppData\Roaming\.cache\$77silver.exe

      Filesize

      40KB

      MD5

      c99c7d1673abd0499e508de4c2445523

      SHA1

      e7333eb204147ac867cc06b597fb858fd29db2cc

      SHA256

      6ccf17da9d1511886987f459d7524af6c195e853dff405ec211d9ae89163469c

      SHA512

      62db95fe4f8ecb2da45afea01241886e6f97b3e9ad3b56ac5b1d8c0eea335a4dbf1c32d584ef844fb38e259625b330cde1a6cb63cf6b98c26098f9dcae97a3d1

    • memory/1104-1-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

      Filesize

      9.9MB

    • memory/1104-2-0x000000001BB20000-0x000000001BBA0000-memory.dmp

      Filesize

      512KB

    • memory/1104-0-0x000000013FB40000-0x000000013FB4E000-memory.dmp

      Filesize

      56KB

    • memory/1104-16-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

      Filesize

      9.9MB

    • memory/1104-6-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

      Filesize

      9.9MB

    • memory/1104-7-0x000000001BB20000-0x000000001BBA0000-memory.dmp

      Filesize

      512KB

    • memory/2708-4-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2708-5-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2708-20-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2904-19-0x000000013F510000-0x000000013F51E000-memory.dmp

      Filesize

      56KB

    • memory/2904-23-0x000007FEF4BB0000-0x000007FEF559C000-memory.dmp

      Filesize

      9.9MB

    • memory/2904-24-0x000007FEF4BB0000-0x000007FEF559C000-memory.dmp

      Filesize

      9.9MB

    • memory/2904-25-0x000000001B280000-0x000000001B300000-memory.dmp

      Filesize

      512KB

    • memory/2904-31-0x000000001B280000-0x000000001B300000-memory.dmp

      Filesize

      512KB

    • memory/2904-60-0x000000001B280000-0x000000001B300000-memory.dmp

      Filesize

      512KB