Malware Analysis Report

2024-11-30 18:52

Sample ID 240317-xadzsscg25
Target Silver Rat [Re Lab](1).7z
SHA256 a384bad25740a4b783eaadd6ade53d96e878e1313c34321ddfb23149fbf6366d
Tags agilenet
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

a384bad25740a4b783eaadd6ade53d96e878e1313c34321ddfb23149fbf6366d

Threat Level: Shows suspicious behavior

The file Silver Rat [Re Lab](1).7z was found to show suspicious behavior.

Malicious Activity Summary

agilenet

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry class

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-17 18:38

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-17 18:38

Reported

2024-03-17 18:43

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

159s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\Newtonsoft.Json.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\Newtonsoft.Json.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 92.123.128.180:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 180.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 207.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 184.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 65.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 198.178.17.96.in-addr.arpa udp
GB 96.17.178.198:80 tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-17 18:38

Reported

2024-03-17 18:43

Platform

win7-20240221-en

Max time kernel

118s

Max time network

131s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a70000000000200000000001066000000010000200000007d6061edf5c06954fed6da79be707ac20995f31fe50594544a852d4d1be8a200000000000e8000000002000020000000a0975721242cc7a43c5e98a7a95e6b83147312f04c66032613f8bdd957376126900000004a3aec3eeab690d7bd402fc451200f03360a178d5a527132d0c172ee7c9bdef72fe666f640568493fcdd0ec2152ef9d75257d67a1c0dca9eac86b480d325a2e16e558635ed0ad4f86d7a6d93db186261311560860c1e4ea1931605789ce43bf5fb4f4478fe2c592d78cc9d353387389395d9f52a5a891a8fd179878a3ff24c7927df4d180afb699ec33653bad6434ae340000000769a86ff9e08a3eec7b3bf2fa666d973b0235f7c1428211e280a5a6c97648c216b739d9dd43799f16348ec28ae1d837c35bf70a6e19a996f8d6c5e234eb2d068 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80b146bb9a78da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416862730" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000070909440d515e29c7149c6af15c5d8253eb782aad4bd3fde1395394aa844932c000000000e80000000020000200000008a280b6fa4d6501b4157fd11ca13d8f4d195795e5237c4b795a34ab44cfc58e120000000fe2f3229d83d2789eefada4dac40f6dee18437c8f644b2ff9aed11eaf2ffcaaf400000004933ab9706a0afd8e2d2ee6f80aa954a88c027f330e17bf28a23d4a54dec1d717b5ab3e0bcff470af6c997ea02c41daf6fbeca4f60628bef13c3c3890bda8e2a C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E6CA7E41-E48D-11EE-B937-729E5AF85804} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 2076 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1700 wrote to memory of 2076 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1700 wrote to memory of 2076 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1700 wrote to memory of 2076 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2076 wrote to memory of 2976 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2076 wrote to memory of 2976 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2076 wrote to memory of 2976 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2076 wrote to memory of 2976 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2976 wrote to memory of 2564 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2976 wrote to memory of 2564 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2976 wrote to memory of 2564 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2976 wrote to memory of 2564 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar2969.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0dcaf2c69e1e107d036185f22bb7d124
SHA1 37eff964f2a742afc7243397e5ed2c5aa45c00f2
SHA256 3dd16815e2433ddd95963e0246e33108eecc37bd0ddfa11751ba3a640d0c0c7d
SHA512 ce5d34d0d6c3a10d7ca271a24123c1d3148fcac8d8f316e9362761e718ea220af6752b417379f152f20d8b555fc883d7076158595eb4f5c4680dae08a8ff5f7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c43321103673f75821a9b7f5cfb6c1b3
SHA1 5ee55eae640eecda0f1735db8244f3f8ebc1542a
SHA256 03b61380472549bb5c56ea2161fff8db5c8e7e6738585cff6098021be9462ac2
SHA512 2c17e64e2d26182fccd55408f734996c0c31dfcaf0bae968a2e561c6e58cba5a15b7b73e11dc6c076059e7e2c68bd3cd4c91356ce02b8681ad903600d0a9aeb5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3efc941c0fbebc90c6f52c472e8a8aa
SHA1 ff6b588106f255ef2f11a7dffb913a8d7d7a05f2
SHA256 578f1cb190c3ad5c731ccad2f9f1813637564b37e6bb33a4302ba8b7906ef8d7
SHA512 0a225373fc173a03586ebaaae8cb56dee3f3472b6ae1c07b4c68bb72c34626fa8a0b42c0435a6e80d5b902dd2708cdb6cdf9060283fae715e01c48673ac53137

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20de123aa3890a548c9dddec3467b4a9
SHA1 8970a5e9d26f810745d5c43c5f507c4b2a828aad
SHA256 99e89f2f48808c4d4769a7a2f648e00a8ceb588133634fea0ebe2a10ccd2a93d
SHA512 12c6b0eaaf4e30c3b725a4504da206502a6c7a2579725de167eddafaa8b3d07a6ba1c152a82deacc26e5a6505c3abb09b0a30f43e11fb02fb77421b53e95738f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e06b3a8662acfcb5dcfa18c8807388c
SHA1 73dc16e9127e2fda4cead9b2aedb9c718c149048
SHA256 a6b35bcdfcaa9d7732fae5c2acc7f1907598c2a69cf212fe4e3d8dd3df103d14
SHA512 f10a1d5b9337720c16cd96c61ef3e2c9a7fb99927578db8fcaaf4a67b58ee8606246eb118a8a6ceabc2b0612ee133595e16ab1b8b5d17ac4989c6bef34c12fcb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15dfd49e9888adb3d8f3eb7ef307ee92
SHA1 de7b0c18384bed82e00a0189c4fc9a78bc20195d
SHA256 1380458e11423c14ae332592788bf79681ea613d0cd5d41c8b41d9ce3d78f319
SHA512 c1453bc0d49788ca516bcd9fac6dcea27e7a4fbc905cdb1c1b17e28c23dbd1f70f99a6ef5f16bc2eece38887968bdd4c9bf783de7129585a5f0ac1163104c8ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56c3f8bd4b994969e73f6c9ad0a60cce
SHA1 96b9d9829e656953720f19b6b39c03138d28c14d
SHA256 d81acff64067e3688516007507398cbd3984826310d5af1b7624b558e46dcd41
SHA512 2261d33c7baff983ace38538a4404a281f6034930cf45fd1cd28d162965ad2dbc1f4b3aec8bcdaee797f9b8da2e395412aca94f4faa77b40bc8bb4154ce841af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e3afbde85582695a58cc15c0af89fe2
SHA1 4616a450c787475bb7ce4e89f1cfeabf4514d69f
SHA256 4292f7875062559f76d5f6a15ab2fed2eb7c8565a75ee2f01a351f1ebe292d99
SHA512 ac6dac454ca35a463d874b3c271f9dcb8ec0eb43074d62a9c87c29b0ef5192c93bbd132f9f0589877f6d61f462bb1e12f5c90262bc85f3bba780d65646a225b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4804764e6820d6103ab306ac4121271
SHA1 4a1dae03efa0d99a1db5915a3f773450c23c9148
SHA256 156511103f4847fc4ec2f479499de16f7ebd35a43e202794d06c74e9d79b5e7e
SHA512 192403646a5b140d89cf8a79ed9e1e59b5ed5042e30b0244ac28430b169ab19946d5ad589b214d9ebc17df3baea79616e02060c7682671707bac8e32136f66cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89b31cc02d7f7df9ff563f7e8b70c731
SHA1 df49a84ea0d3f1cceb251612660752821e433a1a
SHA256 72dd8bbe72e64bbaa78f27d57d76d36b7483e28338c3df4c255710877b0372ad
SHA512 337b692eb8bad1d305a0c1983d935541ca23879a09717590ff326602cf53355635ffc51453fa57722c26c86206629306aa7b629dd1530a5d192734e9d94313ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca7894fc51e6fbe20d304d2a1c93ecc9
SHA1 cd55b492d240354c43160e5ce3ff9e420fc4fc17
SHA256 d153d6a82c955774230ea5c8e6abb0f9478e0f7320e96ce1502fef47331c6d82
SHA512 3f13b22daf2459a6737960ba6a67d3def4bf39ab40b3ec16766ceff858e8ec8035a40da6731f8951ad7e71dae23f2628a87b2445424363a586e1a0d489d00445

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9721a86657b657e5abcc6beadf6b981b
SHA1 d8ec9d912a775ae93d50a537fe2f00266db714fc
SHA256 b1e8ef6e3bae3ce13a3524dac3fdebc69d589c595ef6bab3502c9039a298c3a4
SHA512 8e15feb2d96b69ebf21433ae7eb08ee6bab626e4ddc7783358c60dc3a8a1a808f6158b41ee565f96cb04c0b61a49659ab8b139ecbfe89f1cd17fc4b844bc027e

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-17 18:38

Reported

2024-03-17 18:43

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 75.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 207.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 80.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 96.17.178.204:80 tcp

Files

memory/1436-1-0x00007FFCDBFF0000-0x00007FFCDC1E5000-memory.dmp

memory/1436-0-0x00007FFC9C070000-0x00007FFC9C080000-memory.dmp

memory/1436-2-0x00007FFCDBFF0000-0x00007FFCDC1E5000-memory.dmp

memory/1436-3-0x00007FFCDBFF0000-0x00007FFCDC1E5000-memory.dmp

memory/1436-4-0x00007FFCD9A00000-0x00007FFCD9CC9000-memory.dmp

memory/1436-5-0x00007FFC9C070000-0x00007FFC9C080000-memory.dmp

memory/1436-6-0x00007FFCDBFF0000-0x00007FFCDC1E5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 18:38

Reported

2024-03-17 18:43

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab](1).7z"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2740 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2740 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab](1).7z"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab](1).7z"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 18:38

Reported

2024-03-17 18:43

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

157s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab](1).7z"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2712 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab](1).7z"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab](1).7z"

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-17 18:38

Reported

2024-03-17 18:43

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\Bunifu.Licensing.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\Bunifu.Licensing.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-17 18:38

Reported

2024-03-17 18:43

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\Newtonsoft.Json.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\Newtonsoft.Json.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-17 18:38

Reported

2024-03-17 18:43

Platform

win7-20240215-en

Max time kernel

118s

Max time network

119s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\stub.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\stub.js"

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-17 18:38

Reported

2024-03-17 18:43

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

117s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\stub.js"

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\stub.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 207.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-17 18:38

Reported

2024-03-17 18:44

Platform

win10v2004-20240226-en

Max time kernel

156s

Max time network

177s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\Bunifu.Licensing.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\Bunifu.Licensing.dll",#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=3016,i,1323102786462900035,7687994236215859601,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-17 18:38

Reported

2024-03-17 18:43

Platform

win7-20240220-en

Max time kernel

121s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = <value omitted> C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EA491DB1-E48D-11EE-A1AD-46837A41B3D6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1025f7c09a78da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416862739" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000336c3f68b2a38f33bc75de48c11fd616cca6a0737c73966d160beba76d6bb31a000000000e80000000020000200000006b01cdeb9a983ac0a0399683ca404697bea839df02f1d49dacc9d987b47f9b8120000000b6354195a34212ccd885dd7cfc50b4952658c6e2ba051974a9380f12e0a8c9b340000000ca252c9c36054f6fdaafee8b6a51a5b3e0ec377d6ae3b2031e4f67e8bb32839fb67caebfc6538fb4f12c98178cdfb9bfcdae9b974ed6979d47ce226a13a034e2 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe

"C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=SilverRat.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:768 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-17 18:38

Reported

2024-03-17 18:43

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe

"C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4880 -ip 4880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4880 -ip 4880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1260

Network

Country Destination Domain Proto

Files
