Analysis
max time kernel: 581s
max time network: 866s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 28-04-2024 03:29
Static task: static1
Behavioral task: behavioral1
Sample: SilverClient.exe
Resource: win10-20240404-en
General
Target: SilverClient.exe
Size: 41KB
MD5: fabd8535478bee89be312833f6089099
SHA1: e14e26e8f6d05929e9a24a3b523d0a8ec2535f11
SHA256: 47ba6b08c23ebfa7813dcd10cebe93876e7c972718151a018b11ff51085c4382
SHA512: 6b12403e742230504a543c7135b4a20af31be1c21649904463bd0cee00fd9e0e08953f0b854089619cc0abba96cd8f1831e4799f7dc81ab600529e3f3a00c04b
SSDEEP: 768:bXbSqna7XKuvHWVcxMX0RhiCpme8d3XHQPRsrZ9PDexz1QB6SED0vrmljlE:bXbSqduvH+cPRhBMe8d3XCCZ9+1Qo/D4
Malware Config
Signatures
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoCs)
  Processes (resource, yara_rule):
    behavioral1/memory/5060-70-0x0000000001870000-0x000000000189A000-memory.dmp | family_stormkitty
- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes (pid, process):
    200 attrib.exe
    236 attrib.exe
- Drops startup file (1 IoCs)
  Processes (description, ioc, process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YOUR FILES HAS BEEN ENCRYPTED!!!.txt | $77svchost.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    5060 $77svchost.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\UserProfile\\$77svchost.exe\"" | SilverClient.exe
- Drops desktop.ini file(s) (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification | \??\c:\users\admin\downloads\desktop.ini | $77svchost.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BHlMMJJGED.jpg" | $77svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
    3896 schtasks.exe
    5004 schtasks.exe
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid, process):
    2148 timeout.exe
- Modifies registry class (1 IoCs)
  Processes (description, ioc, process):
    Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | $77svchost.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid, process):
    3000 vlc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process; 64 entries in the sandbox output, repeated entries for the same pid collapsed here):
    3188 SilverClient.exe
    5044 powershell.exe
    5060 $77svchost.exe
    856 PowerShell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    3000 vlc.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege | 3188 | SilverClient.exe
    Token: SeDebugPrivilege | 5060 | $77svchost.exe
    Token: SeDebugPrivilege | 5044 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 5044 | powershell.exe
    Token: SeSecurityPrivilege | 5044 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 5044 | powershell.exe
    Token: SeLoadDriverPrivilege | 5044 | powershell.exe
    Token: SeSystemProfilePrivilege | 5044 | powershell.exe
    Token: SeSystemtimePrivilege | 5044 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 5044 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 5044 | powershell.exe
    Token: SeCreatePagefilePrivilege | 5044 | powershell.exe
    Token: SeBackupPrivilege | 5044 | powershell.exe
    Token: SeRestorePrivilege | 5044 | powershell.exe
    Token: SeShutdownPrivilege | 5044 | powershell.exe
    Token: SeDebugPrivilege | 5044 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 5044 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 5044 | powershell.exe
    Token: SeUndockPrivilege | 5044 | powershell.exe
    Token: SeManageVolumePrivilege | 5044 | powershell.exe
    Token: 33 | 5044 | powershell.exe
    Token: 34 | 5044 | powershell.exe
    Token: 35 | 5044 | powershell.exe
    Token: 36 | 5044 | powershell.exe
    Token: SeDebugPrivilege | 856 | PowerShell.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid, process):
    3000 vlc.exe (4 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid, process):
    3000 vlc.exe (3 entries)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
    3000 vlc.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description, pid, process, target process; each row appears twice in the sandbox output):
    PID 3188 wrote to memory of 200 | 3188 | SilverClient.exe | attrib.exe
    PID 3188 wrote to memory of 236 | 3188 | SilverClient.exe | attrib.exe
    PID 3188 wrote to memory of 1356 | 3188 | SilverClient.exe | cmd.exe
    PID 1356 wrote to memory of 2148 | 1356 | cmd.exe | timeout.exe
    PID 1356 wrote to memory of 5060 | 1356 | cmd.exe | $77svchost.exe
    PID 5060 wrote to memory of 2700 | 5060 | $77svchost.exe | schtasks.exe
    PID 5060 wrote to memory of 3896 | 5060 | $77svchost.exe | schtasks.exe
    PID 5060 wrote to memory of 4248 | 5060 | $77svchost.exe | schtasks.exe
    PID 5060 wrote to memory of 5044 | 5060 | $77svchost.exe | powershell.exe
    PID 5060 wrote to memory of 5004 | 5060 | $77svchost.exe | schtasks.exe
    PID 5060 wrote to memory of 1248 | 5060 | $77svchost.exe | NOTEPAD.EXE
    PID 5060 wrote to memory of 4976 | 5060 | $77svchost.exe | Cmd.exe
    PID 5060 wrote to memory of 856 | 5060 | $77svchost.exe | PowerShell.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes (pid, process):
    200 attrib.exe
    236 attrib.exe
Processes (indented by process-tree depth; each entry gives the image path, the command line, and the signatures hit by that process)

C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\attrib.exe
    Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\UserProfile"
    - Sets file to hidden
    - Views/modifies file attributes

  C:\Windows\System32\attrib.exe
    Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\UserProfile\$77svchost.exe"
    - Sets file to hidden
    - Views/modifies file attributes

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB594.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\UserProfile\$77svchost.exe
      Command line: "C:\Users\Admin\UserProfile\$77svchost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Sets desktop wallpaper using registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks.exe" /query /TN $77svchost.exe

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks.exe" /Create /SC ONCE /TN "$77svchost.exe" /TR "C:\Users\Admin\UserProfile\$77svchost.exe \"\$77svchost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        - Creates scheduled task(s)

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: "schtasks.exe" /query /TN $77svchost.exe

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "svchost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        - Creates scheduled task(s)

      C:\Windows\system32\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YOUR FILES HAS BEEN ENCRYPTED!!!.txt

      C:\Windows\SYSTEM32\Cmd.exe
        Command line: "Cmd"

      C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
        Command line: "PowerShell"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\TestComplete.m4v"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log
  Filesize: 3KB
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cykgxcwd.q3t.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- C:\Users\Admin\AppData\Local\Temp\tmpB594.tmp.bat
  Filesize: 150B
  MD5: 8d88e82f52cf8f1f1d616e864fb6924d
  SHA1: 050ee5fc9b565db20fadb71608f7c3b82ad32bde
  SHA256: cb726a8755e86adaf7b495a227ac7199a779c243cd4a3a6e859788b3820aa68c
  SHA512: 20c84ec49681fd2f839e83c3c80bfce1c78eb8b6bb0844c558739dbb13a1cbc9bb02120a9a2e2b685d680dca75f9e1018e9d5be74fd279f7c85441c9b8aa5fe0
- C:\Users\Admin\UserProfile\$77svchost.exe
  Filesize: 41KB
  MD5: fabd8535478bee89be312833f6089099
  SHA1: e14e26e8f6d05929e9a24a3b523d0a8ec2535f11
  SHA256: 47ba6b08c23ebfa7813dcd10cebe93876e7c972718151a018b11ff51085c4382
  SHA512: 6b12403e742230504a543c7135b4a20af31be1c21649904463bd0cee00fd9e0e08953f0b854089619cc0abba96cd8f1831e4799f7dc81ab600529e3f3a00c04b
- memory/856-128-0x00000243ED4B0000-0x00000243ED4EC000-memory.dmp
  Filesize: 240KB
- memory/3000-91-0x000001D74D970000-0x000001D74EA20000-memory.dmp
  Filesize: 16.7MB
- memory/3000-90-0x00007FFF004A0000-0x00007FFF00756000-memory.dmp
  Filesize: 2.7MB
- memory/3000-89-0x00007FFF19D10000-0x00007FFF19D44000-memory.dmp
  Filesize: 208KB
- memory/3000-88-0x00007FF7F9650000-0x00007FF7F9748000-memory.dmp
  Filesize: 992KB
- memory/3188-9-0x00007FFF04D80000-0x00007FFF0576C000-memory.dmp
  Filesize: 9.9MB
- memory/3188-0-0x0000000000F20000-0x0000000000F2E000-memory.dmp
  Filesize: 56KB
- memory/3188-4-0x00007FFF04D80000-0x00007FFF0576C000-memory.dmp
  Filesize: 9.9MB
- memory/3188-2-0x000000001CA50000-0x000000001CA60000-memory.dmp
  Filesize: 64KB
- memory/3188-1-0x00007FFF04D80000-0x00007FFF0576C000-memory.dmp
  Filesize: 9.9MB
- memory/5044-20-0x000001B5BC0A0000-0x000001B5BC116000-memory.dmp
  Filesize: 472KB
- memory/5044-17-0x000001B5BBD70000-0x000001B5BBD92000-memory.dmp
  Filesize: 136KB
- memory/5060-68-0x00000000036E0000-0x0000000003700000-memory.dmp
  Filesize: 128KB
- memory/5060-69-0x00000000016A0000-0x0000000001826000-memory.dmp
  Filesize: 1.5MB
- memory/5060-70-0x0000000001870000-0x000000000189A000-memory.dmp
  Filesize: 168KB
- memory/5060-71-0x00000000018A0000-0x00000000018AE000-memory.dmp
  Filesize: 56KB
- memory/5060-92-0x00000000018C0000-0x00000000018D0000-memory.dmp
  Filesize: 64KB
- memory/5060-93-0x0000000000010000-0x0000000000066000-memory.dmp
  Filesize: 344KB