e0803fe76c83da3b24ae34f2862e08356b46d9046bf53947de8c1729e5dd18ee

Analysis

max time kernel
127s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-05-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SilverRat.exe
Size

31.4MB
MD5

117de8f14dc5c65e147710d3051349a9
SHA1

5017520d5db39435598e18093ebcd1f02ac59375
SHA256

a9bb2702e76300dd4ef6abd1d055b3bd49f59240b585cc33e9322b28fcf9a373
SHA512

57c1b7238dfad5f6cf4c520d79d7173dbff36184151c52d2b69104e1e37677fd9e37c63b43dd82cc0d5af183c91de21a15b2759b6770fae68618c9cf4b6ff680
SSDEEP

393216:Mk/S9SNoW/KQ4izbTFEAzSN+Wn/d/yzE6Ym4Ez6AyvmtUF5SiXybHl:HKmPxe+Wn/da4I4c6XoQSWyZ

Score

8^/10

agilenet execution persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

windowssdk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ThreadDriversFirewall\Parameters\ServiceDll = "C:\\Windows\\System32\\ThreadDriversFirewall.dll"	windowssdk.exe

Executes dropped EXE 2 IoCs

Processes:

windowssdk.exeSilverRatBuilder.exe

pid process

832 windowssdk.exe
4212 SilverRatBuilder.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

4160 svchost.exe

pid	process
832	windowssdk.exe
4212	SilverRatBuilder.exe

pid	process
4160	svchost.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral20/memory/4212-38-0x00000000075C0000-0x000000000760E000-memory.dmp	agile_net
behavioral20/memory/4212-59-0x0000000009080000-0x00000000091CE000-memory.dmp	agile_net

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windowssdk.exe	upx
behavioral20/memory/832-7-0x00007FF6E5EA0000-0x00007FF6E6627000-memory.dmp	upx
behavioral20/memory/832-275-0x00007FF6E5EA0000-0x00007FF6E6627000-memory.dmp	upx
behavioral20/memory/832-309-0x00007FF6E5EA0000-0x00007FF6E6627000-memory.dmp	upx
behavioral20/memory/832-320-0x00007FF6E5EA0000-0x00007FF6E6627000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

windowssdk.exe

description ioc process

File created C:\Windows\System32\ThreadDriversFirewall.dll windowssdk.exe
Drops file in Windows directory 2 IoCs

Processes:

SilverRat.exewindowssdk.exe

description ioc process

File created C:\Windows\windowssdk.exe SilverRat.exe
File created C:\Windows\GUDWYKRW.bin windowssdk.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2264 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\System32\ThreadDriversFirewall.dll	windowssdk.exe

description	ioc	process
File created	C:\Windows\windowssdk.exe	SilverRat.exe
File created	C:\Windows\GUDWYKRW.bin	windowssdk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeSilverRatBuilder.exe

pid	process
2264	powershell.exe
2264	powershell.exe
2264	powershell.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe
4212	SilverRatBuilder.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeSilverRatBuilder.exe

description pid process

Token: SeDebugPrivilege 2264 powershell.exe
Token: SeDebugPrivilege 4212 SilverRatBuilder.exe

description	pid	process
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	4212	SilverRatBuilder.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SilverRat.exe

description	pid	process	target process
PID 4192 wrote to memory of 2264	4192	SilverRat.exe	powershell.exe
PID 4192 wrote to memory of 2264	4192	SilverRat.exe	powershell.exe
PID 4192 wrote to memory of 2264	4192	SilverRat.exe	powershell.exe
PID 4192 wrote to memory of 832	4192	SilverRat.exe	windowssdk.exe
PID 4192 wrote to memory of 832	4192	SilverRat.exe	windowssdk.exe
PID 4192 wrote to memory of 4212	4192	SilverRat.exe	SilverRatBuilder.exe
PID 4192 wrote to memory of 4212	4192	SilverRat.exe	SilverRatBuilder.exe
PID 4192 wrote to memory of 4212	4192	SilverRat.exe	SilverRatBuilder.exe

C:\Users\Admin\AppData\Local\Temp\SilverRat.exe
"C:\Users\Admin\AppData\Local\Temp\SilverRat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAbgBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAdQBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAaQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAYQBlACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\windowssdk.exe
"C:\Windows\windowssdk.exe"
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:832

C:\Users\Admin\AppData\Local\Temp\SilverRatBuilder.exe
"C:\Users\Admin\AppData\Local\Temp\SilverRatBuilder.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2012

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k threaddriversfirewall -s ThreadDriversFirewall
1⤵
- Loads dropped DLL
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SilverRatBuilder.exe

Filesize
25.2MB

MD5
d6527f7d5f5152c3f5fff6786e5c1606

SHA1
e8da82b4a3d2b6bee04236162e5e46e636310ec6

SHA256
79a4605d24d32f992d8e144202e980bb6b52bf8c9925b1498a1da59e50ac51f9

SHA512
2b4eb9e66028d263c52b3da42fa3df256cf49cd7a7ebdf7c75da6a2dedfd2c22cb5f2071345b7016cd742539c74a801cad70c612330be79802fa19f860ea2d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1A69.tmp

Filesize
4KB

MD5
e1a48ec781542ab4f0d3a3368b2a1d05

SHA1
a35670f07e5320a1591a55d903b35dcdd1d224a1

SHA256
f41d8818774f3ec0bf936e564f50008b46f5e4060edaab3bd72ffa389fb9ef21

SHA512
d3e756d8b321d38962a7b36af617d152e9bfd499b31f1630a24ada435715ad81a29ab73e4ab4aa21bbc9029b4177a943303e7df922bf375c2583607cb6f6566a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ornq525h.ifz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\windowssdk.exe

Filesize
6.2MB

MD5
e58b6dba9e96f3f015010a7796676153

SHA1
bae94a6035fe295f803c12b7dbc85cac2bf120a0

SHA256
9e8a91ecf50a0e4d9cda2f80380345d8edba197551a2bc5c797cb43007fd8181

SHA512
1b357abde0a7fa9dca1e4cb1d15f250800bedf80faa25b8b211f51527484af392ae9d6b47fa6c512eea42124f523654ba92ac6e40aa15fc71d5c98cbfbbdbe59

Download Submit
\??\c:\windows\system32\threaddriversfirewall.dll

Filesize
6.9MB

MD5
5012248d9b15f575a387921e8963264b

SHA1
2e7fc5ff0e8ca06eb173db4d7a44401756f982aa

SHA256
5777293a7f97869f56ca22438def80619bdfeeea9b4da35f2d0ff38aa7bf8baa

SHA512
7aec30119dbbd4db92130323ab195f051d26a213febdf7a77b117e1f40620625ec8fdf937fa88bf4545a4143ad159efce6e4af2e4fb4549831793acc736b308e

Download Submit
memory/832-304-0x0000000180000000-0x0000000180737000-memory.dmp

Filesize
7.2MB

Download
memory/832-320-0x00007FF6E5EA0000-0x00007FF6E6627000-memory.dmp

Filesize
7.5MB

Download
memory/832-275-0x00007FF6E5EA0000-0x00007FF6E6627000-memory.dmp

Filesize
7.5MB

Download
memory/832-7-0x00007FF6E5EA0000-0x00007FF6E6627000-memory.dmp

Filesize
7.5MB

Download
memory/832-309-0x00007FF6E5EA0000-0x00007FF6E6627000-memory.dmp

Filesize
7.5MB

Download
memory/2264-9-0x0000000004CA0000-0x0000000004CD6000-memory.dmp

Filesize
216KB

Download
memory/2264-60-0x0000000009860000-0x00000000098F4000-memory.dmp

Filesize
592KB

Download
memory/2264-22-0x0000000007CD0000-0x0000000007CEC000-memory.dmp

Filesize
112KB

Download
memory/2264-23-0x0000000008680000-0x00000000086CB000-memory.dmp

Filesize
300KB

Download
memory/2264-18-0x0000000007DF0000-0x0000000008140000-memory.dmp

Filesize
3.3MB

Download
memory/2264-25-0x0000000008470000-0x00000000084E6000-memory.dmp

Filesize
472KB

Download
memory/2264-11-0x00000000075E0000-0x0000000007C08000-memory.dmp

Filesize
6.2MB

Download
memory/2264-253-0x00000000086F0000-0x000000000870A000-memory.dmp

Filesize
104KB

Download
memory/2264-13-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-17-0x00000000074C0000-0x0000000007526000-memory.dmp

Filesize
408KB

Download
memory/2264-16-0x0000000007450000-0x00000000074B6000-memory.dmp

Filesize
408KB

Download
memory/2264-10-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-8-0x0000000072BCE000-0x0000000072BCF000-memory.dmp

Filesize
4KB

Download
memory/2264-15-0x00000000073B0000-0x00000000073D2000-memory.dmp

Filesize
136KB

Download
memory/2264-274-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-258-0x00000000086D0000-0x00000000086D8000-memory.dmp

Filesize
32KB

Download
memory/2264-51-0x0000000009330000-0x0000000009363000-memory.dmp

Filesize
204KB

Download
memory/2264-53-0x0000000009310000-0x000000000932E000-memory.dmp

Filesize
120KB

Download
memory/2264-52-0x0000000074060000-0x00000000740AB000-memory.dmp

Filesize
300KB

Download
memory/2264-58-0x00000000096B0000-0x0000000009755000-memory.dmp

Filesize
660KB

Download
memory/4160-315-0x0000000180000000-0x000000018069B000-memory.dmp

Filesize
6.6MB

Download
memory/4212-37-0x0000000007710000-0x0000000007860000-memory.dmp

Filesize
1.3MB

Download
memory/4212-59-0x0000000009080000-0x00000000091CE000-memory.dmp

Filesize
1.3MB

Download
memory/4212-46-0x0000000008A70000-0x0000000008B0C000-memory.dmp

Filesize
624KB

Download
memory/4212-45-0x0000000008980000-0x00000000089B2000-memory.dmp

Filesize
200KB

Download
memory/4212-44-0x0000000007A50000-0x0000000007A5A000-memory.dmp

Filesize
40KB

Download
memory/4212-41-0x0000000007B80000-0x0000000007DD2000-memory.dmp

Filesize
2.3MB

Download
memory/4212-38-0x00000000075C0000-0x000000000760E000-memory.dmp

Filesize
312KB

Download
memory/4212-35-0x00000000069F0000-0x0000000006A82000-memory.dmp

Filesize
584KB

Download
memory/4212-36-0x0000000007340000-0x00000000074B6000-memory.dmp

Filesize
1.5MB

Download
memory/4212-34-0x0000000006E40000-0x000000000733E000-memory.dmp

Filesize
5.0MB

Download
memory/4212-24-0x0000000000820000-0x000000000214E000-memory.dmp

Filesize
25.2MB

Download