Overview

overview

8

Static

static

3

SilverClient.exe

windows7-x64

8

SilverClient.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/09/2024, 19:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SilverClient.exe

  • Size

    43KB

  • MD5

    16edc9184a4f2e4c18200304594d43d9

  • SHA1

    9328f1016cf247a13b110d6ece2826ba4ad5a8cf

  • SHA256

    be652d4e5771a47651e037776bbd47e90d3ab7de28e61e3c86abfc4b76c813dd

  • SHA512

    196f4c9b55d2883b4c7364aca90741a9e606952e2c798b2c4075a661768dab274b5b6683280404ff31eed98a11003991c67f7af4d61cf48dd131e7365a3cf74d

  • SSDEEP

    768:UsvI7cIxr7BcD1wjWxYQ4xJNHVR8kq/5h34vCvZPxaxP4RULQv9S6HPz1QB6Si/o:UsvwcIxrgwkbcrq/5xcl4Gsv9j71QoJg

Score
8/10
evasionexecutionpersistence

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
    "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Loader"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:4912
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Loader\$77WindowsDefender.exe"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:3532
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF4B6.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3504
      • C:\Users\Admin\Loader\$77WindowsDefender.exe
        "C:\Users\Admin\Loader\$77WindowsDefender.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4936
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks.exe" /query /TN $77WindowsDefender.exe
          4⤵
            PID:4368
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks.exe" /Create /SC ONCE /TN "$77WindowsDefender.exe" /TR "C:\Users\Admin\Loader\$77WindowsDefender.exe \"\$77WindowsDefender.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1152
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks.exe" /query /TN $77WindowsDefender.exe
            4⤵
              PID:1968
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2032
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "WindowsDefender_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4500
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3052

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_msvtr5j3.vc3.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpF4B6.tmp.bat
        Filesize

        153B

        MD5

        5d6d91838a62ea8e2cb3fe18394b8505

        SHA1

        0eac8de615489f071bfc5787103adbdf70988c17

        SHA256

        1e20a64f47aef81ce2216aaf5c9e3df7ae9923be3c40a4e8ed194aa8d961b5e9

        SHA512

        c1f2cbd131412dee486bf0e2f2ed164f7b1de55e549518cac0e258265f120a2d39bd110f0fddf3b93bac35adc9dc0df2c0f748f290e138d390ba8756345cac77

        Download Submit

      • C:\Users\Admin\Loader\$77WindowsDefender.exe
        Filesize

        43KB

        MD5

        16edc9184a4f2e4c18200304594d43d9

        SHA1

        9328f1016cf247a13b110d6ece2826ba4ad5a8cf

        SHA256

        be652d4e5771a47651e037776bbd47e90d3ab7de28e61e3c86abfc4b76c813dd

        SHA512

        196f4c9b55d2883b4c7364aca90741a9e606952e2c798b2c4075a661768dab274b5b6683280404ff31eed98a11003991c67f7af4d61cf48dd131e7365a3cf74d

        Download Submit

      • memory/2032-14-0x000002546E910000-0x000002546E932000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3500-0-0x00007FFAF6973000-0x00007FFAF6975000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3500-1-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3500-2-0x00007FFAF6970000-0x00007FFAF7431000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3500-3-0x00007FFAF6973000-0x00007FFAF6975000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3500-4-0x00007FFAF6970000-0x00007FFAF7431000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3500-10-0x00007FFAF6970000-0x00007FFAF7431000-memory.dmp

        Filesize

        10.8MB

        Download