Analysis
- max time kernel: 1795s
- max time network: 1800s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/09/2024, 00:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: SilverClient.exe
- Resource: win10v2004-20240802-en
General
- Target: SilverClient.exe
- Size: 42KB
- MD5: e32cc14226ce47c9342ed347c7a47438
- SHA1: a8ec8484eebdd76d38988007a21afe56cbeaf951
- SHA256: 59dd74a25d62b758529d2a9bfd5fefde30077b26249116ceffd01ce16b2688fa
- SHA512: b164661ca40c386843b00cbeff8a86157a23f0e4c5e539fe596fad8786a1752ef50eaa65590a65ae1ca6512e720e3501fece61381b921f55e3ec4855f91bfc63
- SSDEEP: 768:MiIsJJcPlV1csUxJRBN/l+cJn6590BcmSHrlruPXr7yaaxLEt0URohRULL9S+1fr:MiIsDctUBbn659XTkt0UQGf9Zr1QoE9W
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation (process: $77test.exe)
- Executes dropped EXE (1 IoC)
  - PID 4288 $77test.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\test\\$77test.exe\"" (process: SilverClient.exe)
- Command and Scripting Interpreter: PowerShell (1 IoC)
  - PID 5076 powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (2 IoCs)
  - PID 1564 timeout.exe
  - PID 936 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 5104 schtasks.exe
  - PID 3732 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  - PID 3344 SilverClient.exe (24 entries)
  - PID 4288 $77test.exe (2 entries)
  - PID 5076 powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  - Token: SeBackupPrivilege, PID 3788 vssvc.exe
  - Token: SeRestorePrivilege, PID 3788 vssvc.exe
  - Token: SeAuditPrivilege, PID 3788 vssvc.exe
  - Token: SeDebugPrivilege, PID 3344 SilverClient.exe
  - Token: SeDebugPrivilege, PID 4288 $77test.exe
  - Token: SeDebugPrivilege, PID 5076 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 4288 $77test.exe
- Suspicious use of WriteProcessMemory (26 IoCs; each event below is recorded twice in the report)
  - PID 3344 SilverClient.exe wrote to memory of 4392 (procid_target 105)
  - PID 4392 cmd.exe wrote to memory of 1564 (procid_target 107)
  - PID 4392 cmd.exe wrote to memory of 4288 (procid_target 108)
  - PID 4288 $77test.exe wrote to memory of 2248 (procid_target 111)
  - PID 4288 $77test.exe wrote to memory of 5104 (procid_target 113)
  - PID 4288 $77test.exe wrote to memory of 3616 (procid_target 115)
  - PID 4288 $77test.exe wrote to memory of 5076 (procid_target 117)
  - PID 4288 $77test.exe wrote to memory of 3732 (procid_target 118)
  - PID 4288 $77test.exe wrote to memory of 2420 (procid_target 123)
  - PID 4288 $77test.exe wrote to memory of 660 (procid_target 125)
  - PID 4288 $77test.exe wrote to memory of 2924 (procid_target 127)
  - PID 2924 cmd.exe wrote to memory of 936 (procid_target 129)
  - PID 660 cmd.exe wrote to memory of 428 (procid_target 130)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\SilverClient.exe (PID 3344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
  Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe (PID 4392)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp863.tmp.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\timeout.exe (PID 1564)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - [3] C:\Users\Admin\test\$77test.exe (PID 4288)
      Command line: "C:\Users\Admin\test\$77test.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SYSTEM32\schtasks.exe (PID 2248)
        Command line: "schtasks.exe" /query /TN $77test.exe
      - [4] C:\Windows\SYSTEM32\schtasks.exe (PID 5104)
        Command line: "schtasks.exe" /Create /SC ONCE /TN "$77test.exe" /TR "C:\Users\Admin\test\$77test.exe \"\$77test.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        Signatures: Scheduled Task/Job: Scheduled Task
      - [4] C:\Windows\SYSTEM32\schtasks.exe (PID 3616)
        Command line: "schtasks.exe" /query /TN $77test.exe
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5076)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\schtasks.exe (PID 3732)
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "test_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        Signatures: Scheduled Task/Job: Scheduled Task
      - [4] C:\Windows\SYSTEM32\schtasks.exe (PID 2420)
        Command line: "schtasks.exe" /query /TN $77test.exe
      - [4] C:\Windows\System32\cmd.exe (PID 660)
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "$77test_Task"
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\schtasks.exe (PID 428)
          Command line: schtasks /delete /f /tn "$77test_Task"
      - [4] C:\Windows\system32\cmd.exe (PID 2924)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC7C2.tmp.bat""
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\timeout.exe (PID 936)
          Command line: timeout 3
          Signatures: Delays execution with timeout.exe
- [1] C:\Windows\system32\vssvc.exe (PID 3788)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3964)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4904)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4048,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 139B
  MD5: 9cf77823ae2e50e1a1c8733e3121a75d
  SHA1: c7ebfead12bbb09a47367b788fd266706c170829
  SHA256: 152c16b78b689512de9c97e71fee474ccc77f6aea73716257dd9ef93d9bf8355
  SHA512: d428063a6c256144789d096f9ce45037a0649bbea804751a6473635e2ac4e99a23a32a4b7c06da45142169b73c8457188161e46124a832053c7710703bd5ad20
- Filesize: 213B
  MD5: faed5d5ac1304c34f507a641eeb98f43
  SHA1: f368c11ddfff321f8a33ecce0e44ebaf5ff281e4
  SHA256: 6c31b2dceb479c181e0f12c0208ecf289394805d642b9dd2b0af29abb4c3aa53
  SHA512: c502faf88f7989d93fc4e80819c44ac322ebd011abc1efe95b60e4712cd34e9d2667f2b0c5c2baaa4de4d3209626c8bf1b3ce0cf752b7e47f7215dfaad9ad9d6
- Filesize: 42KB (hashes identical to the submitted sample)
  MD5: e32cc14226ce47c9342ed347c7a47438
  SHA1: a8ec8484eebdd76d38988007a21afe56cbeaf951
  SHA256: 59dd74a25d62b758529d2a9bfd5fefde30077b26249116ceffd01ce16b2688fa
  SHA512: b164661ca40c386843b00cbeff8a86157a23f0e4c5e539fe596fad8786a1752ef50eaa65590a65ae1ca6512e720e3501fece61381b921f55e3ec4855f91bfc63