Overview

overview

10

Static

static

3

SilverClient.exe

windows7-x64

7

SilverClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1558s
  • max time network
    1563s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2024 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SilverClient.exe

  • Size

    42KB

  • MD5

    e32cc14226ce47c9342ed347c7a47438

  • SHA1

    a8ec8484eebdd76d38988007a21afe56cbeaf951

  • SHA256

    59dd74a25d62b758529d2a9bfd5fefde30077b26249116ceffd01ce16b2688fa

  • SHA512

    b164661ca40c386843b00cbeff8a86157a23f0e4c5e539fe596fad8786a1752ef50eaa65590a65ae1ca6512e720e3501fece61381b921f55e3ec4855f91bfc63

  • SSDEEP

    768:MiIsJJcPlV1csUxJRBN/l+cJn6590BcmSHrlruPXr7yaaxLEt0URohRULL9S+1fr:MiIsDctUBbn659XTkt0UQGf9Zr1QoE9W

Score
7/10
executionpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
    "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp196.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2964
      • C:\Users\Admin\test\$77test.exe
        "C:\Users\Admin\test\$77test.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3044
        • C:\Windows\system32\schtasks.exe
          "schtasks.exe" /query /TN $77test.exe
          4⤵
            PID:1680
          • C:\Windows\system32\schtasks.exe
            "schtasks.exe" /Create /SC ONCE /TN "$77test.exe" /TR "C:\Users\Admin\test\$77test.exe \"\$77test.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2268
          • C:\Windows\system32\schtasks.exe
            "schtasks.exe" /query /TN $77test.exe
            4⤵
              PID:1536
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2024
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "test_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1868
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "$77test_Task"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2756
              • C:\Windows\system32\schtasks.exe
                schtasks /delete /f /tn "$77test_Task"
                5⤵
                  PID:2776
              • C:\Windows\system32\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCE96.tmp.bat""
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2648
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  5⤵
                  • Delays execution with timeout.exe
                  PID:2748
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2760
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2012

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Cab1CC6.tmp
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar73AF.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp196.tmp.bat
          Filesize

          139B

          MD5

          286d58101458bf4b456387bfa89e4888

          SHA1

          9231c5f62c82b5dc8a7681bac897056ee93c6194

          SHA256

          3ccbf6e00680b163141c146961b15a92839a3a19daf821225b8e5f3d376f9cb8

          SHA512

          17d6fab7905292f9903ffca6ba172184a6212aff5efd51c9b1f14f6deff4062bb1a75e817345b2c20a78cabecc454eefbf79311e0a5e82019c3ff043ca41a668

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpCE96.tmp.bat
          Filesize

          213B

          MD5

          527ab2b2d797ae34e25df7417a3c7415

          SHA1

          ce2ddf068e34bb27772925af2416d1b6fac1b05e

          SHA256

          9a489f85b9e47291c19b5375583d898f886a952ed1ef761aeeb985f20aa1d706

          SHA512

          75eb4a2fd2fca117040ffe0a86853c2b4e78d77ef53daf7e04b3daaf456481c95f4057f1eb83ec57de6c44bf312418fe7f361e1d7348fa6cbdaff12335e56381

          Download Submit

        • \Users\Admin\test\$77test.exe
          Filesize

          42KB

          MD5

          e32cc14226ce47c9342ed347c7a47438

          SHA1

          a8ec8484eebdd76d38988007a21afe56cbeaf951

          SHA256

          59dd74a25d62b758529d2a9bfd5fefde30077b26249116ceffd01ce16b2688fa

          SHA512

          b164661ca40c386843b00cbeff8a86157a23f0e4c5e539fe596fad8786a1752ef50eaa65590a65ae1ca6512e720e3501fece61381b921f55e3ec4855f91bfc63

          Download Submit

        • memory/1908-1-0x000000013FDE0000-0x000000013FDF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1908-2-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1908-0-0x000007FEF64F3000-0x000007FEF64F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1908-5-0x000007FEF64F3000-0x000007FEF64F4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1908-6-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1908-16-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2012-4-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2012-3-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/2024-27-0x00000000028D0000-0x00000000028D8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2024-26-0x000000001B670000-0x000000001B952000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/3044-44-0x00000000023D0000-0x00000000023DE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3044-21-0x000000013FC30000-0x000000013FC40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3044-66-0x00000000023E0000-0x0000000002400000-memory.dmp

          Filesize

          128KB

          Download