silverrat | ef948ec84c52a12fadc9597dd0b3234783da66a983aecf52a9ca7ad97d077605

General

Target

OneDrive.exe
Size

112KB
MD5

8265876f1419ac9f2789c779ca8756b7
SHA1

349c89b04a29da021401102888889ce7e593ada4
SHA256

ef948ec84c52a12fadc9597dd0b3234783da66a983aecf52a9ca7ad97d077605
SHA512

3f8f3b7da9f8a29080cb84f0b9a34170a1da63e39d91b6706a9b25d7f1b55033051601e04735ac482a57b4285c77d04bc5817aa15f7d8565541a2a2e4b5eb218
SSDEEP

1536:abiue98UKpsOUFGsI9x1Qom1VZs/iMeLWs8zNJf:qiu68Dq3FGsI9x1lSrfLWs8zNJf

Score

10^/10

silverrat evasion persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

reserved-compilation.gl.at.ply.gg:30333

Mutex

lAxDBRhAFu

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1309888185597427763/ETaHhLbZDsm-U9W1k9LnAs5qSHWvjnwQyurgXK_j1ZDoqixvf9wWgl7hA5cBSCQU7y7A
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
b0FGeVZNcFRMWVloVHR6Z0VESU5RdlpZUmxZbUFE
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
4
server_signature
t9H0tGywaq23QHywsvniYlva2DUEoHwEX4RZOKw6QYOUUUEs6+qPhkwL0ziJc2nYj2yd5E4o3kMJj8NRpRTkpZcyIg/ljsBjIY4uuTgySYNYShSJRrNgQc/XiUXjH546feRdpS3EuZPWH15iNA3U89kmdXU1BOtms28guz5MUZ/jdeGBHbjPJULpyM8EgGGdK3ajqJ+NWQxPHql47XGQFXqJ5PauE0xmpcMKt+LU7fe+NS0Yx11uv+tRwSlMmFhYU9pSYoS8zZ7Lyeaw8rcxs06oecNxLKcmbSH3H5QWo4qYq/Y7HAeBmLEHHB5t8+bCVeDMfccmct8s+aZpljSceGlri2HJsxEjZ7FYmh4+o8bhacTmqQyE99P1kSa4FAWPLn59j5s1nO91Sb/rMvcNUApgatm6ZRZjc+Ninv7rXwFncnT7eRSRvldp7PohX6bsJEJRMnfLT4YxM0TzqV9POSK0hjrRojbiRQWahccxQRKfg3TcVxNnNjCQWMOJ0YzNuQ0ZSTLPO3QA4v/0cwD5nBhPdhowAnMUb4j61HsPdaQnKXvlx377vbMOowWJFqGC1ES1rKn843GMu81HL7FJsfrpqglmmFTddG3IwkeJU7umxj41+anidgCco7Jzbii9D9e4l2DF3EuhYg+qIuiwNw4ACh3olxSGStXl952V/dY=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3564	attrib.exe
2768	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OneDrive.exe

Executes dropped EXE 1 IoCs

pid	Process
4880	$77OneDrive.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\Microsoft OneDrive\\$77OneDrive.exe\""	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2084	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
3420	OneDrive.exe
4880	$77OneDrive.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	4240	vssvc.exe
Token: SeRestorePrivilege	4240	vssvc.exe
Token: SeAuditPrivilege	4240	vssvc.exe
Token: SeDebugPrivilege	3420	OneDrive.exe
Token: SeDebugPrivilege	4880	$77OneDrive.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4880	$77OneDrive.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 2768	3420	OneDrive.exe	87
PID 3420 wrote to memory of 2768	3420	OneDrive.exe	87
PID 3420 wrote to memory of 3564	3420	OneDrive.exe	89
PID 3420 wrote to memory of 3564	3420	OneDrive.exe	89
PID 3420 wrote to memory of 4488	3420	OneDrive.exe	104
PID 3420 wrote to memory of 4488	3420	OneDrive.exe	104
PID 4488 wrote to memory of 2084	4488	cmd.exe	106
PID 4488 wrote to memory of 2084	4488	cmd.exe	106
PID 4488 wrote to memory of 4880	4488	cmd.exe	107
PID 4488 wrote to memory of 4880	4488	cmd.exe	107
PID 4880 wrote to memory of 3468	4880	$77OneDrive.exe	109
PID 4880 wrote to memory of 3468	4880	$77OneDrive.exe	109
PID 4880 wrote to memory of 1928	4880	$77OneDrive.exe	111
PID 4880 wrote to memory of 1928	4880	$77OneDrive.exe	111
PID 4880 wrote to memory of 3168	4880	$77OneDrive.exe	113
PID 4880 wrote to memory of 3168	4880	$77OneDrive.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2768	attrib.exe
3564	attrib.exe

C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Microsoft OneDrive"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2768
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Microsoft OneDrive\$77OneDrive.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF8E.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2084
- - C:\Users\Admin\Microsoft OneDrive\$77OneDrive.exe
    "C:\Users\Admin\Microsoft OneDrive\$77OneDrive.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77OneDrive.exe
      4⤵
      PID:3468
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77OneDrive.exe" /TR "C:\Users\Admin\Microsoft OneDrive\$77OneDrive.exe \"\$77OneDrive.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1928
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77OneDrive.exe
      4⤵
      PID:3168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFF8E.tmp.bat

Filesize
158B

MD5
731f065a38a997443dd6b7c5f3afc7dd

SHA1
f570f03d04d8e7e0c6253e58c2c1793cf07d2ad4

SHA256
0a67e93113c8b425e110abc9c64dc57a13469b4926574e96e8e2e3adfdd6c887

SHA512
e0cda90bed0b0355ffa4db746200e0353e8366e1a223d10476bd494dd5ca86668bdc057ffbab0bef2da359dee34d9119488231ceecdfefe983f53488c5c58a07

Download Submit
C:\Users\Admin\Microsoft OneDrive\$77OneDrive.exe

Filesize
112KB

MD5
8265876f1419ac9f2789c779ca8756b7

SHA1
349c89b04a29da021401102888889ce7e593ada4

SHA256
ef948ec84c52a12fadc9597dd0b3234783da66a983aecf52a9ca7ad97d077605

SHA512
3f8f3b7da9f8a29080cb84f0b9a34170a1da63e39d91b6706a9b25d7f1b55033051601e04735ac482a57b4285c77d04bc5817aa15f7d8565541a2a2e4b5eb218

Download Submit
memory/3420-1-0x0000000000520000-0x0000000000540000-memory.dmp

Filesize
128KB

Download
memory/3420-0-0x00007FFC7BC93000-0x00007FFC7BC95000-memory.dmp

Filesize
8KB

Download
memory/3420-2-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/3420-3-0x00007FFC7BC93000-0x00007FFC7BC95000-memory.dmp

Filesize
8KB

Download
memory/3420-4-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/3420-10-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads