Analysis
-
max time kernel
80s -
max time network
83s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-12-2024 23:37
General
-
Target
Windows Security Notification.exe
-
Size
86KB
-
MD5
434184cbd1ab6d8b3e6d04d69df75f4f
-
SHA1
39788e96ff6c0a7f1e7e257715e64b696198151b
-
SHA256
57ac4fcdd291af70d43b28025bbf95a4d4ac1d0955b075f159e97dcfe7685740
-
SHA512
4dcd69e84e8b031d83953a9165745c6daba6538cfebf4e76cf6f7f3f92aef4d334013be15d2b20bd4d126994059e1c1d1733ab444954ff3cf26e99f912c01c2c
-
SSDEEP
768:nMWKyi7didYfW/QdVXxRWl7H2+ZKJ7smhQpq/BRUT0fk9wGluB6SrDDv6/bB2Lj9:nMe2YVHYDCpwGAc9mokDDS/l2Lj9
Malware Config
Extracted
silverrat
1.0.0.0
policies-beside.gl.at.ply.gg:9967
xhhCQtIByF
-
certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
-
decrypted_key
-|S.S.S|-
-
discord
https://discord.com/api/webhooks/1307565056380108840/pkpOqO-Y8vruO8aeIu53yzS3l1IFMwpDSYDrGkNa1byaHAiKSa4-gLYX_DpLfjxLj0q9
-
key
yy6zDjAUmbB09pKvo5Hhug==
-
key_x509
RFNmZ1JPaXBaQXBxS05BdUdsQWNWU0VHREZSbmRK
-
payload_url
https://g.top4top.io/p_2522c7w8u1.png
-
reconnect_delay
4
-
server_signature
LU2wsiaOZ+/gZCLn0p/f7HnmbeuGF/B6ewFYcy0TAoCbL4cHqQZDETE02FQQQOpK0ycwb+sWB6hmbN5YVwd5kelF++2dUp3hd3yuGDK5LGIXWBz+kDFpcPCj87CLCJRnsV5khSfdXX9dLF5Iq0+fMAJb5S3M7kMYTsLsEP19/AWVP8WG1ZzsQMrjEZXfiXYvM1317wLwiXYPMy+spia0hVEZl7sXN7oM09PyHBVF2AYlmggjBUUkLVvhXasGKhBltrgdopTpGkPVUI1wr6Vaj0V55MG85DmcxRl6c99Tnn8/mi7xx1GOIki2wSrwXHf0LTW+EaPhc/JrdrZxlJtWZHRsGJGORjeN+sk4/p3rXWGvT3j8Wl44vyZAEmkJzOsWaDB6Mqnhf1BC+HfGjTayVUD+Rosklv3ZAwGhl4X9kN/Zv9oyfs0686LvfL5eGTRoidP0vr5NBsISTuJ6UFZ3qfIBaEVc97kNbntqIUj/jIy9AJr9/qgPCTLBPmaqiFYqlKcySYG9FcEvHosS08+vKgjs6tXypcocqOgacjWjg2/C/1RLqwrFSbucdNkvG0d5IFHHniydWX4aRcSpT1F3DRFW+uY1TpEPLpL/SZdgown4ZwlGCgkxjo/TPOADHZBYY1fqqqXbXO1nxQew+sspmqw4pz2Gb+XXUQmK2cq71xQ=
Signatures
-
SilverRat
SilverRat is trojan written in C#.
-
Silverrat family
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe"C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\attrib.exe"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Windows Security Notification"2⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\System32\attrib.exe"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Windows Security Notification\$77Windows Security Notification.exe"2⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEC06.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\Windows Security Notification\$77Windows Security Notification.exe"C:\Users\Admin\Windows Security Notification\$77Windows Security Notification.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /query /TN $77Windows Security Notification.exe4⤵
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /Create /SC ONCE /TN "$77Windows Security Notification.exe" /TR "C:\Users\Admin\Windows Security Notification\$77Windows Security Notification.exe \"\$77Windows Security Notification.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /query /TN $77Windows Security Notification.exe4⤵
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
190B
MD53a6a190252266190999a5ccf41a90c21
SHA1129186a5474874440c2da34ccc728e94dcbd175f
SHA256be989fe6c86a00f2577b63821759b9c28bf4912427faaf7fc767db061141d171
SHA5123a7a4e77b4ca6756d79f1317970d4fbccd4f447f9272c3f85ab46c53d763ebb5df1dcbc3ea6f7ccf66a6708f85547a5759c476d34f2364948be2cd0511a23b89
-
Filesize
86KB
MD5434184cbd1ab6d8b3e6d04d69df75f4f
SHA139788e96ff6c0a7f1e7e257715e64b696198151b
SHA25657ac4fcdd291af70d43b28025bbf95a4d4ac1d0955b075f159e97dcfe7685740
SHA5124dcd69e84e8b031d83953a9165745c6daba6538cfebf4e76cf6f7f3f92aef4d334013be15d2b20bd4d126994059e1c1d1733ab444954ff3cf26e99f912c01c2c
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
104KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
128KB