Analysis

  • max time kernel
    114s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20-12-2024 02:23

General

  • Target

    b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe

  • Size

    85KB

  • MD5

    15cae69282880edaf7ca090ab51089a0

  • SHA1

    a0ce11fd82a53b9559a6f2f1c64e8764ee4ea475

  • SHA256

    b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252

  • SHA512

    85e4a8727267533e6dcfb2430c3fff48d897127efecd8d560ee3c5562e018f484de229b8dc48224490de177f336016330c2d00335a1ba0208311d297df170045

  • SSDEEP

    1536:lI76Wj54gtfoQggNPlcULTP9I7rB6embRdyVfkFHLXkFyxwdSn2OJ:lI7RgONc6T1/bkCHLXkFyxWs5J

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

147.185.221.17:32088

Mutex

SilverMutex_gRDGEIDSol

Attributes
  • certificate

    MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==

  • decrypted_key

    -|S.S.S|-

  • discord

    https://discord.com/api/webhooks/1317585089491767437/EBZbSF2FiNBbHexoCGKLxakpdgSZYjt6BQiH3BvbQugwGwkh8GiPw2PK5PuIKigfB8xR

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    VHdXZ3R2VEpOVWFNeEFGY0R0RlNIQVJSRFJrbm56

  • payload_url

    https://g.top4top.io/p_2522c7w8u1.png

  • reconnect_delay

    4

  • server_signature

    EqLtP1MXxIxEoV8yd5YO4JlBbncTxWM7/woqc4CmK4gYiqE3QMTFC072DSedA+bkdcWVdbVVTq4AIQjDkqnbSXzarj1L1XcYlKsUM3sOiuu3NR9yWE3i5YuqxjnNNL9KEQY5AeosJRdP4UUDmI8PPFehgWEcx4l54/Dk6gPyO9PcAGwiG1qplaC/tIX+xBzc6OXNQRI117livY35znCQjh+pK9ktzWEYPIuA8gyMTD/6iMOKTSLlxIBq+UTlkiUEonzvfYwMVYtTvjVxART32VOMXdtNGSHVS8IyOLVhxg3A/nZuyFILbXep3lNvnRBZfk8h1qG2FKE+7WZUJQEy+I+nDQ9A2hM/+D56M9WYKd0VyflFK2QvXjsm9KmOzSPLqIOdo8HTbOwIkBUc+btqEMwZ/k115UjfZcQJheFn3wxBr5RnlY81vPjzIyMscJZn539bhAChR0Fyb1z+IB0fkNtnKOl3xuJR5yk23Pt+iwxKxgDoj/T+2fQrpxWPZW1ZMWkt+8C/azVTNcIlbrCeGx+bdeKGpBP2qGW/g8q93jY2oG9IS+A8SA+gedA+s4DIOW9g2pUMSTwbwBpmKhQZ5ksK+V9ilPDK75+maERsYHdXi96o8Cl9ZniWfXl3vrXc+TOqGVVjw767CJ1+NKDNvu7RRh3wpWF6qVH5yBazoMI=

Signatures

  • SilverRat

    SilverRat is trojan written in C#.

  • Silverrat family
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe
    "C:\Users\Admin\AppData\Local\Temp\b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\bot"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2268
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\bot\$77bot.exe"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2420
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBEDC.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:344
      • C:\Users\Admin\AppData\Roaming\bot\$77bot.exe
        "C:\Users\Admin\AppData\Roaming\bot\$77bot.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\system32\schtasks.exe
          "schtasks.exe" /query /TN $77bot.exe
          4⤵
            PID:2956
          • C:\Windows\system32\schtasks.exe
            "schtasks.exe" /Create /SC ONCE /TN "$77bot.exe" /TR "C:\Users\Admin\AppData\Roaming\bot\$77bot.exe \"\$77bot.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2948
          • C:\Windows\system32\schtasks.exe
            "schtasks.exe" /query /TN $77bot.exe
            4⤵
              PID:2308
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1092
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /sc weekly /d SUN /tn "bot_Task-WEEKLY-01" /tr "%MyFile%" /st 10:00
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2476
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2752

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpBEDC.tmp.bat

        Filesize

        154B

        MD5

        6dc6aa03833f9edaaf6bcab5fd228255

        SHA1

        04a2a83d8d60890cf0e3df976996b428ec18af4d

        SHA256

        67c7c35995929c8a079c978bbb5e260b561fce72d324f8c1da328a77cd331663

        SHA512

        32d326009ffbd80f7566f89fe681232ba8dbacf8665f64c387e8be9e1b6a2fe7f5557959865a9f887bff61e9393b5f0f366fdad339744bff9e5efc4e0dbc2494

      • \Users\Admin\AppData\Roaming\bot\$77bot.exe

        Filesize

        85KB

        MD5

        15cae69282880edaf7ca090ab51089a0

        SHA1

        a0ce11fd82a53b9559a6f2f1c64e8764ee4ea475

        SHA256

        b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252

        SHA512

        85e4a8727267533e6dcfb2430c3fff48d897127efecd8d560ee3c5562e018f484de229b8dc48224490de177f336016330c2d00335a1ba0208311d297df170045

      • memory/1092-25-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

        Filesize

        2.9MB

      • memory/1092-26-0x0000000002860000-0x0000000002868000-memory.dmp

        Filesize

        32KB

      • memory/1748-0-0x000007FEF52B3000-0x000007FEF52B4000-memory.dmp

        Filesize

        4KB

      • memory/1748-1-0x000000013F120000-0x000000013F13A000-memory.dmp

        Filesize

        104KB

      • memory/1748-2-0x0000000000560000-0x0000000000576000-memory.dmp

        Filesize

        88KB

      • memory/1748-3-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

        Filesize

        9.9MB

      • memory/1748-4-0x000007FEF52B3000-0x000007FEF52B4000-memory.dmp

        Filesize

        4KB

      • memory/1748-5-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

        Filesize

        9.9MB

      • memory/1748-15-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

        Filesize

        9.9MB

      • memory/2676-20-0x000000013F850000-0x000000013F86A000-memory.dmp

        Filesize

        104KB