Analysis
max time kernel
114s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
20-12-2024 02:23
Static task
static1
Behavioral task
behavioral1
Sample
b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe
Resource
win10v2004-20241007-en
General
-
Target
b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe
-
Size
85KB
-
MD5
15cae69282880edaf7ca090ab51089a0
-
SHA1
a0ce11fd82a53b9559a6f2f1c64e8764ee4ea475
-
SHA256
b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252
-
SHA512
85e4a8727267533e6dcfb2430c3fff48d897127efecd8d560ee3c5562e018f484de229b8dc48224490de177f336016330c2d00335a1ba0208311d297df170045
-
SSDEEP
1536:lI76Wj54gtfoQggNPlcULTP9I7rB6embRdyVfkFHLXkFyxwdSn2OJ:lI7RgONc6T1/bkCHLXkFyxWs5J
Malware Config
Extracted
silverrat
1.0.0.0
147.185.221.17:32088
SilverMutex_gRDGEIDSol
-
decrypted_key
-|S.S.S|-
-
discord
https://discord.com/api/webhooks/1317585089491767437/EBZbSF2FiNBbHexoCGKLxakpdgSZYjt6BQiH3BvbQugwGwkh8GiPw2PK5PuIKigfB8xR
-
key
yy6zDjAUmbB09pKvo5Hhug==
-
key_x509
VHdXZ3R2VEpOVWFNeEFGY0R0RlNIQVJSRFJrbm56
-
payload_url
https://g.top4top.io/p_2522c7w8u1.png
-
reconnect_delay
4
-
server_signature
EqLtP1MXxIxEoV8yd5YO4JlBbncTxWM7/woqc4CmK4gYiqE3QMTFC072DSedA+bkdcWVdbVVTq4AIQjDkqnbSXzarj1L1XcYlKsUM3sOiuu3NR9yWE3i5YuqxjnNNL9KEQY5AeosJRdP4UUDmI8PPFehgWEcx4l54/Dk6gPyO9PcAGwiG1qplaC/tIX+xBzc6OXNQRI117livY35znCQjh+pK9ktzWEYPIuA8gyMTD/6iMOKTSLlxIBq+UTlkiUEonzvfYwMVYtTvjVxART32VOMXdtNGSHVS8IyOLVhxg3A/nZuyFILbXep3lNvnRBZfk8h1qG2FKE+7WZUJQEy+I+nDQ9A2hM/+D56M9WYKd0VyflFK2QvXjsm9KmOzSPLqIOdo8HTbOwIkBUc+btqEMwZ/k115UjfZcQJheFn3wxBr5RnlY81vPjzIyMscJZn539bhAChR0Fyb1z+IB0fkNtnKOl3xuJR5yk23Pt+iwxKxgDoj/T+2fQrpxWPZW1ZMWkt+8C/azVTNcIlbrCeGx+bdeKGpBP2qGW/g8q93jY2oG9IS+A8SA+gedA+s4DIOW9g2pUMSTwbwBpmKhQZ5ksK+V9ilPDK75+maERsYHdXi96o8Cl9ZniWfXl3vrXc+TOqGVVjw767CJ1+NKDNvu7RRh3wpWF6qVH5yBazoMI=
Signatures
-
Silverrat family
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process
2268 attrib.exe
2420 attrib.exe
-
Executes dropped EXE 1 IoCs
pid Process
2676 $77bot.exe
-
Loads dropped DLL 1 IoCs
pid Process
1964 cmd.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\bot\\$77bot.exe\"" b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe
-
pid Process
1092 powershell.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
4 discord.com
5 discord.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process
344 timeout.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2948 schtasks.exe
2476 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process
1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe
1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe
1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe
1092 powershell.exe
2676 $77bot.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process
Token: SeBackupPrivilege 2752 vssvc.exe
Token: SeRestorePrivilege 2752 vssvc.exe
Token: SeAuditPrivilege 2752 vssvc.exe
Token: SeDebugPrivilege 1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe
Token: SeDebugPrivilege 2676 $77bot.exe
Token: SeDebugPrivilege 1092 powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
2676 $77bot.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target
PID 1748 wrote to memory of 2268 1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe 34
PID 1748 wrote to memory of 2268 1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe 34
PID 1748 wrote to memory of 2268 1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe 34
PID 1748 wrote to memory of 2420 1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe 36
PID 1748 wrote to memory of 2420 1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe 36
PID 1748 wrote to memory of 2420 1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe 36
PID 1748 wrote to memory of 1964 1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe 38
PID 1748 wrote to memory of 1964 1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe 38
PID 1748 wrote to memory of 1964 1748 b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe 38
PID 1964 wrote to memory of 344 1964 cmd.exe 40
PID 1964 wrote to memory of 344 1964 cmd.exe 40
PID 1964 wrote to memory of 344 1964 cmd.exe 40
PID 1964 wrote to memory of 2676 1964 cmd.exe 41
PID 1964 wrote to memory of 2676 1964 cmd.exe 41
PID 1964 wrote to memory of 2676 1964 cmd.exe 41
PID 2676 wrote to memory of 2956 2676 $77bot.exe 43
PID 2676 wrote to memory of 2956 2676 $77bot.exe 43
PID 2676 wrote to memory of 2956 2676 $77bot.exe 43
PID 2676 wrote to memory of 2948 2676 $77bot.exe 45
PID 2676 wrote to memory of 2948 2676 $77bot.exe 45
PID 2676 wrote to memory of 2948 2676 $77bot.exe 45
PID 2676 wrote to memory of 2308 2676 $77bot.exe 47
PID 2676 wrote to memory of 2308 2676 $77bot.exe 47
PID 2676 wrote to memory of 2308 2676 $77bot.exe 47
PID 2676 wrote to memory of 1092 2676 $77bot.exe 49
PID 2676 wrote to memory of 1092 2676 $77bot.exe 49
PID 2676 wrote to memory of 1092 2676 $77bot.exe 49
PID 2676 wrote to memory of 2476 2676 $77bot.exe 51
PID 2676 wrote to memory of 2476 2676 $77bot.exe 51
PID 2676 wrote to memory of 2476 2676 $77bot.exe 51
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process
2268 attrib.exe
2420 attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe
    "C:\Users\Admin\AppData\Local\Temp\b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252N.exe"
    PID:1748
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\bot"
      PID:2268
      - Sets file to hidden
      - Views/modifies file attributes
  [2] C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\bot\$77bot.exe"
      PID:2420
      - Sets file to hidden
      - Views/modifies file attributes
  [2] C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBEDC.tmp.bat""
      PID:1964
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\timeout.exe
        timeout 3
        PID:344
        - Delays execution with timeout.exe
    [3] C:\Users\Admin\AppData\Roaming\bot\$77bot.exe
        "C:\Users\Admin\AppData\Roaming\bot\$77bot.exe"
        PID:2676
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\schtasks.exe
          "schtasks.exe" /query /TN $77bot.exe
          PID:2956
      [4] C:\Windows\system32\schtasks.exe
          "schtasks.exe" /Create /SC ONCE /TN "$77bot.exe" /TR "C:\Users\Admin\AppData\Roaming\bot\$77bot.exe \"\$77bot.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
          PID:2948
          - Scheduled Task/Job: Scheduled Task
      [4] C:\Windows\system32\schtasks.exe
          "schtasks.exe" /query /TN $77bot.exe
          PID:2308
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
          PID:1092
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc weekly /d SUN /tn "bot_Task-WEEKLY-01" /tr "%MyFile%" /st 10:00
          PID:2476
          - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:2752
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
-
Filesize
154B
MD5
6dc6aa03833f9edaaf6bcab5fd228255
SHA1
04a2a83d8d60890cf0e3df976996b428ec18af4d
SHA256
67c7c35995929c8a079c978bbb5e260b561fce72d324f8c1da328a77cd331663
SHA512
32d326009ffbd80f7566f89fe681232ba8dbacf8665f64c387e8be9e1b6a2fe7f5557959865a9f887bff61e9393b5f0f366fdad339744bff9e5efc4e0dbc2494
-
Filesize
85KB
MD5
15cae69282880edaf7ca090ab51089a0
SHA1
a0ce11fd82a53b9559a6f2f1c64e8764ee4ea475
SHA256
b57b6603c03bf53c7dd01806678f75ee6c4fe82f17a7abb5e7a0baf555d22252
SHA512
85e4a8727267533e6dcfb2430c3fff48d897127efecd8d560ee3c5562e018f484de229b8dc48224490de177f336016330c2d00335a1ba0208311d297df170045