Analysis Overview
SHA256
c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f
Threat Level: Known bad
The file Silly.exe was found to be: Known bad.
Malicious Activity Summary
SilverRat
Silverrat family
Sets file to hidden
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Scheduled Task/Job: Scheduled Task
Uses Volume Shadow Copy service COM API
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-10 23:30
Signatures
Silverrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-10 23:30
Reported
2025-02-10 23:33
Platform
win7-20240903-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
SilverRat
Silverrat family
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WinTask\\$77Runtime Broker.exe\"" | C:\Users\Admin\AppData\Local\Temp\Silly.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Silly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Silly.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Silly.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Silly.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Silly.exe
"C:\Users\Admin\AppData\Local\Temp\Silly.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F22.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77Runtime Broker.exe
C:\Windows\system32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77Runtime Broker.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | if-eventually.gl.at.ply.gg | udp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
Files
memory/1632-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp
memory/1632-1-0x000000013F880000-0x000000013F890000-memory.dmp
memory/1632-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp
memory/1632-3-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp
memory/1632-4-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3F22.tmp.bat
| MD5 | d2cf5c103d4cb71912b015a33300fbca |
| SHA1 | b3221500f099aaf0e0ae2f092ccaaa5a4f8a8748 |
| SHA256 | 0f5b415798faa6c9aa4e68f3c293c799cd8b33e461cc4a05f625016fbba66652 |
| SHA512 | d2e646ff0d0a3cdd5a84a87ae428678d750a9f383370a5df14ddf05c4079613a1739b802d6729e35636923a84f78efbe8e27dee2c942e9a717fef0b0c14f46cc |
memory/1632-14-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
| MD5 | 1cf8d6e0acaa084d9b4201f11a1a04a8 |
| SHA1 | 7cc576ff7a096e14a6e83836bfd3cd29f7164392 |
| SHA256 | c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f |
| SHA512 | de6889cffba397b9a95b02d3271b14c9abbe543fb2a4415182cb24e9a3cf152bfb1ae5d3237eacac613f411fc278d120191f45c5cb1c4ca5135f393b57c0527a |
memory/2360-19-0x000000013F710000-0x000000013F720000-memory.dmp
memory/2028-24-0x000000001B6B0000-0x000000001B992000-memory.dmp
memory/2028-25-0x0000000001F50000-0x0000000001F58000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-10 23:30
Reported
2025-02-10 23:33
Platform
win10v2004-20250129-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
SilverRat
Silverrat family
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Silly.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WinTask\\$77Runtime Broker.exe\"" | C:\Users\Admin\AppData\Local\Temp\Silly.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Silly.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Silly.exe
"C:\Users\Admin\AppData\Local\Temp\Silly.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77Runtime Broker.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77Runtime Broker.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.16.153.206:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | if-eventually.gl.at.ply.gg | udp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| N/A | 20.189.173.17:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| GB | 104.78.173.167:80 | N/A | tcp |
Files
memory/2344-0-0x00007FFEE85C3000-0x00007FFEE85C5000-memory.dmp
memory/2344-1-0x0000000000EB0000-0x0000000000EC0000-memory.dmp
memory/2344-2-0x00007FFEE85C0000-0x00007FFEE9081000-memory.dmp
memory/2344-3-0x00007FFEE85C3000-0x00007FFEE85C5000-memory.dmp
memory/2344-4-0x00007FFEE85C0000-0x00007FFEE9081000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.bat
| MD5 | 2384ead7ef511813641fb856023c4174 |
| SHA1 | b4fecb55f21dfbab18361a1ba79d9de93d4a2f19 |
| SHA256 | e45421e4cd5a9af1b6ff5d0bc10f86bee9f1748d068a738f140287f26e5d454e |
| SHA512 | 5990bac4890cbf15c957922998d648497dd2dfe9de57904de65b4439f23550f7c06f119c00d4e4e7c2005dfc8bb0578947029eda6495a21892c25cc5a90e83f8 |
memory/2344-10-0x00007FFEE85C0000-0x00007FFEE9081000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
| MD5 | 1cf8d6e0acaa084d9b4201f11a1a04a8 |
| SHA1 | 7cc576ff7a096e14a6e83836bfd3cd29f7164392 |
| SHA256 | c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f |
| SHA512 | de6889cffba397b9a95b02d3271b14c9abbe543fb2a4415182cb24e9a3cf152bfb1ae5d3237eacac613f411fc278d120191f45c5cb1c4ca5135f393b57c0527a |
memory/2940-14-0x00000163B9E10000-0x00000163B9E32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_se4hknz0.1oa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |