Malware Analysis Report

2025-03-15 01:14

Sample ID 250210-3hcplaslez
Target Silly.exe
SHA256 c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f
Tags
silverrat defense_evasion execution persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f

Threat Level: Known bad

The file Silly.exe was found to be: Known bad.

Malicious Activity Summary

silverrat defense_evasion execution persistence trojan

SilverRat

Silverrat family

Sets file to hidden

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Scheduled Task/Job: Scheduled Task

Uses Volume Shadow Copy service COM API

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-10 23:30

Signatures

Silverrat family

silverrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-10 23:30

Reported

2025-02-10 23:33

Platform

win7-20240903-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Silly.exe"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WinTask\\$77Runtime Broker.exe\"" C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\System32\attrib.exe
PID 1632 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\System32\attrib.exe
PID 1632 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\System32\attrib.exe
PID 1632 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\System32\attrib.exe
PID 1632 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\System32\attrib.exe
PID 1632 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\System32\attrib.exe
PID 1632 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\system32\cmd.exe
PID 2752 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2752 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2752 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2752 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
PID 2752 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
PID 2752 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
PID 2360 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 2360 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 2360 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 2360 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 2360 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 2360 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 2360 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 2360 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 2360 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 2360 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\System32\schtasks.exe
PID 2360 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\System32\schtasks.exe
PID 2360 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Silly.exe

"C:\Users\Admin\AppData\Local\Temp\Silly.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F22.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN $77Runtime Broker.exe

C:\Windows\system32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN $77Runtime Broker.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 if-eventually.gl.at.ply.gg udp
US 147.185.221.25:17094 if-eventually.gl.at.ply.gg tcp
US 147.185.221.25:17094 if-eventually.gl.at.ply.gg tcp
US 147.185.221.25:17094 if-eventually.gl.at.ply.gg tcp
US 147.185.221.25:17094 if-eventually.gl.at.ply.gg tcp
US 147.185.221.25:17094 if-eventually.gl.at.ply.gg tcp
US 147.185.221.25:17094 if-eventually.gl.at.ply.gg tcp

Files

memory/1632-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

memory/1632-1-0x000000013F880000-0x000000013F890000-memory.dmp

memory/1632-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/1632-3-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

memory/1632-4-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3F22.tmp.bat

MD5 d2cf5c103d4cb71912b015a33300fbca
SHA1 b3221500f099aaf0e0ae2f092ccaaa5a4f8a8748
SHA256 0f5b415798faa6c9aa4e68f3c293c799cd8b33e461cc4a05f625016fbba66652
SHA512 d2e646ff0d0a3cdd5a84a87ae428678d750a9f383370a5df14ddf05c4079613a1739b802d6729e35636923a84f78efbe8e27dee2c942e9a717fef0b0c14f46cc

memory/1632-14-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe

MD5 1cf8d6e0acaa084d9b4201f11a1a04a8
SHA1 7cc576ff7a096e14a6e83836bfd3cd29f7164392
SHA256 c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f
SHA512 de6889cffba397b9a95b02d3271b14c9abbe543fb2a4415182cb24e9a3cf152bfb1ae5d3237eacac613f411fc278d120191f45c5cb1c4ca5135f393b57c0527a

memory/2360-19-0x000000013F710000-0x000000013F720000-memory.dmp

memory/2028-24-0x000000001B6B0000-0x000000001B992000-memory.dmp

memory/2028-25-0x0000000001F50000-0x0000000001F58000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-10 23:30

Reported

2025-02-10 23:33

Platform

win10v2004-20250129-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Silly.exe"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WinTask\\$77Runtime Broker.exe\"" C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\System32\attrib.exe
PID 2344 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\System32\attrib.exe
PID 2344 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\System32\attrib.exe
PID 2344 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\System32\attrib.exe
PID 2344 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\Silly.exe C:\Windows\system32\cmd.exe
PID 1540 wrote to memory of 1184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1540 wrote to memory of 1184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1540 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
PID 1540 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
PID 3700 wrote to memory of 292 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3700 wrote to memory of 292 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3700 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3700 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3700 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3700 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3700 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3700 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3700 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\System32\schtasks.exe
PID 3700 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Silly.exe

"C:\Users\Admin\AppData\Local\Temp\Silly.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77Runtime Broker.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77Runtime Broker.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.16.153.206:443 www.bing.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 if-eventually.gl.at.ply.gg udp
US 147.185.221.25:17094 if-eventually.gl.at.ply.gg tcp
US 147.185.221.25:17094 if-eventually.gl.at.ply.gg tcp
US 147.185.221.25:17094 if-eventually.gl.at.ply.gg tcp
US 147.185.221.25:17094 if-eventually.gl.at.ply.gg tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 147.185.221.25:17094 if-eventually.gl.at.ply.gg tcp
US 147.185.221.25:17094 if-eventually.gl.at.ply.gg tcp
N/A 20.189.173.17:443 tcp
US 8.8.8.8:53 udp
GB 104.78.173.167:80 tcp

Files

memory/2344-0-0x00007FFEE85C3000-0x00007FFEE85C5000-memory.dmp

memory/2344-1-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

memory/2344-2-0x00007FFEE85C0000-0x00007FFEE9081000-memory.dmp

memory/2344-3-0x00007FFEE85C3000-0x00007FFEE85C5000-memory.dmp

memory/2344-4-0x00007FFEE85C0000-0x00007FFEE9081000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.bat

MD5 2384ead7ef511813641fb856023c4174
SHA1 b4fecb55f21dfbab18361a1ba79d9de93d4a2f19
SHA256 e45421e4cd5a9af1b6ff5d0bc10f86bee9f1748d068a738f140287f26e5d454e
SHA512 5990bac4890cbf15c957922998d648497dd2dfe9de57904de65b4439f23550f7c06f119c00d4e4e7c2005dfc8bb0578947029eda6495a21892c25cc5a90e83f8

memory/2344-10-0x00007FFEE85C0000-0x00007FFEE9081000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe

MD5 1cf8d6e0acaa084d9b4201f11a1a04a8
SHA1 7cc576ff7a096e14a6e83836bfd3cd29f7164392
SHA256 c7c78f431c21c05d2963fb7635b73d969b7dada294252ef1d2b634b030a2375f
SHA512 de6889cffba397b9a95b02d3271b14c9abbe543fb2a4415182cb24e9a3cf152bfb1ae5d3237eacac613f411fc278d120191f45c5cb1c4ca5135f393b57c0527a

memory/2940-14-0x00000163B9E10000-0x00000163B9E32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_se4hknz0.1oa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82