Malware Analysis Report

2025-03-15 01:14

Sample ID 250213-22fpxswrbk
Target Rat.exe
SHA256 166fc117f762f70928200d37c24352583e1aca1aba54429975ac828452cf5ff0
Tags
silverrat defense_evasion discovery execution persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

166fc117f762f70928200d37c24352583e1aca1aba54429975ac828452cf5ff0

Threat Level: Known bad

The file Rat.exe was found to be: Known bad.

Malicious Activity Summary

silverrat defense_evasion discovery execution persistence trojan

Silverrat family

SilverRat

Downloads MZ/PE file

Sets file to hidden

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Enumerates physical storage devices

Views/modifies file attributes

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-13 23:04

Signatures

Silverrat family

silverrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-13 23:04

Reported

2025-02-13 23:06

Platform

win10v2004-20250211-en

Max time kernel

94s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat.exe"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Rat.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\zt-WD\\$77Windows Security Process.exe\"" C:\Users\Admin\AppData\Local\Temp\Rat.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4772 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\System32\attrib.exe
PID 4772 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\System32\attrib.exe
PID 4772 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\System32\attrib.exe
PID 4772 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\System32\attrib.exe
PID 4772 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\system32\cmd.exe
PID 4772 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\system32\cmd.exe
PID 2688 wrote to memory of 3160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2688 wrote to memory of 3160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2688 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe
PID 2688 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe
PID 4704 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4704 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4704 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4704 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4704 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4704 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4704 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4704 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rat.exe

"C:\Users\Admin\AppData\Local\Temp\Rat.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\zt-WD"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTIyMkJBMDktNjE3NC00OEJCLUJCNTYtRjU5NUZFNTI1MzI3fSIgdXNlcmlkPSJ7Q0E3QTRFOEYtNjNFMi00OEU1LUJDQTQtMTBEMzVENjUxNkE0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjJERDY0MTAtMzVDNS00NEFDLUFGNEEtREY3MDAwMTNFRDI0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Njg1OTkyNjgwIi8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC65D.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe

"C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77Windows Security Process.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "$77Windows Security Process.exe" /TR "C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe \"\$77Windows Security Process.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77Windows Security Process.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

Network

Country Destination Domain Proto
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
NL 4.175.87.113:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.210.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 buying-magic.gl.at.ply.gg udp
US 147.185.221.25:17699 buying-magic.gl.at.ply.gg tcp

Files

memory/4772-0-0x00007FFA673C3000-0x00007FFA673C5000-memory.dmp

memory/4772-1-0x0000000000820000-0x0000000000830000-memory.dmp

memory/4772-2-0x00007FFA673C0000-0x00007FFA67E81000-memory.dmp

memory/4772-4-0x00007FFA673C3000-0x00007FFA673C5000-memory.dmp

memory/4772-5-0x00007FFA673C0000-0x00007FFA67E81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC65D.tmp.bat

MD5 b14be60f6d9d5acaaad2ff624ea55d7f
SHA1 eca1e268d910460c388c07998660e61a344d6a4e
SHA256 80486d85315059fb086739d987dfe65e183825d65bf297168bc0fe7a5ae56130
SHA512 84facc3d687db35da699054c0b36637fc90edb83964397fc64a75df909e421979a1f59c3fab7895ade655a8387a866034e66807ac6876466e45de43cc60c2579

memory/4772-11-0x00007FFA673C0000-0x00007FFA67E81000-memory.dmp

C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe

MD5 c41469be0e653ddb4552a3f1a16caba6
SHA1 d2e0c8d5bd49337b5cef1f325632ba6c356d5661
SHA256 166fc117f762f70928200d37c24352583e1aca1aba54429975ac828452cf5ff0
SHA512 0599b00efc97b7805679040903e9b5f7fdfa7c4e00e7b12fc0a79b89286dea6665efd87f817b9b9f8e2e165714df07e8dbe21b3121b0af3f6f3c87b10837c749

memory/4116-15-0x000001E3A95C0000-0x000001E3A95E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klqablso.uw5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-13 23:04

Reported

2025-02-13 23:06

Platform

win7-20240903-en

Max time kernel

121s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat.exe"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\zt-WD\\$77Windows Security Process.exe\"" C:\Users\Admin\AppData\Local\Temp\Rat.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\System32\attrib.exe
PID 2124 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\System32\attrib.exe
PID 2124 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\System32\attrib.exe
PID 2124 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\System32\attrib.exe
PID 2124 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\System32\attrib.exe
PID 2124 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\System32\attrib.exe
PID 2124 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Rat.exe C:\Windows\system32\cmd.exe
PID 768 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 768 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 768 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 768 wrote to memory of 656 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe
PID 768 wrote to memory of 656 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe
PID 768 wrote to memory of 656 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe
PID 656 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\system32\schtasks.exe
PID 656 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\system32\schtasks.exe
PID 656 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\system32\schtasks.exe
PID 656 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\system32\schtasks.exe
PID 656 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\system32\schtasks.exe
PID 656 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\system32\schtasks.exe
PID 656 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\system32\schtasks.exe
PID 656 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\system32\schtasks.exe
PID 656 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\system32\schtasks.exe
PID 656 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 656 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rat.exe

"C:\Users\Admin\AppData\Local\Temp\Rat.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\zt-WD"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp648.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe

"C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN $77Windows Security Process.exe

C:\Windows\system32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "$77Windows Security Process.exe" /TR "C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe \"\$77Windows Security Process.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN $77Windows Security Process.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 buying-magic.gl.at.ply.gg udp
US 147.185.221.25:17699 buying-magic.gl.at.ply.gg tcp

Files

memory/2124-0-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

memory/2124-1-0x000000013FA90000-0x000000013FAA0000-memory.dmp

memory/2124-2-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

memory/2124-3-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

memory/2124-4-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp648.tmp.bat

MD5 ccdcf3373f4fba1cb8760881819c3bd8
SHA1 715c5320db163da1523e2d9b739ed9dfaf0b9b46
SHA256 2d7dfb1bc0b90729c56fa958d12dc0edf8d6007ab79dc13ada597e6ce76a1ae6
SHA512 4ad727c623d3af9214903faf5e94c458472792d441e1efcc143f832b4cf114d64b091b35b5e4f2eab8140fa4f98d9b2bdee721de8cfa65deb0d0b5e256462f9b

memory/2124-14-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe

MD5 c41469be0e653ddb4552a3f1a16caba6
SHA1 d2e0c8d5bd49337b5cef1f325632ba6c356d5661
SHA256 166fc117f762f70928200d37c24352583e1aca1aba54429975ac828452cf5ff0
SHA512 0599b00efc97b7805679040903e9b5f7fdfa7c4e00e7b12fc0a79b89286dea6665efd87f817b9b9f8e2e165714df07e8dbe21b3121b0af3f6f3c87b10837c749

memory/656-19-0x000000013FA40000-0x000000013FA50000-memory.dmp

memory/2204-24-0x000000001B5A0000-0x000000001B882000-memory.dmp

memory/2204-25-0x0000000002690000-0x0000000002698000-memory.dmp