Analysis Overview
SHA256
166fc117f762f70928200d37c24352583e1aca1aba54429975ac828452cf5ff0
Threat Level: Known bad
The file Rat.exe was found to be: Known bad.
Malicious Activity Summary
Silverrat family
SilverRat
Downloads MZ/PE file
Sets file to hidden
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Enumerates physical storage devices
Views/modifies file attributes
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-13 23:04
Signatures
Silverrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-13 23:04
Reported
2025-02-13 23:06
Platform
win10v2004-20250211-en
Max time kernel
94s
Max time network
150s
Command Line
Signatures
SilverRat
Silverrat family
Downloads MZ/PE file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Rat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\zt-WD\\$77Windows Security Process.exe\"" | C:\Users\Admin\AppData\Local\Temp\Rat.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Rat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Rat.exe
"C:\Users\Admin\AppData\Local\Temp\Rat.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\zt-WD"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping -PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Njg1OTkyNjgwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC65D.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe
"C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77Windows Security Process.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77Windows Security Process.exe" /TR "C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe \"\$77Windows Security Process.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77Windows Security Process.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| NL | 4.175.87.113:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | buying-magic.gl.at.ply.gg | udp |
| US | 147.185.221.25:17699 | buying-magic.gl.at.ply.gg | tcp |
Files
memory/4772-0-0x00007FFA673C3000-0x00007FFA673C5000-memory.dmp
memory/4772-1-0x0000000000820000-0x0000000000830000-memory.dmp
memory/4772-2-0x00007FFA673C0000-0x00007FFA67E81000-memory.dmp
memory/4772-4-0x00007FFA673C3000-0x00007FFA673C5000-memory.dmp
memory/4772-5-0x00007FFA673C0000-0x00007FFA67E81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC65D.tmp.bat
| MD5 | b14be60f6d9d5acaaad2ff624ea55d7f |
| SHA1 | eca1e268d910460c388c07998660e61a344d6a4e |
| SHA256 | 80486d85315059fb086739d987dfe65e183825d65bf297168bc0fe7a5ae56130 |
| SHA512 | 84facc3d687db35da699054c0b36637fc90edb83964397fc64a75df909e421979a1f59c3fab7895ade655a8387a866034e66807ac6876466e45de43cc60c2579 |
memory/4772-11-0x00007FFA673C0000-0x00007FFA67E81000-memory.dmp
C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe
| MD5 | c41469be0e653ddb4552a3f1a16caba6 |
| SHA1 | d2e0c8d5bd49337b5cef1f325632ba6c356d5661 |
| SHA256 | 166fc117f762f70928200d37c24352583e1aca1aba54429975ac828452cf5ff0 |
| SHA512 | 0599b00efc97b7805679040903e9b5f7fdfa7c4e00e7b12fc0a79b89286dea6665efd87f817b9b9f8e2e165714df07e8dbe21b3121b0af3f6f3c87b10837c749 |
memory/4116-15-0x000001E3A95C0000-0x000001E3A95E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klqablso.uw5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-13 23:04
Reported
2025-02-13 23:06
Platform
win7-20240903-en
Max time kernel
121s
Max time network
151s
Command Line
Signatures
SilverRat
Silverrat family
Sets file to hidden
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\zt-WD\\$77Windows Security Process.exe\"" | C:\Users\Admin\AppData\Local\Temp\Rat.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Rat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Rat.exe
"C:\Users\Admin\AppData\Local\Temp\Rat.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\zt-WD"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp648.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe
"C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77Windows Security Process.exe
C:\Windows\system32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77Windows Security Process.exe" /TR "C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe \"\$77Windows Security Process.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77Windows Security Process.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | buying-magic.gl.at.ply.gg | udp |
| US | 147.185.221.25:17699 | buying-magic.gl.at.ply.gg | tcp |
Files
memory/2124-0-0x000007FEF5993000-0x000007FEF5994000-memory.dmp
memory/2124-1-0x000000013FA90000-0x000000013FAA0000-memory.dmp
memory/2124-2-0x000007FEF5990000-0x000007FEF637C000-memory.dmp
memory/2124-3-0x000007FEF5993000-0x000007FEF5994000-memory.dmp
memory/2124-4-0x000007FEF5990000-0x000007FEF637C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp648.tmp.bat
| MD5 | ccdcf3373f4fba1cb8760881819c3bd8 |
| SHA1 | 715c5320db163da1523e2d9b739ed9dfaf0b9b46 |
| SHA256 | 2d7dfb1bc0b90729c56fa958d12dc0edf8d6007ab79dc13ada597e6ce76a1ae6 |
| SHA512 | 4ad727c623d3af9214903faf5e94c458472792d441e1efcc143f832b4cf114d64b091b35b5e4f2eab8140fa4f98d9b2bdee721de8cfa65deb0d0b5e256462f9b |
memory/2124-14-0x000007FEF5990000-0x000007FEF637C000-memory.dmp
\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe
| MD5 | c41469be0e653ddb4552a3f1a16caba6 |
| SHA1 | d2e0c8d5bd49337b5cef1f325632ba6c356d5661 |
| SHA256 | 166fc117f762f70928200d37c24352583e1aca1aba54429975ac828452cf5ff0 |
| SHA512 | 0599b00efc97b7805679040903e9b5f7fdfa7c4e00e7b12fc0a79b89286dea6665efd87f817b9b9f8e2e165714df07e8dbe21b3121b0af3f6f3c87b10837c749 |
memory/656-19-0x000000013FA40000-0x000000013FA50000-memory.dmp
memory/2204-24-0x000000001B5A0000-0x000000001B882000-memory.dmp
memory/2204-25-0x0000000002690000-0x0000000002698000-memory.dmp