Malware Analysis Report

2025-03-15 01:14

Sample ID: 250213-bnc4rs1nez
Target: SilverRat.V1.5.rar
SHA256: bef64e21cbc611550b7ac61d9323858cdb845f1307d6466b93b6bc7a1088c4eb
Tags: silverrat defense_evasion discovery trojan execution
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: bef64e21cbc611550b7ac61d9323858cdb845f1307d6466b93b6bc7a1088c4eb

Threat Level: Known bad

The file SilverRat.V1.5.rar was found to be: Known bad.

Malicious Activity Summary

silverrat defense_evasion discovery trojan execution

Silverrat family

SilverRat

Sets file to hidden

Downloads MZ/PE file

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Browser Information Discovery

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies registry class

Delays execution with timeout.exe

Enumerates system info in registry

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-02-13 01:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-02-13 01:17
Reported: 2025-02-13 01:19
Platform: win11-20250211-en
Max time kernel: 98s
Max time network: 105s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.rar"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Downloads MZ/PE file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Sets file to hidden

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\attrib.exe | N/A
N/A | N/A | C:\Windows\System32\attrib.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\attrib.exe | N/A
N/A | N/A | C:\Windows\System32\attrib.exe | N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.rar"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qzc4OUVGRUMtNzM2OC00MkRDLUE5NTQtMjJERDg0RDZGREVCfSIgdXNlcmlkPSJ7MjUzREE4RUMtNEI0Ny00QzdDLTkwMTYtNDNDMDczMjA0ODFFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Q0QzOURBNTEtRkEwQS00NkZFLUEyOEUtMkM2MDFDQTY0RkM2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczOTI5NDgzNCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzY2NTUyNTM3MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ3NzUxNjE3MTYiLz48L2FwcD48L3JlcXVlc3Q-

C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe

"C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp
IE | 4.245.161.190:443 | msedge.api.cdp.microsoft.com | tcp
US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe

MD5 545d64cc91e4da6339a70d54a2443c5d
SHA1 f03344ab824c7cf0f73dcc86aa34cab36e2e54e7
SHA256 04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f
SHA512 733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681

memory/872-13-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-02-13 01:17
Reported: 2025-02-13 01:19
Platform: win11-20250210-en
Max time kernel: 89s
Max time network: 110s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\PASSWORD.txt

Signatures

Downloads MZ/PE file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1505343591-821288467-4101320450-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3356 wrote to memory of 1876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE
PID 3356 wrote to memory of 1876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\PASSWORD.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\PASSWORD.txt

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjIiIGluc3RhbGxkYXRldGltZT0iMTczOTE4Mzk2NiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjQwMTY2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4NjIxNzU3MDgiLz48L2FwcD48L3JlcXVlc3Q-

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp
US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp
US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp
GB | 96.17.179.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2025-02-13 01:17
Reported: 2025-02-13 01:19
Platform: win11-20250211-en
Max time kernel: 106s
Max time network: 111s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab.rar"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Downloads MZ/PE file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Sets file to hidden

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\attrib.exe | N/A
N/A | N/A | C:\Windows\System32\attrib.exe | N/A
N/A | N/A | C:\Windows\System32\attrib.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A

Delays execution with timeout.exe

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zG.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zG.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zG.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zG.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4288 wrote to memory of 1524 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Program Files\7-Zip\7zG.exe
PID 4288 wrote to memory of 1524 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Program Files\7-Zip\7zG.exe
PID 4288 wrote to memory of 4064 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Program Files\7-Zip\7zG.exe
PID 4288 wrote to memory of 4064 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Program Files\7-Zip\7zG.exe
PID 2380 wrote to memory of 2372 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\System32\attrib.exe
PID 2380 wrote to memory of 2372 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\System32\attrib.exe
PID 2380 wrote to memory of 3080 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\System32\attrib.exe
PID 2380 wrote to memory of 3080 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\System32\attrib.exe
PID 4592 wrote to memory of 2036 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\System32\attrib.exe
PID 4592 wrote to memory of 2036 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\System32\attrib.exe
PID 4592 wrote to memory of 2092 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4592 wrote to memory of 2092 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4592 wrote to memory of 1416 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4592 wrote to memory of 1416 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4592 wrote to memory of 1380 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4592 wrote to memory of 1380 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4592 wrote to memory of 996 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4592 wrote to memory of 996 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4592 wrote to memory of 4324 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\System32\schtasks.exe
PID 4592 wrote to memory of 4324 | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | C:\Windows\System32\schtasks.exe
PID 4328 wrote to memory of 4352 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 4352 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 3388 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 2184 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4328 wrote to memory of 2184 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\attrib.exe | N/A
N/A | N/A | C:\Windows\System32\attrib.exe | N/A
N/A | N/A | C:\Windows\System32\attrib.exe | N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab.rar"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczOTI5NDgzNCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzY2NTUyNTM3MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4MDc5MjM5NjEiLz48L2FwcD48L3JlcXVlc3Q-

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab\" -ad -an -ai#7zMap13694:122:7zEvent31153

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab\" -ad -an -ai#7zMap4399:122:7zEvent23754

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe

"C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"

C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe

"C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN SilverRat.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "SilverRat.exe" /TR "C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe \"\SilverRat.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN SilverRat.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.hackingvip.com/rat-and-botnet-settings-configurations-and-tutorials/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffd21463cb8,0x7ffd21463cc8,0x7ffd21463cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"

Network

Country Destination Domain Proto
US 52.252.28.242:443 msedge.api.cdp.microsoft.com tcp
GB 96.17.179.150:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 162.159.136.232:443 discord.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 8.8.8.8:53 www.hackingvip.com udp
BG 93.123.73.160:443 www.hackingvip.com tcp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 data-edge.smartscreen.microsoft.com tcp
BG 93.123.73.160:443 www.hackingvip.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
GB 216.58.213.14:443 www.youtube.com tcp
GB 216.58.213.14:443 www.youtube.com udp
GB 216.58.204.86:443 i.ytimg.com tcp
US 104.18.40.68:443 pro.fontawesome.com tcp
US 104.18.40.68:443 pro.fontawesome.com tcp
US 104.18.40.68:443 pro.fontawesome.com tcp
GB 142.250.179.226:443 googleads.g.doubleclick.net tcp
GB 142.250.179.226:443 googleads.g.doubleclick.net udp
GB 216.58.204.68:443 www.google.com tcp
GB 142.250.180.6:443 static.doubleclick.net tcp
GB 216.58.201.106:443 jnn-pa.googleapis.com tcp
GB 142.250.187.193:443 yt3.ggpht.com tcp
GB 216.58.201.106:443 jnn-pa.googleapis.com udp
GB 142.250.200.14:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com udp
US 216.239.32.36:443 region1.google-analytics.com udp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp

Files

C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe

MD5 545d64cc91e4da6339a70d54a2443c5d
SHA1 f03344ab824c7cf0f73dcc86aa34cab36e2e54e7
SHA256 04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f
SHA512 733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681

C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe.config

MD5 d6f1152d647b57f64494c3e1d32ede94
SHA1 a35bd77be82c79a034660df07270467ee109f5ac
SHA256 a47f3f83cdb9816f03632833dc361ac5e7a4c5c923af1fdebfa16303f9d68a72
SHA512 699b5ad93d3497348f8aad8e15d54ddd789bbac43f11a7fb629f19cda3749bee0ae06dc83f4e6246df631488169fda5d15c48585581d3a96d2523b8b45e639bd

memory/2380-92-0x0000000000730000-0x0000000000740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ud4yuqo.lmd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/996-102-0x0000027368E50000-0x0000027368E72000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ca9db6aa94730283d8a369e08f8f710c
SHA1 c1ef5c3b08fa3ee3edec4155a31cd20312cb7b09
SHA256 60ac735f5b28b26af18d6f5b4cbaa8b81a01ada539c946bfd8ec32379b0c3b33
SHA512 27d982e3f854ee4e6eaba491679ecda3f60aa086bd5a75ee7aac61d01db177a68d9f1185e7039c623793974ae478cd1b3d35b5df4cade0204d5c0eaec4ab9d06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3a14c2ec70a0175c20aceee2cf4d425f
SHA1 47d680bf85143e5a941b9a2e459bca4c9f8e51f8
SHA256 8e424c207cf0e2e4780c5fd51143b92e9e7a8ad36a9477a8a6819e4b3d4c8d79
SHA512 b9c2dd9927a4fbf1628537235178fdc98f849a30ade35607cff43f479011ab82cff20ce21df9ac3e9d6aceda4d8481e30de973a12451d9ee05a091d9098c11df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6aa7f98432bfc067a5dfb4fa65e6d535
SHA1 141dd5723c4039f8334abdb832fce09c234dc297
SHA256 35670e8d683c61adb54de7db2a1464c545747980df8f034a7fc39a5d29fe87d4
SHA512 b65e043049a2f9af5c3b87888066c40d81f312488176dade17e832008a332431f079de1fea7dae6b417c711c7765197344f0cf89017faef84c9efea3629e1b73

\??\pipe\LOCAL\crashpad_4328_RJXPEPRGRFQIYMGV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.bat

MD5 11937c577d47348990e4816062d0c209
SHA1 a7bc33b4aadd599ba389094f4e11dcfa08383dff
SHA256 d3df40754b99a8d6b1a0bbd1eb126e0a4ac86f50487a75e9325935b6fcfd784f
SHA512 b0ae8c57f9fe907fb55a5bc748310fff1d75ec8039fd6b23c46ff0b41539607b3b1db5f0977caa7d5fb719055038c7ed8e418f3499cb3f1f042cd8e382e9ad95

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 26541f76efcea9a599fa8f9235294723
SHA1 bf21799721b76d75aeacaf4e66c72372960022b2
SHA256 115d27578016de7aafc6887e59f32ea4f035013344c6d92bb2b9ac904ef8de7d
SHA512 0a019438071fa252842067f2fd3d99a8594db9927c70aad0a27752f0db485325b4bb0c273c51942c67696502e7fdd97c7af7f6fba26856a53a28d425f1e0f838

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 09c6c5b50a780b24fd3e100b028b81ad
SHA1 f6697a0aac8e57f611d8a165ac299fbb9041b9d9
SHA256 1474792d33f948a556c34134010f93b1f6ae9c1ec0fb85c4a8ad979334b8e7cb
SHA512 a275e4a31d2d5ff4b5d62edc7f9402c3a02728fc0541bc850f742eac3c34009683066f20501ddc3dc9158391edd2c187a82a9aedd0f3d7cec64333086131e05b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fed72e82cf860a51b4062e3bb146b1be
SHA1 69c0f8a0575ee7ef163071ba6cd473ae57851ed3
SHA256 cdaa4e281eb4230210dc28bfdf7317ac962062e6790284707f5bfde843646410
SHA512 bafa05b68171b142a6154c8405465b5c966197ab3f491e4220bad2927921928909c20ee46f5724c3b5a7b9de15e02ce92712a0bc30e6f27b7a21747d3bf2c770

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 6cff9695dbec31477f95ce955ab4293d
SHA1 396b2a343e5664a93cf0a61f126f6129dc49e0f8
SHA256 3919773e5b37dbf24bb7472641eb4822dfc3dc80652fcb0fc928818fe846b53c
SHA512 c098d028bb055df35bcdaff456648ba729abc11612f33d969185cfa6571e8b20be70b547933baf8df04df16ab699d59c01804a21760a898462f7e3875e1c388e