Analysis Overview
SHA256
df9fc08c25a7e1e6578a2a3a89d6c40210164f8090733a7b42c7b013b156eeef
Threat Level: Known bad
The file SilverClient.exe was found to be: Known bad.
Malicious Activity Summary
Silverrat family
SilverRat
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Modifies WinLogon
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-23 15:26
Signatures
Silverrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-23 15:26
Reported
2025-02-23 15:29
Platform
win7-20241010-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
SilverRat
Silverrat family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\ctfmon.exe
ctfmon.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paul-nw.gl.at.ply.gg | udp |
| US | 147.185.221.25:51413 | paul-nw.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | softwares500.000webhostapp.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab95FB.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD58D.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-23 15:26
Reported
2025-02-23 15:29
Platform
win10v2004-20250217-en
Max time kernel
93s
Max time network
152s
Command Line
Signatures
SilverRat
Silverrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2364 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2364 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paul-nw.gl.at.ply.gg | udp |
| US | 147.185.221.25:51413 | paul-nw.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4iemgemd.1ly.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |