Analysis

  • max time kernel
    119s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/02/2025, 16:03

General

  • Target

    SilverClient.exe

  • Size

    39KB

  • MD5

    395b240b5cd6b855a5c61526d4fe8601

  • SHA1

    db746420e325b1866873ec70292bab04e35240d0

  • SHA256

    319fb56f8db50bcf490d25f374acf3d7199e66ec1a8d192a97eb5ca7e767bd6b

  • SHA512

    4e38b27906ff28ad6f6e642703e9a36e9a5cf83a8e56b089dfbd31230561f8342adf36746d41567559af5d73dfd8611b42d7e9df6cc41c2c5cd04cdecb724581

  • SSDEEP

    768:lL4/TuKeFbuNlItAvzWNCgLUDXVF/cyIKRU69l9Tz1QB6SexU4ja1E:lLRGIJNCFcyIKG69Dn1QoVxU4ja1E

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

paul-nw.gl.at.ply.gg:51413

Mutex

lAxDBRhAFu

Attributes
  • certificate

  • decrypted_key

    -|S.S.S|-

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    b0FGeVZNcFRMWVloVHR6Z0VESU5RdlpZUmxZbUFE

  • reconnect_delay

    4

  • server_signature

Signatures

  • SilverRat

    SilverRat is a trojan written in C#.

  • Silverrat family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Modifies WinLogon 2 TTPs 3 IoCs
  • Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The helper-DLL technique this signature is named for (registering a DLL with netsh so it is loaded every time netsh runs) is not what this run shows: netsh is invoked once, from PowerShell, to add an inbound allow rule for TCP/3389, so the firewall change, not DLL persistence, is the behaviour to act on.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
    "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
    1⤵
    • Modifies WinLogon
    • Hide Artifacts: Hidden Users
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN SilverClient.exe
      2⤵
        PID:2564
      • C:\Windows\system32\schtasks.exe
        "schtasks.exe" /Create /SC ONCE /TN "SilverClient.exe" /TR "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe \"\SilverClient.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        2⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2260
      • C:\Windows\system32\schtasks.exe
        "schtasks.exe" /query /TN SilverClient.exe
        2⤵
          PID:2108
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2264
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
          2⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2156
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command Enable-NetFirewallRule -DisplayGroup 'Remote Desktop' & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:924
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1608
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1748
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
              4⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:444
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b powershell –ExecutionPolicy Bypass -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath %ProgramFiles%\RDP Wrapper & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:868
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2792
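The tree above is a compact list of host-side indicators: Defender exclusions pushed with `Set-MpPreference`/`Add-MpPreference`, a task created with `/RL HIGHEST`, a second task whose action is the unexpanded `%MyFile%`, RDP opened both via `Enable-NetFirewallRule` and via `netsh advfirewall`, and the typographic en dash the sample uses in place of `-` before `ExecutionPolicy` (PowerShell's tokenizer accepts en and em dashes as a parameter prefix, but legitimate scripts almost never contain one). The following detection logic, added here as an example and not code from tria.ge or from the malware author, turns those observations into rules run over process-creation events. The `Event` schema, the rule names and the `SAMPLE_EVENTS` list are assumptions: the sample is constructed from the command lines printed above, not exported from a real EDR.

```python
"""Triage rules for the behaviour in the process tree above.

Added example; not tria.ge code and not SilverRat's own code. The Event
schema, rule names and SAMPLE_EVENTS are assumptions: the events are
constructed from the report's command lines, not from a real EDR export.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    parent_image: str   # full path of the parent process
    image: str          # full path of this process
    cmdline: str


# en dash / em dash: PowerShell accepts both as a parameter prefix
DASHES = "\u2013\u2014"

# (rule name, ATT&CK technique, pattern searched over the command line)
RULES = [
    # Defender exclusions added through the MpPreference cmdlets
    ("defender_exclusion", "T1562.001",
     re.compile(r"(Set|Add)-MpPreference\s+-Exclusion(Extension|Path|Process)", re.I)),
    # Exclusion for the RDP Wrapper directory specifically
    ("rdp_wrapper_exclusion", "T1562.001",
     re.compile(r"-ExclusionPath\s+\"?.*?RDP Wrapper", re.I)),
    # Task created to run with the highest available privileges
    ("schtasks_highest_runlevel", "T1053.005",
     re.compile(r"schtasks(\.exe)?\"?\s+/create\b.*?/RL\s+HIGHEST", re.I)),
    # Task action is a literal, unexpanded %VAR%: a dropper script ran with its variable unset
    ("schtasks_unexpanded_var", "T1053.005",
     re.compile(r"schtasks(\.exe)?\"?\s+/create\b.*?/TR\s+\"?%[A-Za-z_]+%", re.I)),
    # Inbound RDP opened either by cmdlet or by netsh
    ("rdp_firewall_opened", "T1562.004",
     re.compile(r"Enable-NetFirewallRule\s+-DisplayGroup\s+'Remote Desktop'"
                r"|netsh(\.exe)?\"?\s+advfirewall\s+firewall\s+add\s+rule\b"
                r".*?localport=3389\b.*?action=allow", re.I)),
    # Typographic dash instead of '-' before a PowerShell switch, as in the tree above
    ("powershell_typographic_dash", "T1059.001",
     re.compile(rf"powershell(\.exe)?\"?\s+[{DASHES}]\w+", re.I)),
]

LOLBINS = {"schtasks.exe", "powershell.exe", "cmd.exe", "netsh.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def scan(events):
    """Return (pid, rule, technique) triples for every rule an event trips."""
    findings = []
    for ev in events:
        for name, technique, rx in RULES:
            if rx.search(ev.cmdline):
                findings.append((ev.pid, name, technique))
        # Lineage checks: Windows built-ins launched by a binary in a user's
        # Temp directory, and netsh driven by PowerShell rather than a console.
        if _basename(ev.image) in LOLBINS and "\\appdata\\local\\temp\\" in ev.parent_image.lower():
            findings.append((ev.pid, "lolbin_from_temp", None))
        if _basename(ev.image) == "netsh.exe" and _basename(ev.parent_image) == "powershell.exe":
            findings.append((ev.pid, "netsh_from_powershell", "T1562.004"))
    return findings


def flagged_pids(findings):
    return {pid for pid, _, _ in findings}


def techniques(findings):
    """Sorted ATT&CK IDs; lineage heuristics carry no ID and are skipped."""
    return sorted({t for _, _, t in findings if t})


# Constructed from a subset of the process tree in the report (assumed parents).
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    Event(2896, r"C:\Windows\explorer.exe", TEMP_EXE, r'"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"'),
    Event(2564, TEMP_EXE, r"C:\Windows\system32\schtasks.exe", r'"schtasks.exe" /query /TN SilverClient.exe'),
    Event(2260, TEMP_EXE, r"C:\Windows\system32\schtasks.exe",
          r'"schtasks.exe" /Create /SC ONCE /TN "SilverClient.exe" /TR "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe \"\SilverClient.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST'),
    Event(2264, TEMP_EXE, POWERSHELL, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit'),
    Event(2156, TEMP_EXE, r"C:\Windows\System32\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00'),
    Event(1088, TEMP_EXE, CMD, "\"C:\\Windows\\System32\\cmd.exe\" /k start /b powershell \u2013ExecutionPolicy Bypass -WindowStyle Hidden -Command Enable-NetFirewallRule -DisplayGroup 'Remote Desktop' & exit"),
    Event(924, CMD, POWERSHELL, "powershell \u2013ExecutionPolicy Bypass -WindowStyle Hidden -Command Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'"),
    Event(1748, CMD, POWERSHELL, "powershell \u2013ExecutionPolicy Bypass -WindowStyle Hidden -Command netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow"),
    Event(444, POWERSHELL, r"C:\Windows\system32\netsh.exe", r'"C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow'),
    Event(2792, CMD, POWERSHELL, "powershell \u2013ExecutionPolicy Bypass -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\\Program Files\\RDP Wrapper"),
]

if __name__ == "__main__":
    for pid, rule, technique in scan(SAMPLE_EVENTS):
        print(f"PID {pid:<5} {rule:<28} {technique or '-'}")
```

Every process in the sample except the initial `SilverClient.exe` launch trips at least one rule; the parent-in-Temp heuristic is what catches the benign-looking `schtasks /query` probes before the `/Create`, and the unexpanded `%MyFile%` rule is deliberately narrow because an untouched `%VAR%` inside `/TR` is almost always a script that ran outside the environment it was written for.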

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\CabAF64.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\TarCF17.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        0e90715f68b966caeabf1de7d3762d10

        SHA1

        421f3a92223715bac6a27e20e104130ec5c08f67

        SHA256

        26566369ea2ef1a537ea865d1b15c8307cb84e938aee93ac29a29d5fdd6453a4

        SHA512

        12f5718d7ae6bbb178d87d244fa175c5173bf9c5d319bb5b76caeccf8a5b758003c47bd79d775ac523459fbafdea1c917bc2fccd06ec35f0bbd22e6d5c19d3d8

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        360e757366851586d274e51f909933ac

        SHA1

        5f5a2c0e45ccf5b36e984dd0f7fde5fdcdcee076

        SHA256

        fd83b56009a0c1d5f95f3f3a6c0315fd0b06407ebaf7d275a29cd46cb0b4689b

        SHA512

        e0dba8b35d33790c199daed97ed0bf8cbe93cd76b84380a21ad09a206234fc1c20c89a04dad4cc9a3008209564d7add9d783351af1047c7b063301f7e48c931f

      • memory/1748-70-0x000000001B4B0000-0x000000001B792000-memory.dmp

        Filesize

        2.9MB

      • memory/1748-71-0x0000000001D90000-0x0000000001D98000-memory.dmp

        Filesize

        32KB

      • memory/2264-8-0x0000000002870000-0x0000000002878000-memory.dmp

        Filesize

        32KB

      • memory/2264-7-0x000000001B720000-0x000000001BA02000-memory.dmp

        Filesize

        2.9MB

      • memory/2896-27-0x0000000000900000-0x0000000000910000-memory.dmp

        Filesize

        64KB

      • memory/2896-26-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

        Filesize

        9.9MB

      • memory/2896-46-0x0000000000990000-0x00000000009A0000-memory.dmp

        Filesize

        64KB

      • memory/2896-25-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

        Filesize

        4KB

      • memory/2896-0-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

        Filesize

        4KB

      • memory/2896-2-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

        Filesize

        9.9MB

      • memory/2896-1-0x000000013FBE0000-0x000000013FBEE000-memory.dmp

        Filesize

        56KB