Analysis
- max time kernel: 119s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 23/02/2025, 16:03
Behavioral task: behavioral1
- Sample: SilverClient.exe
- Resource: win7-20240903-en
General
- Target: SilverClient.exe
- Size: 39KB
- MD5: 395b240b5cd6b855a5c61526d4fe8601
- SHA1: db746420e325b1866873ec70292bab04e35240d0
- SHA256: 319fb56f8db50bcf490d25f374acf3d7199e66ec1a8d192a97eb5ca7e767bd6b
- SHA512: 4e38b27906ff28ad6f6e642703e9a36e9a5cf83a8e56b089dfbd31230561f8342adf36746d41567559af5d73dfd8611b42d7e9df6cc41c2c5cd04cdecb724581
- SSDEEP: 768:lL4/TuKeFbuNlItAvzWNCgLUDXVF/cyIKRU69l9Tz1QB6SexU4ja1E:lLRGIJNCFcyIKG69Dn1QoVxU4ja1E
Malware Config
Extracted
- silverrat
- 1.0.0.0
- paul-nw.gl.at.ply.gg:51413
- lAxDBRhAFu
- certificate: [value not present in this extract]
- decrypted_key: -|S.S.S|-
- key: yy6zDjAUmbB09pKvo5Hhug==
- key_x509: b0FGeVZNcFRMWVloVHR6Z0VESU5RdlpZUmxZbUFE
- reconnect_delay: 4
- server_signature: [value not present in this extract]
Signatures
- Silverrat family
- pid | Process
  2264 | powershell.exe
  1748 | powershell.exe
  924 | powershell.exe
  2792 | powershell.exe
  2792 | powershell.exe
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid | Process
  444 | netsh.exe
- Modifies WinLogon (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | SilverClient.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | SilverClient.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Durios = "0" | SilverClient.exe
- Hide Artifacts: Hidden Users (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Durios = "0" | SilverClient.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2260 | schtasks.exe
  2156 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  2896 | SilverClient.exe
  2264 | powershell.exe
  2896 | SilverClient.exe
  2896 | SilverClient.exe
  1748 | powershell.exe
  924 | powershell.exe
  2792 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2896 | SilverClient.exe
  Token: SeDebugPrivilege | 2264 | powershell.exe
  Token: SeDebugPrivilege | 1748 | powershell.exe
  Token: SeDebugPrivilege | 924 | powershell.exe
  Token: SeDebugPrivilege | 2792 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2896 | SilverClient.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target
  PID 2896 wrote to memory of 2564 | 2896 | SilverClient.exe | 28
  PID 2896 wrote to memory of 2564 | 2896 | SilverClient.exe | 28
  PID 2896 wrote to memory of 2564 | 2896 | SilverClient.exe | 28
  PID 2896 wrote to memory of 2260 | 2896 | SilverClient.exe | 30
  PID 2896 wrote to memory of 2260 | 2896 | SilverClient.exe | 30
  PID 2896 wrote to memory of 2260 | 2896 | SilverClient.exe | 30
  PID 2896 wrote to memory of 2108 | 2896 | SilverClient.exe | 32
  PID 2896 wrote to memory of 2108 | 2896 | SilverClient.exe | 32
  PID 2896 wrote to memory of 2108 | 2896 | SilverClient.exe | 32
  PID 2896 wrote to memory of 2264 | 2896 | SilverClient.exe | 34
  PID 2896 wrote to memory of 2264 | 2896 | SilverClient.exe | 34
  PID 2896 wrote to memory of 2264 | 2896 | SilverClient.exe | 34
  PID 2896 wrote to memory of 2156 | 2896 | SilverClient.exe | 36
  PID 2896 wrote to memory of 2156 | 2896 | SilverClient.exe | 36
  PID 2896 wrote to memory of 2156 | 2896 | SilverClient.exe | 36
  PID 2896 wrote to memory of 1088 | 2896 | SilverClient.exe | 41
  PID 2896 wrote to memory of 1088 | 2896 | SilverClient.exe | 41
  PID 2896 wrote to memory of 1088 | 2896 | SilverClient.exe | 41
  PID 2896 wrote to memory of 1608 | 2896 | SilverClient.exe | 43
  PID 2896 wrote to memory of 1608 | 2896 | SilverClient.exe | 43
  PID 2896 wrote to memory of 1608 | 2896 | SilverClient.exe | 43
  PID 2896 wrote to memory of 868 | 2896 | SilverClient.exe | 45
  PID 2896 wrote to memory of 868 | 2896 | SilverClient.exe | 45
  PID 2896 wrote to memory of 868 | 2896 | SilverClient.exe | 45
  PID 1608 wrote to memory of 1748 | 1608 | cmd.exe | 47
  PID 1608 wrote to memory of 1748 | 1608 | cmd.exe | 47
  PID 1608 wrote to memory of 1748 | 1608 | cmd.exe | 47
  PID 1088 wrote to memory of 924 | 1088 | cmd.exe | 48
  PID 1088 wrote to memory of 924 | 1088 | cmd.exe | 48
  PID 1088 wrote to memory of 924 | 1088 | cmd.exe | 48
  PID 868 wrote to memory of 2792 | 868 | cmd.exe | 49
  PID 868 wrote to memory of 2792 | 868 | cmd.exe | 49
  PID 868 wrote to memory of 2792 | 868 | cmd.exe | 49
  PID 1748 wrote to memory of 444 | 1748 | powershell.exe | 50
  PID 1748 wrote to memory of 444 | 1748 | powershell.exe | 50
  PID 1748 wrote to memory of 444 | 1748 | powershell.exe | 50
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\SilverClient.exe (PID 2896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
  - Modifies WinLogon
  - Hide Artifacts: Hidden Users
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\schtasks.exe (PID 2564)
    Command line: "schtasks.exe" /query /TN SilverClient.exe
  - [depth 2] C:\Windows\system32\schtasks.exe (PID 2260)
    Command line: "schtasks.exe" /Create /SC ONCE /TN "SilverClient.exe" /TR "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe \"\SilverClient.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
    - Scheduled Task/Job: Scheduled Task
  - [depth 2] C:\Windows\system32\schtasks.exe (PID 2108)
    Command line: "schtasks.exe" /query /TN SilverClient.exe
  - [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2264)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\System32\schtasks.exe (PID 2156)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
    - Scheduled Task/Job: Scheduled Task
  - [depth 2] C:\Windows\System32\cmd.exe (PID 1088)
    Command line: "C:\Windows\System32\cmd.exe" /k start /b powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command Enable-NetFirewallRule -DisplayGroup 'Remote Desktop' & exit
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 924)
      Command line: powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\System32\cmd.exe (PID 1608)
    Command line: "C:\Windows\System32\cmd.exe" /k start /b powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow & exit
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1748)
      Command line: powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\netsh.exe (PID 444)
        Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
  - [depth 2] C:\Windows\System32\cmd.exe (PID 868)
    Command line: "C:\Windows\System32\cmd.exe" /k start /b powershell –ExecutionPolicy Bypass -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath %ProgramFiles%\RDP Wrapper & exit
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2792)
      Command line: powershell –ExecutionPolicy Bypass -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 0e90715f68b966caeabf1de7d3762d10
  SHA1: 421f3a92223715bac6a27e20e104130ec5c08f67
  SHA256: 26566369ea2ef1a537ea865d1b15c8307cb84e938aee93ac29a29d5fdd6453a4
  SHA512: 12f5718d7ae6bbb178d87d244fa175c5173bf9c5d319bb5b76caeccf8a5b758003c47bd79d775ac523459fbafdea1c917bc2fccd06ec35f0bbd22e6d5c19d3d8
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 360e757366851586d274e51f909933ac
  SHA1: 5f5a2c0e45ccf5b36e984dd0f7fde5fdcdcee076
  SHA256: fd83b56009a0c1d5f95f3f3a6c0315fd0b06407ebaf7d275a29cd46cb0b4689b
  SHA512: e0dba8b35d33790c199daed97ed0bf8cbe93cd76b84380a21ad09a206234fc1c20c89a04dad4cc9a3008209564d7add9d783351af1047c7b063301f7e48c931f