Analysis Overview
SHA256
319fb56f8db50bcf490d25f374acf3d7199e66ec1a8d192a97eb5ca7e767bd6b
Threat Level: Known bad
The file SilverClient.exe was found to be: Known bad.
Malicious Activity Summary
Silverrat family
SilverRat
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Checks computer location settings
Modifies WinLogon
Command and Scripting Interpreter: PowerShell
Hide Artifacts: Hidden Users
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-23 16:03
Signatures
Silverrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-23 16:03
Reported
2025-02-23 16:05
Platform
win7-20240903-en
Max time kernel
119s
Max time network
155s
Command Line
Signatures
SilverRat
Silverrat family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Durios = "0" | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
Hide Artifacts: Hidden Users
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Durios = "0" | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN SilverClient.exe
C:\Windows\system32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "SilverClient.exe" /TR "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe \"\SilverClient.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN SilverClient.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command Enable-NetFirewallRule -DisplayGroup 'Remote Desktop' & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell –ExecutionPolicy Bypass -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath %ProgramFiles%\RDP Wrapper & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass -WindowStyle Hidden -Command Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Program Files\RDP Wrapper
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paul-nw.gl.at.ply.gg | udp |
| US | 147.185.221.25:51413 | paul-nw.gl.at.ply.gg | tcp |
| US | 147.185.221.25:51413 | paul-nw.gl.at.ply.gg | tcp |
| US | 147.185.221.25:51413 | paul-nw.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | softwares500.000webhostapp.com | udp |
| US | 8.8.8.8:53 | softwares500.000webhostapp.com | udp |
Files
memory/2896-0-0x000007FEF5583000-0x000007FEF5584000-memory.dmp
memory/2896-1-0x000000013FBE0000-0x000000013FBEE000-memory.dmp
memory/2896-2-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp
memory/2264-7-0x000000001B720000-0x000000001BA02000-memory.dmp
memory/2264-8-0x0000000002870000-0x0000000002878000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabAF64.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2896-25-0x000007FEF5583000-0x000007FEF5584000-memory.dmp
memory/2896-26-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp
memory/2896-27-0x0000000000900000-0x0000000000910000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarCF17.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2896-46-0x0000000000990000-0x00000000009A0000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 0e90715f68b966caeabf1de7d3762d10 |
| SHA1 | 421f3a92223715bac6a27e20e104130ec5c08f67 |
| SHA256 | 26566369ea2ef1a537ea865d1b15c8307cb84e938aee93ac29a29d5fdd6453a4 |
| SHA512 | 12f5718d7ae6bbb178d87d244fa175c5173bf9c5d319bb5b76caeccf8a5b758003c47bd79d775ac523459fbafdea1c917bc2fccd06ec35f0bbd22e6d5c19d3d8 |
memory/1748-71-0x0000000001D90000-0x0000000001D98000-memory.dmp
memory/1748-70-0x000000001B4B0000-0x000000001B792000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 360e757366851586d274e51f909933ac |
| SHA1 | 5f5a2c0e45ccf5b36e984dd0f7fde5fdcdcee076 |
| SHA256 | fd83b56009a0c1d5f95f3f3a6c0315fd0b06407ebaf7d275a29cd46cb0b4689b |
| SHA512 | e0dba8b35d33790c199daed97ed0bf8cbe93cd76b84380a21ad09a206234fc1c20c89a04dad4cc9a3008209564d7add9d783351af1047c7b063301f7e48c931f |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-23 16:03
Reported
2025-02-23 16:05
Platform
win10v2004-20250217-en
Max time kernel
96s
Max time network
148s
Command Line
Signatures
SilverRat
Silverrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
"C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN SilverClient.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "SilverClient.exe" /TR "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe \"\SilverClient.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN SilverClient.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paul-nw.gl.at.ply.gg | udp |
| US | 147.185.221.25:51413 | paul-nw.gl.at.ply.gg | tcp |
Files
memory/2092-0-0x00007FFFD06F3000-0x00007FFFD06F5000-memory.dmp
memory/2092-1-0x0000000000360000-0x000000000036E000-memory.dmp
memory/2092-2-0x00007FFFD06F0000-0x00007FFFD11B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ah4cwzci.aq3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2224-8-0x000001F2CDE10000-0x000001F2CDE32000-memory.dmp
memory/2092-15-0x00007FFFD06F3000-0x00007FFFD06F5000-memory.dmp
memory/2092-16-0x00007FFFD06F0000-0x00007FFFD11B1000-memory.dmp