Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 2s
max time network: 4s
platform: windows7_x64
resource: win7-20250207-en
resource tags: arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
submitted: 23/02/2025, 16:59
Behavioral task behavioral1
Sample: SeroXenBoost.exe
Resource: win7-20250207-en
Behavioral task behavioral2
Sample: SeroXenBoost.exe
Resource: win10v2004-20250217-en
General
Target: SeroXenBoost.exe
Size: 44KB
MD5: 8005773f97e8f5c44e2f12eab0141cc5
SHA1: c751dde5b44d985eebaeb9dc027867a9049d4d07
SHA256: 0902f1d84a1c4ae0bd2c0dbb029240487332655a0d7ea5106013b7a2590b519b
SHA512: 2e6b9cff1f281e4a3ce14c879349caf1794b465de48af9bd9e6fee28c75119546872a948b381d248ad46baae6b52a046a9df7ec865fb24df77cd05d9a2639e05
SSDEEP: 768:9V2VRlzVhpvH2VNZZKkVnnn9tF6WRUT0dT9ws+be/1B6SNSlvrz/BB+l:9VGmfHtFBGAZ9gW1omSlH/f+l
Malware Config
Extracted
Family: silverrat
Version: 1.0.0.0
C2: 172.221.202.55:4421
Mutex: SilverMutex_dQhpoXJDyX
certificate: [value omitted]
decrypted_key: -|S.S.S|-
discord: https://discord.com/api/webhooks/1343008288949669961/TCucLQwwnBXuvu4Z6dJ60IcurXSQYorW9CafoG4F4z55ALbW4u2zJa__1PNCU81Kuh4g
key: yy6zDjAUmbB09pKvo5Hhug==
key_x509: UnJEUnNyTmxjY1FPVFJaUlNYaVl4VWxWREpmS0xj
payload_url: https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay: 4
server_signature: [value omitted]
Signatures
Silverrat family

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid / Process:
2232 attrib.exe
2532 attrib.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid / Process:
1280 SeroXenBoost.exe
1280 SeroXenBoost.exe
1280 SeroXenBoost.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description / pid / Process:
Token: SeDebugPrivilege 1280 SeroXenBoost.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description / pid / Process / procid_target:
PID 1280 wrote to memory of 2232 1280 SeroXenBoost.exe 30
PID 1280 wrote to memory of 2232 1280 SeroXenBoost.exe 30
PID 1280 wrote to memory of 2232 1280 SeroXenBoost.exe 30
PID 1280 wrote to memory of 2532 1280 SeroXenBoost.exe 31
PID 1280 wrote to memory of 2532 1280 SeroXenBoost.exe 31
PID 1280 wrote to memory of 2532 1280 SeroXenBoost.exe 31

Views/modifies file attributes (1 TTPs, 2 IoCs)
pid / Process:
2232 attrib.exe
2532 attrib.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\SeroXenBoost.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SeroXenBoost.exe"
   PID: 1280
   Suspicious behavior: EnumeratesProcesses
   Suspicious use of AdjustPrivilegeToken
   Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\attrib.exe
      Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Windows"
      PID: 2232
      Sets file to hidden
      Views/modifies file attributes
   2. C:\Windows\System32\attrib.exe
      Command line: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Windows\$77xdwd.dll.exe"
      PID: 2532
      Sets file to hidden
      Views/modifies file attributes