Overview

overview

10

Static

static

10

560953939f...d5.exe

windows7-x64

10

560953939f...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    59s
  • max time network
    45s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2025, 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    560953939f22102629a3b62f3468c5a13c6c25f25b2aeabda76bd0e0cf2d73d5.exe

  • Size

    45KB

  • MD5

    d3ccb3a1ecb388c950062855a916c827

  • SHA1

    f5d5ec3f4877819d41a2de66748d24347a00d1a1

  • SHA256

    560953939f22102629a3b62f3468c5a13c6c25f25b2aeabda76bd0e0cf2d73d5

  • SHA512

    0d67ad4f46ece4cdb2273255f4d614bcce89ca3758c96bd45c2a1d34fdd04c8214d0c3a97e79fa3acc47571af53fab7036789eaab563fbb3216896e53cffb9af

  • SSDEEP

    768:X6sg/BD9qVKOXnXhEk75rrmt1E+cXjA7RULQv9S8Q9hD1B6SEJvrl/xU:X6sgJD9q8U5rCwjA7Gsv9eF1oVJ5/xU

Score
10/10
silverratdefense_evasionexecutiontrojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

127.0.0.1:7777

Mutex

SilverMutex_rRFGGPWbDL

Attributes
  • certificate

    MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==

  • decrypted_key

    -|S.S.S|-

  • discord

    https://discordapp.com/api/webhooks/1354344972534550572/iYaCJzbXkLb3YT6yUhx_-NiWb1GadYyNw4eCuscw0WHsCZ3xCxErc2s6bSsEQ3LUa0nl

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    eWhTQVpxY2hiWVREZmZUVUdEckliYXlSdE9TTGNV

  • payload_url

    https://g.top4top.io/p_2522c7w8u1.png

  • reconnect_delay

    4

  • server_signature

    foqVuclxxbucQCJGnGnaPowuPSeeqUyaq3kwEhFvPGfEFrLBaWuCrPNaSC5A2VxPyGC1ViGOvKfX/6RtUM7AOg/J1nZGpVxg5PgHwe1zSRibEFxY7b5UvpoZfTXQw0Osf+GoKgaxo6HveZG5KL9AH1Zf/dn2Wu9VtgcAz8Qrl4LDi4e9AuC6/OKIJ4veKB5XW98voKPRa7tAULSIXi96R5h7ZZlxEU7rox+VXGYfkjIOMlsSOXhvuRptvyl1pfZ0XJsaoMQcot6rTrqQSNDBa0DJZ1VYE4nhWjjKnTmappiVpm+g08Z7NWW79TEC80ZHZQ9TX6jtMtPDN5Wn2juA7L84Mhh03GZrV53+OWaFyf4LhpCWiGPrKzUm+r2FtCmdfkG96emPLLqTR78AGk2DdM3V4ZSq+HTHhchqhdUe8EQ72UjGP3usUYzR1BBbRkeKvE6VwPhoj5FTCM1WBPqNlw2axfwYVMUJZnB0aWRWbzslMlJ4OKPxu5sdha2F5/dojN7O7hXJs8Pzt3ChzNlocnB2RgmQDWywT9WCpH0/uY2uc7kPXNm0RhtpyVLtsCsBoJe40TumlL6UNAtbtAYi/I2/sCJYQJKgNGJpQZAGUfDORFb0G199igd3Re4cpUOwNHC3kw12fQadwJdLrhW8T3DwtAFWj4+AgORs9Y9qhnI=

Signatures

  • SilverRat

    SilverRat is trojan written in C#.

    trojansilverrat
  • Silverrat family
    silverrat
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\560953939f22102629a3b62f3468c5a13c6c25f25b2aeabda76bd0e0cf2d73d5.exe
    "C:\Users\Admin\AppData\Local\Temp\560953939f22102629a3b62f3468c5a13c6c25f25b2aeabda76bd0e0cf2d73d5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5660
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\dw"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:1740
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\dw\$77sd.exe"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:4720
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC65D.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3196
      • C:\Users\Admin\dw\$77sd.exe
        "C:\Users\Admin\dw\$77sd.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks.exe" /query /TN $77sd.exe
          4⤵
            PID:6064
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks.exe" /Create /SC ONCE /TN "$77sd.exe" /TR "C:\Users\Admin\dw\$77sd.exe \"\$77sd.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:436
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks.exe" /query /TN $77sd.exe
            4⤵
              PID:3060
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2296
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "sd_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2968
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:8

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbtgbcs0.t03.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpC65D.tmp.bat
        Filesize

        136B

        MD5

        983e9ee99c9593c0aa6cd6af509e10f5

        SHA1

        db45527b486e8f86388212ff9732f9f293b6a794

        SHA256

        2bbac5ec6a136b6b1a13d75f30341175ba5fd659e5ede9b186fdc49c58f15b28

        SHA512

        31037f59022e581fda848854c3acdab14dcd433af09c495c57c72a892dcc05bd9c93239943f9fba1e2cdc9f5fe45e67894e0bc1cf4427d172dcdb85c84d1df6b

        Download Submit

      • C:\Users\Admin\dw\$77sd.exe
        Filesize

        45KB

        MD5

        d3ccb3a1ecb388c950062855a916c827

        SHA1

        f5d5ec3f4877819d41a2de66748d24347a00d1a1

        SHA256

        560953939f22102629a3b62f3468c5a13c6c25f25b2aeabda76bd0e0cf2d73d5

        SHA512

        0d67ad4f46ece4cdb2273255f4d614bcce89ca3758c96bd45c2a1d34fdd04c8214d0c3a97e79fa3acc47571af53fab7036789eaab563fbb3216896e53cffb9af

        Download Submit

      • memory/2296-23-0x000002B1F9E00000-0x000002B1F9E22000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5660-0-0x00007FFB2C0C3000-0x00007FFB2C0C5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/5660-1-0x00000000004D0000-0x00000000004E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5660-2-0x00007FFB2C0C0000-0x00007FFB2CB81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5660-3-0x00007FFB2C0C3000-0x00007FFB2C0C5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/5660-4-0x00007FFB2C0C0000-0x00007FFB2CB81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/5660-10-0x00007FFB2C0C0000-0x00007FFB2CB81000-memory.dmp

        Filesize

        10.8MB

        Download