sliver | 924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TDOMAN_CV.doc
Size

59KB
MD5

0aa07c58cdcaf9953eacd916e4f61973
SHA1

17570423d85a315fffac747d3c669848824b1d5c
SHA256

924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb
SHA512

97f158e62a113e2db679203b4a0cd3cfbe65ea990c2b77dab1a204b9b2be8cdaeedf617758892503b6779464fe2466302f06fa821e41aa2d2d58d562c3d12397
SSDEEP

1536:RandM9Ql1gcEdJRUwlPnGoBvpgq4eJEV:8n26HgcEdJRUwVGCyqlJE

Score

10^/10

sliver backdoor trojan

Malware Config

Signatures

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral2/memory/4652-144-0x00007FFED71E0000-0x00007FFED8346000-memory.dmp	SliverRAT_v2

SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 4 IoCs

flow	pid	Process
76	4652	rundll32.exe
77	4652	rundll32.exe
79	4652	rundll32.exe
123	4652	rundll32.exe

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
4652	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\spool\drivers\color\grandfraisupdate.dll	EXCEL.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4000	WINWORD.EXE
4000	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
3504	EXCEL.EXE
3504	EXCEL.EXE
3504	EXCEL.EXE
3504	EXCEL.EXE
3504	EXCEL.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TDOMAN_CV.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\spool\drivers\color\grandfraisupdate.dll,update_grandfrais
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5C33D0C2-43C3-4C53-BD2F-354932654DC9

Filesize
169KB

MD5
c7f7aafd16b61678071612e6db8f0a74

SHA1
2129c3de6ae15807aca572482a8699ede845a03a

SHA256
5a241e959d125d010071b0ed9d81049d5146d17ffc22b47489d777a5fc0690be

SHA512
7f67e57dfae56b4814235904e504fff685c24f9ece292dc1c88b491800694d23a5d4a209d76a983dc5b76ca97d06b3d935ecdff0a3ea2417bd674a7bf501c2f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
c4aaf4c24711f383050ea3da636b8683

SHA1
93bd8a19a56a0602d47ef0a51a7310c53540ecbe

SHA256
e2300498582fbc3f3420fa126b74b8846793858189fda05add35305c93e9afbe

SHA512
9a3fdf4dff4c4fd293a23c308a4656d3d7b3048a0bccf49f2b87bf1e2488724b4e0e9b8f8f0a7c746625de07fdff531b13a93e0916b0fda042655d6cb7c2045d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
deb12cf8e64f882564b5f50ae4eb8a70

SHA1
a175a68be07212189508c4b63bb5e9b08c16d56c

SHA256
17437d4ff15f914fe8641a09f31835ddd3db8bcf5912726df4e47c7ed790ec80

SHA512
822605b402fed9ef5d8477678cc6883836d407772ab75727ec569dbd7578f1493034c20fdf1fac8bfeaf33573144d58a72677a9c21c1628a17662d78a4b6f582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
009305d29c8853b5847a9544c99dfebf

SHA1
6c92cee0093582f81941f40e372c282add3cefa1

SHA256
9c2c5a7cd23ae83e502fb9302a2ef5e08d450b115440ea4df7f5fecab1571cb8

SHA512
dfa6cbfe05870121b808a8ddbb593eccaa73af6aa1db84b7f76acc5d6357802c4c1d69933fc0c2389a9cc53bf9628d7e16d7cacde4903e8fc14b69f1b8cdb29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA512.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
567e99254c8e7722ca44fb82d21c7b2d

SHA1
1ce3eac6328bbf9340788c2613156a5050268999

SHA256
86f9daedbcaf350d4601671d80675932d5c2796a306b67336e626d0fc441b0eb

SHA512
c295832dbbab13cca963ba05e01990e644ce4e59dc1188cd233cf8d5d40d2c8ddfa85990fb4ed2820e216fa2d635a635f5a1772665f5930cafe138d726057e7e

Download Submit
C:\Windows\System32\spool\drivers\color\grandfraisupdate.dll

Filesize
17.4MB

MD5
5615d287207d970765bf9bdef701eb92

SHA1
a261d552ea77c96db5202b7a5f3d2fcfb3ce348b

SHA256
4742371ba458a52733a2b8991ab9a24615108215ff623730403f21e7dd228a7b

SHA512
f8d8633f7f189cefa15070442cfed8383fdf31d7750afa05c2a4ec142a24e23d593bd8cbad634233c9c15cf2da36fae5a4920cc1d24c81c23b3b5d0a75277f02

Download Submit
memory/3504-130-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

Filesize
64KB

Download
memory/3504-131-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

Filesize
64KB

Download
memory/3504-132-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

Filesize
64KB

Download
memory/3504-133-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

Filesize
64KB

Download
memory/4000-13-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-122-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-17-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-18-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-16-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-15-0x00007FFEC1B10000-0x00007FFEC1B20000-memory.dmp

Filesize
64KB

Download
memory/4000-14-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-38-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-51-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-52-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-50-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-2-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

Filesize
64KB

Download
memory/4000-11-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-10-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-9-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-7-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-8-0x00007FFEC1B10000-0x00007FFEC1B20000-memory.dmp

Filesize
64KB

Download
memory/4000-12-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-6-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-0-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

Filesize
64KB

Download
memory/4000-1-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

Filesize
64KB

Download
memory/4000-3-0x00007FFF03B8D000-0x00007FFF03B8E000-memory.dmp

Filesize
4KB

Download
memory/4000-5-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

Filesize
64KB

Download
memory/4000-297-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-4-0x00007FFEC3B70000-0x00007FFEC3B80000-memory.dmp

Filesize
64KB

Download
memory/4000-155-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-150-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-145-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-146-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4000-149-0x00007FFF03AF0000-0x00007FFF03CE5000-memory.dmp

Filesize
2.0MB

Download
memory/4652-147-0x00000181B8AD0000-0x00000181B9BD9000-memory.dmp

Filesize
17.0MB

Download
memory/4652-143-0x00000181B8AD0000-0x00000181B9BD9000-memory.dmp

Filesize
17.0MB

Download
memory/4652-144-0x00007FFED71E0000-0x00007FFED8346000-memory.dmp

Filesize
17.4MB

Download
memory/4652-141-0x00000181B8AD0000-0x00000181B9BD9000-memory.dmp

Filesize
17.0MB

Download
memory/4652-142-0x00000181B8AD0000-0x00000181B9BD9000-memory.dmp

Filesize
17.0MB

Download
memory/4652-140-0x00000181B8AD0000-0x00000181B9BD9000-memory.dmp

Filesize
17.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads