sliver | 924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb.doc
Size

59KB
MD5

0aa07c58cdcaf9953eacd916e4f61973
SHA1

17570423d85a315fffac747d3c669848824b1d5c
SHA256

924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb
SHA512

97f158e62a113e2db679203b4a0cd3cfbe65ea990c2b77dab1a204b9b2be8cdaeedf617758892503b6779464fe2466302f06fa821e41aa2d2d58d562c3d12397
SSDEEP

1536:RandM9Ql1gcEdJRUwlPnGoBvpgq4eJEV:8n26HgcEdJRUwVGCyqlJE

Score

10^/10

sliver backdoor trojan

Malware Config

Signatures

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral2/memory/4492-142-0x00007FFBF80A0000-0x00007FFBF9206000-memory.dmp	SliverRAT_v2

SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 5 IoCs

flow	pid	Process
57	4492	rundll32.exe
59	4492	rundll32.exe
60	4492	rundll32.exe
119	4492	rundll32.exe
120	4492	rundll32.exe

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
4492	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\spool\drivers\color\grandfraisupdate.dll	EXCEL.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2336	WINWORD.EXE
2336	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
1132	EXCEL.EXE
1132	EXCEL.EXE
1132	EXCEL.EXE
1132	EXCEL.EXE
1132	EXCEL.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE
2336	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2336

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\spool\drivers\color\grandfraisupdate.dll,update_grandfrais
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
d53cb6492d223a49160013fa0944ed66

SHA1
97ecd670d2cdf90076be2ae3a226f1c5e006162b

SHA256
d98ba52164853c886d090129e388a8b47c42f26c266b477ee8abde0a98737d28

SHA512
cd5892d8c360ce30fdff331212169433e3800988e4363503ad5e1b6c8eb3e6b657fb137a44a704e12c0a3f7414bea36c9d1c42cb55ebbae9a62a778b4ad077e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
dd3dfe96587697c6553b37d1a95a7a62

SHA1
5b86c8239b95d4eecdec701524984b79402b0447

SHA256
215ab76e23dd589afb1b65f03e71d7388c17ce4ca0b34f67c975bdbd48b19694

SHA512
e380929921004159433cf0fa28d5f413fe6c549776c041e1753c81b21b4945dce2edb3c75460a6b73ec6849c2e564278a3ab74d3ee60e02ae9c80b2146d18452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\ABB3849A-2BC2-4453-AC5F-317A8B5FFDDD

Filesize
169KB

MD5
9ed821b10f65730a1648cb14daf7c741

SHA1
5930cce5597f924357779c57c04592c4f343b344

SHA256
1d9621960871e7416f421dfaa05733ff4e09d28a679a3b257bdbb7c1a9d907d2

SHA512
e691f5028461abf87804bff1614540c780427ab1884a8eeb1a6ff6403520b45ef7593a2ebb047ee852f28d87ac4ddc180d4f1c0746af5253cc72009e39245b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
6ce182a79d1b8cc7e9d3a7f44e071c20

SHA1
4d245a45f7c81ef0e4e87d1df28e5e1b742bc56f

SHA256
f304a21a5a342f08f18d772f2614f3758b937e188c5df2681d2560e735fbee71

SHA512
3c7d025e4d0ec1e0f4ea937197b775f2049dde73ca1d9199d56c500b502736a43be2478e73b4def288281f98b403df57976e1b0d8f872af57b80d8fd65c2044d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
e3a7879c1ba03b4d9681007a54438452

SHA1
f3dfd5b88513a13739d3582701bb7a1481cc032f

SHA256
a18b47807de1ba8df7a135fde8dd2e89a7cf099bf065310c34d6ba5e2da993ec

SHA512
c108d9ff23a0faa32afd2c8c0bda61cb00301bdd48dbb234488179b468af18d781f22263f414aca5856e3ed40ebbb2b05a50c54faff6f08413754d2100f93dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
249d49e4ddea647869b2dd1ea19eade5

SHA1
4e8a4c2268fc671b98775bdfb14bd6639e92918b

SHA256
820534f66a5ff08887dff61da48affd49371541b8e563bfda12bdf4f7e0a1ec0

SHA512
15d02c83c655ce4f1896e418b59b20b18fe5aa6588df56569364d422d2f3226c5b289b4118a2dd4f8682234795c5195ef34759dd814911268b6d5685eab3c4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDF467.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
3d8d0f6f5cc3aa5f3a8ac4966df5e607

SHA1
c7ff0b7419dc43339538a14d7ec30bef6b43a984

SHA256
d52831dc22160105c50418b7656afe09f5b8533eb9c593eae40e974f8f7b02a4

SHA512
20353e365163913aa3644fa8e522997b2d515a690c1778fcc6619bd82f889814f1ad264ce125cc8d966d8476b0136c7fa5101b3b67e4918f6acd19c2b8e030c7

Download Submit
C:\Windows\System32\spool\drivers\color\grandfraisupdate.dll

Filesize
17.4MB

MD5
5615d287207d970765bf9bdef701eb92

SHA1
a261d552ea77c96db5202b7a5f3d2fcfb3ce348b

SHA256
4742371ba458a52733a2b8991ab9a24615108215ff623730403f21e7dd228a7b

SHA512
f8d8633f7f189cefa15070442cfed8383fdf31d7750afa05c2a4ec142a24e23d593bd8cbad634233c9c15cf2da36fae5a4920cc1d24c81c23b3b5d0a75277f02

Download Submit
memory/1132-140-0x00007FFBE4ED0000-0x00007FFBE4EE0000-memory.dmp

Filesize
64KB

Download
memory/1132-139-0x00007FFBE4ED0000-0x00007FFBE4EE0000-memory.dmp

Filesize
64KB

Download
memory/1132-138-0x00007FFBE4ED0000-0x00007FFBE4EE0000-memory.dmp

Filesize
64KB

Download
memory/1132-137-0x00007FFBE4ED0000-0x00007FFBE4EE0000-memory.dmp

Filesize
64KB

Download
memory/2336-46-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-101-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-17-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-14-0x00007FFBE2800000-0x00007FFBE2810000-memory.dmp

Filesize
64KB

Download
memory/2336-20-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-19-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-18-0x00007FFBE2800000-0x00007FFBE2810000-memory.dmp

Filesize
64KB

Download
memory/2336-9-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-32-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-44-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-0-0x00007FFBE4ED0000-0x00007FFBE4EE0000-memory.dmp

Filesize
64KB

Download
memory/2336-45-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-15-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-13-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-12-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-11-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-10-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-6-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-7-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-16-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-102-0x00007FFC24EED000-0x00007FFC24EEE000-memory.dmp

Filesize
4KB

Download
memory/2336-8-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-123-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-301-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-1-0x00007FFC24EED000-0x00007FFC24EEE000-memory.dmp

Filesize
4KB

Download
memory/2336-143-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-141-0x00007FFC24E50000-0x00007FFC25045000-memory.dmp

Filesize
2.0MB

Download
memory/2336-3-0x00007FFBE4ED0000-0x00007FFBE4EE0000-memory.dmp

Filesize
64KB

Download
memory/2336-4-0x00007FFBE4ED0000-0x00007FFBE4EE0000-memory.dmp

Filesize
64KB

Download
memory/2336-5-0x00007FFBE4ED0000-0x00007FFBE4EE0000-memory.dmp

Filesize
64KB

Download
memory/2336-2-0x00007FFBE4ED0000-0x00007FFBE4EE0000-memory.dmp

Filesize
64KB

Download
memory/4492-129-0x000001745ECC0000-0x000001745FDC9000-memory.dmp

Filesize
17.0MB

Download
memory/4492-128-0x000001745ECC0000-0x000001745FDC9000-memory.dmp

Filesize
17.0MB

Download
memory/4492-127-0x000001745ECC0000-0x000001745FDC9000-memory.dmp

Filesize
17.0MB

Download
memory/4492-142-0x00007FFBF80A0000-0x00007FFBF9206000-memory.dmp

Filesize
17.4MB

Download
memory/4492-126-0x000001745ECC0000-0x000001745FDC9000-memory.dmp

Filesize
17.0MB

Download
memory/4492-125-0x000001745ECC0000-0x000001745FDC9000-memory.dmp

Filesize
17.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads