sliver | 924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb.doc
Size

59KB
MD5

0aa07c58cdcaf9953eacd916e4f61973
SHA1

17570423d85a315fffac747d3c669848824b1d5c
SHA256

924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb
SHA512

97f158e62a113e2db679203b4a0cd3cfbe65ea990c2b77dab1a204b9b2be8cdaeedf617758892503b6779464fe2466302f06fa821e41aa2d2d58d562c3d12397
SSDEEP

1536:RandM9Ql1gcEdJRUwlPnGoBvpgq4eJEV:8n26HgcEdJRUwVGCyqlJE

Score

10^/10

sliver backdoor trojan

Malware Config

Signatures

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral2/memory/116-131-0x00007FFD9B670000-0x00007FFD9C7D6000-memory.dmp	SliverRAT_v2

SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 5 IoCs

flow	pid	Process
36	116	rundll32.exe
38	116	rundll32.exe
39	116	rundll32.exe
52	116	rundll32.exe
53	116	rundll32.exe

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
116	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\spool\drivers\color\grandfraisupdate.dll	EXCEL.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3308	WINWORD.EXE
3308	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3308	WINWORD.EXE
3308	WINWORD.EXE
3308	WINWORD.EXE
3308	WINWORD.EXE
4904	EXCEL.EXE
4904	EXCEL.EXE
4904	EXCEL.EXE
4904	EXCEL.EXE
4904	EXCEL.EXE
3308	WINWORD.EXE
3308	WINWORD.EXE
3308	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3308

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\spool\drivers\color\grandfraisupdate.dll,update_grandfrais
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
91b8a3d51def558e2d7f72d3384ac46c

SHA1
1bc2977a29325608e749563eddba657b15eb668d

SHA256
dbb808a0a568f795b14c793443a3d18dacf6f7ede7742af17b76f041b8330cf8

SHA512
924f975d58664595dade580d81a8cbc74a0d52790f3b844145d7bd348ea1ba50947aa899d0c1fafd7d681c07a1cf581296f1830f9b2ea93df79d3740de892a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
204326fdc7b05f4c65751389b668f777

SHA1
7ce51c8e59d48f70f395a67fada47079e19d6307

SHA256
9bec07602191bdb30135855316a9eed9b99dc0cef6732916c4a21d89255ecc10

SHA512
acf6e7a0eb405b23ca48dea746c810f1ede88a9d03bd41922bfbbbde9cc9045895051cc5508875e39c69f426d7c2fa0cd8d1129b25f18f22934608ffc21d9a79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
6afc1f47c88c0a4119a8bec4353a07e3

SHA1
c125f317f3a7744f43ca4e44a2b4833b1df7a1fc

SHA256
04b564c7055455485ceab1104e10008fc084b923033658827f50557f3c0c053f

SHA512
163d3e23d5477d6c47c71eec9c49edebe7abe702f53187439e32dfa7314eb3e44372cc4230cabf9e031787912698f511b52fbb97bd89ac0b2a7a8f3c4c54cdf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
b725dd30ef8e321490ab7283c9f73fe6

SHA1
634d69bc41aa678dfa862650a6cb0cb688a10940

SHA256
72dbf0e3a04bf3bcdb161a563358a5f695a1a5ddaa487f4bfd33a1f58bc21ca1

SHA512
e9d8a5bc70591d0d9312b5a545725608387cb14a3be9faf3fbe743b7fda24ea142ea9420056510538f70b6861c34ecc500728d5493a57d0f2a6c00d427b6be86

Download Submit
C:\Windows\System32\spool\drivers\color\grandfraisupdate.dll

Filesize
17.4MB

MD5
5615d287207d970765bf9bdef701eb92

SHA1
a261d552ea77c96db5202b7a5f3d2fcfb3ce348b

SHA256
4742371ba458a52733a2b8991ab9a24615108215ff623730403f21e7dd228a7b

SHA512
f8d8633f7f189cefa15070442cfed8383fdf31d7750afa05c2a4ec142a24e23d593bd8cbad634233c9c15cf2da36fae5a4920cc1d24c81c23b3b5d0a75277f02

Download Submit
memory/116-131-0x00007FFD9B670000-0x00007FFD9C7D6000-memory.dmp

Filesize
17.4MB

Download
memory/116-127-0x0000022DC9A00000-0x0000022DCAB09000-memory.dmp

Filesize
17.0MB

Download
memory/116-117-0x0000022DC9A00000-0x0000022DCAB09000-memory.dmp

Filesize
17.0MB

Download
memory/116-116-0x0000022DC9A00000-0x0000022DCAB09000-memory.dmp

Filesize
17.0MB

Download
memory/116-115-0x0000022DC9A00000-0x0000022DCAB09000-memory.dmp

Filesize
17.0MB

Download
memory/116-114-0x0000022DC9A00000-0x0000022DCAB09000-memory.dmp

Filesize
17.0MB

Download
memory/3308-21-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-13-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-9-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-8-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-11-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-12-0x00007FFD82B70000-0x00007FFD82B80000-memory.dmp

Filesize
64KB

Download
memory/3308-14-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-15-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-17-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-19-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-18-0x00007FFD82B70000-0x00007FFD82B80000-memory.dmp

Filesize
64KB

Download
memory/3308-20-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-22-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-6-0x00007FFD84D30000-0x00007FFD84D40000-memory.dmp

Filesize
64KB

Download
memory/3308-16-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-7-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-5-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-2-0x00007FFD84D30000-0x00007FFD84D40000-memory.dmp

Filesize
64KB

Download
memory/3308-3-0x00007FFD84D30000-0x00007FFD84D40000-memory.dmp

Filesize
64KB

Download
memory/3308-4-0x00007FFD84D30000-0x00007FFD84D40000-memory.dmp

Filesize
64KB

Download
memory/3308-10-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-49-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-48-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-44-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-175-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-136-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-135-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-134-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-126-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-1-0x00007FFDC4D4D000-0x00007FFDC4D4E000-memory.dmp

Filesize
4KB

Download
memory/3308-128-0x00007FFDC4D4D000-0x00007FFDC4D4E000-memory.dmp

Filesize
4KB

Download
memory/3308-129-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-130-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-132-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-133-0x00007FFDC4CB0000-0x00007FFDC4EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3308-0-0x00007FFD84D30000-0x00007FFD84D40000-memory.dmp

Filesize
64KB

Download
memory/4904-125-0x00007FFD84D30000-0x00007FFD84D40000-memory.dmp

Filesize
64KB

Download
memory/4904-122-0x00007FFD84D30000-0x00007FFD84D40000-memory.dmp

Filesize
64KB

Download
memory/4904-124-0x00007FFD84D30000-0x00007FFD84D40000-memory.dmp

Filesize
64KB

Download
memory/4904-123-0x00007FFD84D30000-0x00007FFD84D40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads