sliver | e456ee3e4e60b14525e3a2f0b0ca1bda82afcc1fa9ba9696f60c6297c4d01390

General

Target

joeseph-Luna-Logged.exe
Size

13.2MB
MD5

50c48cf579fee7a01dcdff742f16f7c2
SHA1

8758e4bb451725834bae5cb0b006f37898731ebd
SHA256

e456ee3e4e60b14525e3a2f0b0ca1bda82afcc1fa9ba9696f60c6297c4d01390
SHA512

ee542f1c789ae41160d468f9c6e1cd82157203676f177313deed519e4ae4af07a374eb7d594bc146a0c4704deceab723b932201ea9682c1ef1332b8b89ecc618
SSDEEP

393216:hWjIc+GLlRL+bXtZwOTQ44PSEgyumuQM272+Yyx+X:hAvpYdZwO1tmu07JYyIX

Score

10^/10

sliver backdoor defense_evasion discovery execution trojan

Malware Config

Signatures

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral1/files/0x00030000000261a1-21.dat	SliverRAT_v2

SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
356	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2824	mssearch.exe
2888	cache_mibXUSlK3jf8mVRqoEk6JnhMyy.exe

Indirect Command Execution 1 TTPs 1 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
3092	forfiles.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cache_mibXUSlK3jf8mVRqoEk6JnhMyy.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
356	powershell.exe
356	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	356	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2888	cache_mibXUSlK3jf8mVRqoEk6JnhMyy.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 3584	4808	joeseph-Luna-Logged.exe	83
PID 4808 wrote to memory of 3584	4808	joeseph-Luna-Logged.exe	83
PID 4808 wrote to memory of 356	4808	joeseph-Luna-Logged.exe	91
PID 4808 wrote to memory of 356	4808	joeseph-Luna-Logged.exe	91
PID 4808 wrote to memory of 2824	4808	joeseph-Luna-Logged.exe	93
PID 4808 wrote to memory of 2824	4808	joeseph-Luna-Logged.exe	93
PID 4808 wrote to memory of 3092	4808	joeseph-Luna-Logged.exe	94
PID 4808 wrote to memory of 3092	4808	joeseph-Luna-Logged.exe	94
PID 3092 wrote to memory of 2888	3092	forfiles.exe	96
PID 3092 wrote to memory of 2888	3092	forfiles.exe	96
PID 3092 wrote to memory of 2888	3092	forfiles.exe	96

C:\Users\Admin\AppData\Local\Temp\joeseph-Luna-Logged.exe
"C:\Users\Admin\AppData\Local\Temp\joeseph-Luna-Logged.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\system32\whoami.exe
  "whoami" /priv
  2⤵
  PID:3584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Public\Downloads
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:356
- C:\Users\Public\Downloads\mssearch.exe
  "C:\Users\Public\Downloads\mssearch.exe"
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\system32\forfiles.exe
  "forfiles" /p c:\windows\system32 /m cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-UU1sGMbRSEQuGpVoX0tkhMqysfWINRAR\cache_mibXUSlK3jf8mVRqoEk6JnhMyy.exe
  2⤵
  - Indirect Command Execution
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-UU1sGMbRSEQuGpVoX0tkhMqysfWINRAR\cache_mibXUSlK3jf8mVRqoEk6JnhMyy.exe
    "C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-UU1sGMbRSEQuGpVoX0tkhMqysfWINRAR\cache_mibXUSlK3jf8mVRqoEk6JnhMyy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indirect Command Execution

1

T1202

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$SELF-EXTRACT-UU1sGMbRSEQuGpVoX0tkhMqysfWINRAR\cache_mibXUSlK3jf8mVRqoEk6JnhMyy.exe

Filesize
11.7MB

MD5
eaeea58815f18ebdee07608ac15fb73f

SHA1
f0a4a6b521d46f803a5e1c4d8c09ebe42b428243

SHA256
dee1e4964a5db85611dcb801159112d687ffa4d49fb24e86845465b3da1935fb

SHA512
c28d84ef619a1e0704975e867b4279b84849a80282d889e35ccd983d8283347ebf91b0aac5c8cf76257e35d2abc3bac7ea0bb68b1e8078d24e99b53b9127db0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwtunoq3.jvk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Downloads\mssearch.exe

Filesize
14.9MB

MD5
542c777a796fb4bbfbd0e6ae9bcdafbc

SHA1
f15b056e1db72781fd0254a10b99721893a2495f

SHA256
91dd9b2373d18f974fb0dfa3dbca971c97386679eaa0956d30f160df6eb74277

SHA512
d1d1607d2b71e2af498d307c08f7b2c2330a44d57b4cbdcf80482f899b9a5af791e86c8e4c1f9f34dcbe6b27f1af5d105e406bb31de9e81fb17e67103f95bd93

Download Submit
memory/356-1-0x00007FFB3A873000-0x00007FFB3A875000-memory.dmp

Filesize
8KB

Download
memory/356-10-0x000001937E100000-0x000001937E122000-memory.dmp

Filesize
136KB

Download
memory/356-11-0x00007FFB3A870000-0x00007FFB3B332000-memory.dmp

Filesize
10.8MB

Download
memory/356-12-0x00007FFB3A870000-0x00007FFB3B332000-memory.dmp

Filesize
10.8MB

Download
memory/356-15-0x00007FFB3A870000-0x00007FFB3B332000-memory.dmp

Filesize
10.8MB

Download
memory/356-16-0x00007FFB3A870000-0x00007FFB3B332000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing