sliver | 924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb

General

Target

924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb.doc
Size

59KB
MD5

0aa07c58cdcaf9953eacd916e4f61973
SHA1

17570423d85a315fffac747d3c669848824b1d5c
SHA256

924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb
SHA512

97f158e62a113e2db679203b4a0cd3cfbe65ea990c2b77dab1a204b9b2be8cdaeedf617758892503b6779464fe2466302f06fa821e41aa2d2d58d562c3d12397
SSDEEP

1536:RandM9Ql1gcEdJRUwlPnGoBvpgq4eJEV:8n26HgcEdJRUwVGCyqlJE

Score

10^/10

Malware Config

Signatures

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral2/memory/1808-128-0x00007FFCBCB90000-0x00007FFCBDCF6000-memory.dmp	SliverRAT_v2

SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver
Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
1808	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\spool\drivers\color\grandfraisupdate.dll	EXCEL.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2300	WINWORD.EXE
2300	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
4816	EXCEL.EXE
4816	EXCEL.EXE
4816	EXCEL.EXE
4816	EXCEL.EXE
4816	EXCEL.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\924f953de2ee0ba094a76e5001b8f445d5e80f37e1fa6c5943a13b971f63b0fb.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\spool\drivers\color\grandfraisupdate.dll,update_grandfrais
1⤵
- Loads dropped DLL
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
f0cd77a5c17378d91f7e5d7dfe16a228

SHA1
780ec99a9cc89b19c6d9af16cd3e871f1a138cf8

SHA256
1f3bcc0c03076354d4015bc5a6d5eb997cb207261c834a11df9efad0eff319da

SHA512
399393bfd9c562130f19b737e09a0c270e5a561be394b321084df47515d6125c96675bd1ed1635635daceb098d136ac5a24e520d07f98d11edec76520f52bd14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
0b210712b90adf209602ffc128606fb5

SHA1
ebdcb02bb7c9f0af37cb228c422063dd8756cc9b

SHA256
d97de0345833db1ddfdafce76ccdfb1650c5113680ae479034cc6a33ee81fcb4

SHA512
6d8bcf482edaac0298a08ae5841c60c8090b5ebbd65e5708bb7103d097c86d5d55609cc875cd2779f880937a0d88386ca782e9152c5c9fcf0f9909d1be000cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
347ba64ec527060264cec0d100481e92

SHA1
14312b352ef53a917454cce14a6d4c52ada91818

SHA256
323294bb6c24cfbbd9f59b9a75fa1c33a7e3c275a4541a51a32c3cf809c07859

SHA512
171107940f5a743f7e7a4e3abad916c1ba752518134408988e5264ebed50a6385d40e8233f39e1b3c9afa9a0e9c6b8902c8fbcf8093a86d43e2237b0ab665235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
a2d03b3461f467b156e213b9f95ca284

SHA1
c60694ddea0e688a9da1cd06b1a396a15b1c7245

SHA256
e5e839b971ddf3ea487389dc9b029c70de877b0300777473e3136ea6a4d84279

SHA512
47f167ceca63c73b56d92c78ac5eb1d02f3f849334828bc96aea499c7e1b95a24a5a36e06fdc04ae4309ace60a98dd4dffd0810eea33be93c0bc7329ea26835f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
609570251f1bc338af65bab89eb83587

SHA1
7bb29071695b04173b16117fa7693c6969cd55f3

SHA256
2f197f8e13841e871a2231bf8aaf2f2616126e297ecb869fa3b6ad6879bad0f3

SHA512
40d56a55b27d0f880a12b9525cb44631fc80cc66c54a9de8191520fb9177deac64feba4d25307f4a14b88f62870eadd3157d9a9210c2f467cdce13b2dd7232e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD2DAE.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
1fc60b2a463ddc67a254d371765600d3

SHA1
06d943c2ef22c33c46e0430a96d188f6255e7c17

SHA256
1ab9e2a0ddc3f49a88a52a9c392782cdead447ee56a277aaf91b1d40d219cf68

SHA512
4f1940d8d177747764e6d131e87452d6d3b6c3973ba55bab274f8378deefb2e857353052cab71bce32c0ec95756d2fd64543ed8cb7bde8b8f50018149abeb0d3

Download Submit
C:\Windows\System32\spool\drivers\color\grandfraisupdate.dll

Filesize
17.4MB

MD5
5615d287207d970765bf9bdef701eb92

SHA1
a261d552ea77c96db5202b7a5f3d2fcfb3ce348b

SHA256
4742371ba458a52733a2b8991ab9a24615108215ff623730403f21e7dd228a7b

SHA512
f8d8633f7f189cefa15070442cfed8383fdf31d7750afa05c2a4ec142a24e23d593bd8cbad634233c9c15cf2da36fae5a4920cc1d24c81c23b3b5d0a75277f02

Download Submit
memory/1808-114-0x0000016F92CC0000-0x0000016F93DC9000-memory.dmp

Filesize
17.0MB

Download
memory/1808-113-0x0000016F92CC0000-0x0000016F93DC9000-memory.dmp

Filesize
17.0MB

Download
memory/1808-128-0x00007FFCBCB90000-0x00007FFCBDCF6000-memory.dmp

Filesize
17.4MB

Download
memory/1808-119-0x0000016F92CC0000-0x0000016F93DC9000-memory.dmp

Filesize
17.0MB

Download
memory/1808-115-0x0000016F92CC0000-0x0000016F93DC9000-memory.dmp

Filesize
17.0MB

Download
memory/2300-6-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-1-0x00007FFCA9C50000-0x00007FFCA9C60000-memory.dmp

Filesize
64KB

Download
memory/2300-35-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-36-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-9-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-10-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-5-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-83-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-8-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-104-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-4-0x00007FFCA9C50000-0x00007FFCA9C60000-memory.dmp

Filesize
64KB

Download
memory/2300-28-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-0-0x00007FFCA9C50000-0x00007FFCA9C60000-memory.dmp

Filesize
64KB

Download
memory/2300-13-0x00007FFCA72F0000-0x00007FFCA7300000-memory.dmp

Filesize
64KB

Download
memory/2300-2-0x00007FFCA9C50000-0x00007FFCA9C60000-memory.dmp

Filesize
64KB

Download
memory/2300-12-0x00007FFCA72F0000-0x00007FFCA7300000-memory.dmp

Filesize
64KB

Download
memory/2300-11-0x00007FFCE9BD0000-0x00007FFCE9DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-3-0x00007FFCE9C6D000-0x00007FFCE9C6E000-memory.dmp

Filesize
4KB

Download
memory/2300-7-0x00007FFCA9C50000-0x00007FFCA9C60000-memory.dmp

Filesize
64KB

Download
memory/4816-126-0x00007FFCA9C50000-0x00007FFCA9C60000-memory.dmp

Filesize
64KB

Download
memory/4816-125-0x00007FFCA9C50000-0x00007FFCA9C60000-memory.dmp

Filesize
64KB

Download
memory/4816-127-0x00007FFCA9C50000-0x00007FFCA9C60000-memory.dmp

Filesize
64KB

Download
memory/4816-124-0x00007FFCA9C50000-0x00007FFCA9C60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads