Windows Analysis Report
Doc.exe

Overview

General Information

Sample name: Doc.exe
Analysis ID: 1523125
MD5: 2746a7120bce30e9230a2e71a9ad909f
SHA1: 506c97a2e62a2c962dbd283b2344e73cac4f8271
SHA256: 4480d314657f84b2f829fb85fe6603c288bd9262e00e752e475c2a315dd2013f
Tags: user-lontze7

Detection

Sliver
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Sliver Implants
AI detected suspicious sample
Machine Learning detection for sample
Potentially malicious time measurement code found
Contains functionality for execution timing, often used to detect debuggers
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Communication To Uncommon Destination Ports
Yara signature match

Classification

Name: Sliver
Description: According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver

AV Detection

Source: Doc.exe ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: Doc.exe Joe Sandbox ML: detected
Source: Doc.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Doc.exe Code function: 4x nop then mov rdi, 0000800000000000h 0_2_00A77120
Source: C:\Users\user\Desktop\Doc.exe Code function: 4x nop then mov rsi, r9 0_2_00A77EC0
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 128.65.199.135:8888
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: sam.mr
Source: Doc.exe, 00000000.00000002.2912183689.000000C000242000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_5efe563f-6

System Summary

Source: Doc.exe, type: SAMPLE Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Doc.exe, type: SAMPLE Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 0.2.Doc.exe.a50000.0.unpack, type: UNPACKEDPE Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 0.2.Doc.exe.a50000.0.unpack, type: UNPACKEDPE Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 0.0.Doc.exe.a50000.0.unpack, type: UNPACKEDPE Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 0.0.Doc.exe.a50000.0.unpack, type: UNPACKEDPE Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Source: 00000000.00000002.2910387662.00000000015C5000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: 00000000.00000000.1668971259.00000000015C5000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: Process Memory Space: Doc.exe PID: 7440, type: MEMORYSTR Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A560A0 0_2_00A560A0
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A968C0 0_2_00A968C0
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A94000 0_2_00A94000
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A56980 0_2_00A56980
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A74980 0_2_00A74980
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A5D120 0_2_00A5D120
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A79120 0_2_00A79120
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A77120 0_2_00A77120
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A98100 0_2_00A98100
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A96AA0 0_2_00A96AA0
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A6E260 0_2_00A6E260
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A5BBA0 0_2_00A5BBA0
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A833C0 0_2_00A833C0
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A64B40 0_2_00A64B40
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A6BCA0 0_2_00A6BCA0
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A73CC0 0_2_00A73CC0
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A775A0 0_2_00A775A0
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A6F520 0_2_00A6F520
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A5C560 0_2_00A5C560
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A80560 0_2_00A80560
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A77EC0 0_2_00A77EC0
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A63E60 0_2_00A63E60
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A56E40 0_2_00A56E40
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A68F80 0_2_00A68F80
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A85FE0 0_2_00A85FE0
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00A59740 0_2_00A59740
Source: C:\Users\user\Desktop\Doc.exe Code function: String function: 00A82BC0 appears 305 times
Source: C:\Users\user\Desktop\Doc.exe Code function: String function: 00A97340 appears 37 times
Source: Doc.exe, type: SAMPLE Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Doc.exe, type: SAMPLE Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 0.2.Doc.exe.a50000.0.unpack, type: UNPACKEDPE Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 0.2.Doc.exe.a50000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 0.0.Doc.exe.a50000.0.unpack, type: UNPACKEDPE Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 0.0.Doc.exe.a50000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: 00000000.00000002.2910387662.00000000015C5000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: 00000000.00000000.1668971259.00000000015C5000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: Process Memory Space: Doc.exe PID: 7440, type: MEMORYSTR Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/1@1/1
Source: C:\Users\user\Desktop\Doc.exe File opened: C:\Windows\system32\eaa1ef2ba13537e2451fafb30d9a808a4b8b3ea2665bc603f76bcaf634144697AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: Doc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Doc.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Doc.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\Doc.exe File read: C:\Users\user\Desktop\Doc.exe
Source: C:\Users\user\Desktop\Doc.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Doc.exe Section loaded: samlib.dll
Source: Doc.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Doc.exe Static file information: File size 15875584 > 1048576
Source: Doc.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x942e00
Source: Doc.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x578200
Source: Doc.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Doc.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\Doc.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Doc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00AAB800 rdtscp 0_2_00AAB800
Source: Doc.exe Binary or memory string: oKDoTiK.AyxenSVcj
Source: Doc.exe, 00000000.00000002.2913602213.000002216080C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00AAB800 Start: 00AAB809 End: 00AAB81F 0_2_00AAB800
Source: C:\Users\user\Desktop\Doc.exe Code function: 0_2_00AAB800 rdtscp 0_2_00AAB800
Source: C:\Users\user\Desktop\Doc.exe Queries volume information: C:\Users\user\Desktop\Doc.exe VolumeInformation

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.2912183689.000000C000188000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Doc.exe PID: 7440, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.2912183689.000000C000188000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Doc.exe PID: 7440, type: MEMORYSTR