Source: Doc.exe |
ReversingLabs: Detection: 47% |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 99.9% probability |
Source: Doc.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 4x nop then mov rdi, 0000800000000000h |
0_2_00A77120 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 4x nop then mov rsi, r9 |
0_2_00A77EC0 |
Source: global traffic |
TCP traffic: 192.168.2.4:49730 -> 128.65.199.135:8888 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: sam.mr |
Source: Doc.exe, 00000000.00000002.2912183689.000000C000242000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: GetRawInputData |
memstr_5efe563f-6 |
Source: Doc.exe, type: SAMPLE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: Doc.exe, type: SAMPLE |
Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen |
Source: 0.2.Doc.exe.a50000.0.unpack, type: UNPACKEDPE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: 0.2.Doc.exe.a50000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen |
Source: 0.0.Doc.exe.a50000.0.unpack, type: UNPACKEDPE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: 0.0.Doc.exe.a50000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen |
Source: 00000000.00000002.2910387662.00000000015C5000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: 00000000.00000000.1668971259.00000000015C5000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: Process Memory Space: Doc.exe PID: 7440, type: MEMORYSTR |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A560A0 |
0_2_00A560A0 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A968C0 |
0_2_00A968C0 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A94000 |
0_2_00A94000 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A56980 |
0_2_00A56980 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A74980 |
0_2_00A74980 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A5D120 |
0_2_00A5D120 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A79120 |
0_2_00A79120 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A77120 |
0_2_00A77120 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A98100 |
0_2_00A98100 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A96AA0 |
0_2_00A96AA0 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A6E260 |
0_2_00A6E260 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A5BBA0 |
0_2_00A5BBA0 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A833C0 |
0_2_00A833C0 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A64B40 |
0_2_00A64B40 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A6BCA0 |
0_2_00A6BCA0 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A73CC0 |
0_2_00A73CC0 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A775A0 |
0_2_00A775A0 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A6F520 |
0_2_00A6F520 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A5C560 |
0_2_00A5C560 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A80560 |
0_2_00A80560 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A77EC0 |
0_2_00A77EC0 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A63E60 |
0_2_00A63E60 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A56E40 |
0_2_00A56E40 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A68F80 |
0_2_00A68F80 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A85FE0 |
0_2_00A85FE0 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00A59740 |
0_2_00A59740 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: String function: 00A82BC0 appears 305 times |
|
Source: C:\Users\user\Desktop\Doc.exe |
Code function: String function: 00A97340 appears 37 times |
|
Source: Doc.exe, type: SAMPLE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: Doc.exe, type: SAMPLE |
Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team |
Source: 0.2.Doc.exe.a50000.0.unpack, type: UNPACKEDPE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: 0.2.Doc.exe.a50000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team |
Source: 0.0.Doc.exe.a50000.0.unpack, type: UNPACKEDPE |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: 0.0.Doc.exe.a50000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team |
Source: 00000000.00000002.2910387662.00000000015C5000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: 00000000.00000000.1668971259.00000000015C5000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: Process Memory Space: Doc.exe PID: 7440, type: MEMORYSTR |
Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14 |
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/1@1/1 |
Source: C:\Users\user\Desktop\Doc.exe |
File opened: C:\Windows\system32\eaa1ef2ba13537e2451fafb30d9a808a4b8b3ea2665bc603f76bcaf634144697AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
Jump to behavior |
Source: Doc.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Doc.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: Doc.exe |
ReversingLabs: Detection: 47% |
Source: C:\Users\user\Desktop\Doc.exe |
File read: C:\Users\user\Desktop\Doc.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: powrprof.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: umpdc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: netapi32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: wkscli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: samcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Section loaded: samlib.dll |
Jump to behavior |
Source: Doc.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: Doc.exe |
Static file information: File size 15875584 > 1048576 |
Source: Doc.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x942e00 |
Source: Doc.exe |
Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x578200 |
Source: Doc.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: Doc.exe |
Static PE information: section name: .symtab |
Source: C:\Users\user\Desktop\Doc.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00AAB800 rdtscp |
0_2_00AAB800 |
Source: Doc.exe |
Binary or memory string: oKDoTiK.AyxenSVcj |
Source: Doc.exe, 00000000.00000002.2913602213.000002216080C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00AAB800 Start: 00AAB809 End: 00AAB81F |
0_2_00AAB800 |
Source: C:\Users\user\Desktop\Doc.exe |
Code function: 0_2_00AAB800 rdtscp |
0_2_00AAB800 |
Source: C:\Users\user\Desktop\Doc.exe |
Queries volume information: C:\Users\user\Desktop\Doc.exe VolumeInformation |
Jump to behavior |
Source: Yara match |
File source: 00000000.00000002.2912183689.000000C000188000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Doc.exe PID: 7440, type: MEMORYSTR |
Source: Yara match |
File source: 00000000.00000002.2912183689.000000C000188000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Doc.exe PID: 7440, type: MEMORYSTR |