
Analysis Report dokumentera.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 219421
Start date: 01.04.2020
Start time: 10:50:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: dokumentera.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.evad.winEXE@3/3@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 1.6% (good quality ratio 1.3%)
  • Quality average: 82.3%
  • Quality standard deviation: 35.4%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 36
  • Number of non-executed functions: 5
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 40.90.23.153, 40.90.137.126, 40.90.137.124, 20.44.86.43, 67.27.234.126, 8.241.122.254, 8.253.95.120, 67.27.159.126, 67.27.235.126, 8.241.121.254, 67.26.81.254, 67.27.157.254, 8.241.123.126, 67.27.233.126, 205.185.216.10, 205.185.216.42, 67.26.83.254, 8.253.95.121, 67.27.158.126, 93.184.221.240, 67.27.158.254, 67.27.233.254, 8.248.121.254, 8.248.131.254
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, lgin.msa.trafficmanager.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu.azureedge.net, login.msa.msidentity.com, login.live.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 76 | 0 - 100 | | false | Nanocore | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | Winlogon Helper DLL | Process Injection11 | Masquerading1 | Credential Dumping | Virtualization/Sandbox Evasion14 | Application Deployment Software | Data from Local System | Data Encrypted1 | Standard Cryptographic Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Software Packing12 | Network Sniffing | Security Software Discovery231 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Disabling Security Tools1 | Input Capture | Remote System Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Modify Registry1 | Credentials in Files | System Information Discovery21 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | - | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Virtualization/Sandbox Evasion14 | Account Manipulation | Remote System Discovery | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Process Injection11 | Brute Force | System Owner/User Discovery | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | - | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Obfuscated Files or Information2 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | DLL Side-Loading1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
(Digits appended to a technique name are the matched-signature count badges shown in the original matrix; "-" marks an empty cell.)

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: dokumentera.exe; Virustotal: Detection: 20%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000001.00000002.979416451.00000000038FB000.00000004.00000001.sdmp, type: MEMORY

Networking:

Urls found in memory or binary data
Source: dokumentera.exe, 00000001.00000003.891489482.0000000004C5E000.00000004.00000001.sdmp, dokumentera.exe, 00000001.00000002.998272929.0000000005DF2000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: dokumentera.exe, 00000001.00000002.998272929.0000000005DF2000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: dokumentera.exe, 00000001.00000002.998272929.0000000005DF2000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: dokumentera.exe, 00000001.00000003.889613103.0000000004C5E000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: dokumentera.exe, 00000001.00000003.903338495.0000000004C22000.00000004.00000001.sdmp, dokumentera.exe, 00000001.00000003.906088907.0000000004C23000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: dokumentera.exe, 00000001.00000003.904711040.0000000004C3B000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/
Source: dokumentera.exe, 00000001.00000002.998272929.0000000005DF2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dokumentera.exe, 00000001.00000002.998272929.0000000005DF2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dokumentera.exe, 00000001.00000003.898272614.0000000004C5E000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/m
Source: dokumentera.exe, 00000001.00000003.906088907.0000000004C23000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnE
Source: dokumentera.exe, 00000001.00000003.903162676.0000000004C25000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnd
Source: dokumentera.exe, 00000001.00000003.903162676.0000000004C25000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnn
Source: dokumentera.exe, 00000001.00000003.897246104.0000000004C5E000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: dokumentera.exe, 00000001.00000003.921718833.0000000004C29000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dokumentera.exe, 00000001.00000003.921718833.0000000004C29000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: dokumentera.exe, 00000001.00000003.921718833.0000000004C29000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Q
Source: dokumentera.exe, 00000001.00000003.921718833.0000000004C29000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/V
Source: dokumentera.exe, 00000001.00000003.921718833.0000000004C29000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-s
Source: dokumentera.exe, 00000001.00000003.921718833.0000000004C29000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: dokumentera.exe, 00000001.00000003.921718833.0000000004C29000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: dokumentera.exe, 00000001.00000003.921718833.0000000004C29000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/es-m
Source: dokumentera.exe, 00000001.00000003.921718833.0000000004C29000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: dokumentera.exe, 00000001.00000003.921718833.0000000004C29000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: dokumentera.exe, 00000001.00000003.885946764.000000000087B000.00000004.00000001.sdmp, dokumentera.exe, 00000001.00000002.998272929.0000000005DF2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: dokumentera.exe, 00000001.00000003.885946764.000000000087B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.comRln(
Source: dokumentera.exe, 00000001.00000003.885946764.000000000087B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.comn-u
Source: dokumentera.exe, 00000001.00000003.885946764.000000000087B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.comuctYK
Source: dokumentera.exe, 00000001.00000003.885946764.000000000087B000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.comwD
Source: dokumentera.exe, 00000001.00000002.998272929.0000000005DF2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: dokumentera.exe, 00000001.00000003.898272614.0000000004C5E000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: dokumentera.exe, 00000001.00000002.998272929.0000000005DF2000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: dokumentera.exe, 00000001.00000003.912661770.0000000004C23000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comV
Source: dokumentera.exe, 00000001.00000003.912661770.0000000004C23000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comslntz
Source: dokumentera.exe, 00000001.00000003.890371556.000000000087A000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.net
Source: dokumentera.exe, 00000001.00000003.890371556.000000000087A000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.net0
Source: dokumentera.exe, 00000001.00000002.998272929.0000000005DF2000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: dokumentera.exe, 00000001.00000003.890371556.000000000087A000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netntQG
Source: dokumentera.exe, 00000001.00000002.998272929.0000000005DF2000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000001.00000002.979416451.00000000038FB000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.979416451.00000000038FB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.979416451.00000000038FB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Creates files inside the system directory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_023409DA
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_02483AE8
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_024800E8
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_02488CE8
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_02484CE0
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_02484FF8
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_024856F1
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_02486588
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_02486FAF
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_02488160
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_024800D9
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_02483B8A
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_02484D98
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_024840A9
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_024880B8
One or more processes crash
Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1276
Sample file is different than original file name gathered from version info
Source: dokumentera.exe, 00000001.00000002.967941263.00000000001F2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameyiVABopRrUTkZsAcmoX.exe6 vs dokumentera.exe
Source: dokumentera.exe, 00000001.00000002.999641807.00000000068B0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameDefender Protect.dllB vs dokumentera.exe
Source: dokumentera.exe, 00000001.00000002.1018924721.0000000007B80000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs dokumentera.exe
Source: dokumentera.exe; Binary or memory string: OriginalFilenameyiVABopRrUTkZsAcmoX.exe6 vs dokumentera.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; Section loaded: ext-ms-win-xblauth-console-l1.dll
Yara signature match
Source: 00000001.00000002.979416451.00000000038FB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.979416451.00000000038FB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: dokumentera.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Binary contains paths to development resources
Source: dokumentera.exe, 00000001.00000003.904642684.0000000004C5E000.00000004.00000001.sdmp; Binary or memory string: =MS Gothic is a trademark of the Microsoft group of companies.slnt
Classification label
Source: classification engine; Classification label: mal76.troj.evad.winEXE@3/3@0/0
Creates mutexes
Source: C:\Users\user\Desktop\dokumentera.exe; Mutant created: \Sessions\1\BaseNamedObjects\fujKOAmTtL
Creates temporary files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3FBB.tmp
PE file has an executable .text section and no other executable section
Source: dokumentera.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\dokumentera.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\dokumentera.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\dokumentera.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads software policies
Source: C:\Users\user\Desktop\dokumentera.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: dokumentera.exe; Virustotal: Detection: 20%
Sample reads its own file content
Source: C:\Users\user\Desktop\dokumentera.exe; File read: C:\Users\user\Desktop\dokumentera.exe
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\dokumentera.exe 'C:\Users\user\Desktop\dokumentera.exe'
Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1276
Source: C:\Users\user\Desktop\dokumentera.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1276
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\dokumentera.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\dokumentera.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
PE file contains a COM descriptor data directory
Source: dokumentera.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\dokumentera.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: dokumentera.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\mscorlib.pdb\; source: dokumentera.exe, 00000001.00000002.970543494.00000000024C0000.00000004.00000040.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb; source: dokumentera.exe, 00000001.00000002.968116517.0000000000586000.00000004.00000010.sdmp
Source: Binary string: lib.pdb; source: dokumentera.exe, 00000001.00000002.970543494.00000000024C0000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb; source: dokumentera.exe, 00000001.00000002.970543494.00000000024C0000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb; source: dokumentera.exe, 00000001.00000002.999641807.00000000068B0000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb; source: dokumentera.exe, 00000001.00000002.1018924721.0000000007B80000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: dokumentera.exe, u0005u2004.cs; .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.dokumentera.exe.190000.0.unpack, u0005u2004.cs; .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.dokumentera.exe.190000.0.unpack, u0005u2004.cs; .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_0019F419 push cs; ret 1_2_0019F41A
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_0019F99C push cs; ret 1_2_0019F99D
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_0019F6FA push cs; ret 1_2_0019F6FB
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_008A75BF pushfd ; ret 1_2_008A75D5
Binary may include packed or encrypted code
Source: initial sample; Static PE information: section name: .text entropy: 7.91855675435

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\dokumentera.exe; Process information set: NOOPENFILEERRORBOX (32 consecutive identical events)
Source: C:\Users\user\Desktop\dokumentera.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dokumentera.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dokumentera.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dokumentera.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dokumentera.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; Process information set: NOOPENFILEERRORBOX (8 consecutive identical events)

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\dokumentera.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAMED
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\dokumentera.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\dokumentera.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\dokumentera.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\dokumentera.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\dokumentera.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\dokumentera.exe TID: 4668; Thread sleep time: -65000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; File opened: PhysicalDrive0
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: QEMUP
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: |i"SOFTWARE\VMware, Inc.\VMware Tools
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: |i87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: |i#"SOFTWARE\VMware, Inc.\VMware ToolsP
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: vmware
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: |iA"SOFTWARE\VMware, Inc.\VMware Tools
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: vmwareD
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: |i%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: 9|i"SOFTWARE\VMware, Inc.\VMware ToolsD
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: |i&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: VMWARE
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: VMWARED
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: 9|i%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\D
Source: dokumentera.exe, 00000001.00000002.972330247.0000000002810000.00000004.00000001.sdmp; Binary or memory string: QEMUD

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\dokumentera.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\dokumentera.exe; Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 1_2_0248910A LdrInitializeThunk,1_2_0248910A
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\dokumentera.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\dokumentera.exe, process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1276
dw20.exe is the .NET Framework 2.0 error-reporting (Watson) shim that the CLR spawns, with exactly this "-x -s <handle>" command line, after a managed application hits an unhandled exception. This event is therefore at least as consistent with the sample crashing as with process injection; treat it as evidence of injection only if a memory write or thread creation targeting dw20.exe is also observed.

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\dokumentera.exe, queries VolumeInformation on the following files under C:\Windows\Fonts\ (in the order observed; micross.ttf is queried twice):
bahnschrift.ttf, calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, framdit.ttf, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf, segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, seguiemj.ttf, seguihis.ttf, seguisym.ttf, simsun.ttc, simsunb.ttf, Sitka.ttc, SitkaI.ttc, SitkaB.ttc, SitkaZ.ttc, sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, trebuc.ttf, trebucit.ttf, trebucbd.ttf, trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanab.ttf, verdanaz.ttf, webdings.ttf, wingding.ttf, YuGothR.ttc, YuGothM.ttc, YuGothL.ttc, YuGothB.ttc, holomdl2.ttf, BKANT.TTF, ANTQUAI.TTF, ANTQUAB.TTF, ANTQUABI.TTF, BOOKOS.TTF, BOOKOSB.TTF, BOOKOSI.TTF, BOOKOSBI.TTF, BRADHITC.TTF, BSSYM7.TTF, CENTURY.TTF, DUBAI-REGULAR.TTF, DUBAI-MEDIUM.TTF, DUBAI-LIGHT.TTF, DUBAI-BOLD.TTF, FREESCPT.TTF, FRSCRIPT.TTF, GARA.TTF, GARAIT.TTF, GARABD.TTF, GOTHIC.TTF, GOTHICI.TTF, GOTHICB.TTF, GOTHICBI.TTF, ITCKRIST.TTF, JUICE___.TTF, LEELAWAD.TTF, LEELAWDB.TTF, LHANDW.TTF, MISTRAL.TTF, MSUIGHUR.TTF, MSUIGHUB.TTF, MTCORSVA.TTF, MTEXTRA.TTF, OUTLOOK.TTF, PAPYRUS.TTF, PRISTINA.TTF, REFSAN.TTF, REFSPCL.TTF, TEMPSITC.TTF, WINGDNG2.TTF, WINGDNG3.TTF, marlett.ttf, micross.ttf
Walking every file in C:\Windows\Fonts is what GDI+ does when a .NET/WinForms application builds its installed-font collection, so for a managed sample this activity is expected rather than a fingerprinting technique in its own right; the font-vendor URLs listed later in this report are read from these same files.

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match, file source: 00000001.00000002.979416451.00000000038FB000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Nanocore RAT
Source: Yara match, file source: 00000001.00000002.979416451.00000000038FB000.00000004.00000001.sdmp, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

(Graph image not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.)

Simulations

Behavior and APIs

Time | Type | Description
10:52:26 | API Interceptor | 1x Sleep call for process: dokumentera.exe modified
10:52:32 | API Interceptor | 1x Sleep call for process: dw20.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
dokumentera.exe | 21% | Virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Every host in this table is a font-foundry website of the kind embedded in the 'name' table of Windows font files, and the sample enumerated those files (see the VolumeInformation queries above); the strings should be tied to that enumeration before any of them is treated as a network indicator. Characters after the host or path ("comwD", "netntQG", "slntz") are neighbouring memory carved together with the URL.

URL | Detection | Scanner | Label
http://www.sajatypeworks.comwD | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/V | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 1% | Virustotal | -
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.sajatypeworks.comuctYK | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Q | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comn-u | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | Virustotal | -
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | Virustotal | -
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.sajatypeworks.comRln( | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cnE | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | Virustotal | -
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | Virustotal | -
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | Virustotal | -
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cnn | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | Virustotal | -
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | Virustotal | -
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.tiro.comV | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/es-m | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0/ | 0% | URL Reputation | safe
http://www.typography.net | 0% | Virustotal | -
http://www.typography.net | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/o | 0% | Virustotal | -
http://www.jiyu-kobo.co.jp/o | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | Virustotal | -
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/. | 0% | Virustotal | -
http://www.jiyu-kobo.co.jp/. | 0% | Avira URL Cloud | safe
http://www.tiro.comslntz | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | Virustotal | -
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.typography.net0 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/d | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | Virustotal | -
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.typography.netntQG | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | Virustotal | -
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/m | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnd | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0-s | 0% | Avira URL Cloud | safe
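The 36 distinct carved strings in this table collapse to 11 hosts once the trailing bytes are dropped. The following added Python example (not Joe Sandbox code) performs that collapse and flags any host that a font-foundry allowlist does not account for; the miniature public-suffix list and the allowlist are this example's assumptions, and the input is the set of URL strings from the table.

```python
"""Collapse memory-carved URL strings to registered hosts for IOC triage.

Added example, not Joe Sandbox code. CARVED holds the 36 distinct URL strings
from the table above; characters after a real URL ("wD", "Rln(", "slntz") are
neighbouring memory that was carved with the string. The public-suffix list and
the font-foundry allowlist are this example's assumptions: production code
would use the full public suffix list and an analyst-maintained allowlist.
"""
import re
from collections import Counter

CARVED = """
http://www.sajatypeworks.comwD http://www.jiyu-kobo.co.jp/V http://www.founder.com.cn/cn/bThe
http://www.sajatypeworks.comuctYK http://www.jiyu-kobo.co.jp/Q http://www.sajatypeworks.comn-u
http://www.tiro.com http://www.goodfont.co.kr http://www.jiyu-kobo.co.jp/jp/
http://www.sajatypeworks.comRln( http://www.carterandcone.coml http://www.founder.com.cn/cnE
http://www.sajatypeworks.com http://www.founder.com.cn/cn/ http://www.typography.netD
http://www.founder.com.cn/cn/cThe http://www.founder.com.cn/cnn http://fontfabrik.com
http://www.founder.com.cn/cn http://www.tiro.comV http://www.jiyu-kobo.co.jp/es-m
http://www.jiyu-kobo.co.jp/Y0/ http://www.typography.net http://www.jiyu-kobo.co.jp/o
http://www.jiyu-kobo.co.jp/ http://www.jiyu-kobo.co.jp/. http://www.tiro.comslntz
http://www.sandoll.co.kr http://www.typography.net0 http://www.jiyu-kobo.co.jp/d
http://www.zhongyicts.com.cn http://www.typography.netntQG http://www.sakkal.com
http://www.founder.com.cn/cn/m http://www.founder.com.cn/cnd http://www.jiyu-kobo.co.jp/Y0-s
""".split()

# Assumption: a minimal public-suffix list that covers the strings above. Multi-label
# suffixes come first so that "founder.com.cn" is not cut down to "founder.com".
SUFFIXES = ("com.cn", "co.jp", "co.kr", "com", "net")
HOST_RE = re.compile(
    r"^https?://((?:[a-z0-9-]+\.)+?(?:%s))" % "|".join(map(re.escape, SUFFIXES)), re.I)

# Assumption: analyst-maintained allowlist of font-foundry sites, the kind of
# vendor URL found in the 'name' table of the fonts enumerated earlier.
FONT_FOUNDRIES = {
    "sajatypeworks.com", "jiyu-kobo.co.jp", "founder.com.cn", "tiro.com", "goodfont.co.kr",
    "carterandcone.com", "typography.net", "fontfabrik.com", "sandoll.co.kr",
    "zhongyicts.com.cn", "sakkal.com",
}


def registered_host(url: str):
    """Return the registered domain of a carved URL, or None if it is not a URL.

    The lazy label match stops at the first label that is followed by a known
    suffix, so whatever bytes trail the suffix ("comwD", "netntQG") are dropped.
    """
    m = HOST_RE.match(url)
    if not m:
        return None
    host = m.group(1).lower()
    return host[4:] if host.startswith("www.") else host


def collapse(urls) -> Counter:
    """Count carved variants per registered host."""
    return Counter(h for h in map(registered_host, urls) if h)


def unexplained(urls) -> list:
    """Hosts the allowlist does not account for; these are the ones worth analyst time."""
    return sorted(h for h in collapse(urls) if h not in FONT_FOUNDRIES)


if __name__ == "__main__":
    for host, n in collapse(CARVED).most_common():
        print(f"{n:2d}  {host}")
    print("unexplained:", unexplained(CARVED) or "none")
```

Collapsing to the registered domain rather than the full path is deliberate: the paths in carved strings ("/cn/bThe", "/Y0-s") are as likely to be adjacent memory as real resources, so per-host counts are the only stable signal this data offers.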

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.979416451.00000000038FB000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
Strings:
  • 0x11f81d: $x1: NanoCore.ClientPluginHost
  • 0x11f85a: $x2: IClientNetworkHost
  • 0x12338d: $x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.979416451.00000000038FB000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.979416451.00000000038FB000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x11f585: $a: NanoCore
  • 0x11f595: $a: NanoCore
  • 0x11f7c9: $a: NanoCore
  • 0x11f7dd: $a: NanoCore
  • 0x11f81d: $a: NanoCore
  • 0x11f5e4: $b: ClientPlugin
  • 0x11f7e6: $b: ClientPlugin
  • 0x11f826: $b: ClientPlugin
  • 0x7463a: $c: ProjectData
  • 0x11f70b: $c: ProjectData
  • 0x120112: $d: DESCrypto
  • 0x127ade: $e: KeepAlive
  • 0x125acc: $g: LogClientMessage
  • 0x121cc7: $i: get_Connected
  • 0x120448: $j: #=q
  • 0x120478: $j: #=q
  • 0x120494: $j: #=q
  • 0x1204c4: $j: #=q
  • 0x1204e0: $j: #=q
  • 0x1204fc: $j: #=q
  • 0x12052c: $j: #=q
The rules match only this memory dump and not the initial sample, i.e. the NanoCore strings are present only after the sample has run. Note that $x1 of Nanocore_RAT_Gen_2 and $a of the NanoCore rule hit at the same offset (0x11f81d): "NanoCore" is a substring of "NanoCore.ClientPluginHost", and the offsets are relative to the start of the dump.
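To see how string hits of this kind turn into a verdict, here is an added Python example (not Joe Sandbox code and not the published rules) that searches a memory region for the same strings, reports offset and virtual address the way the table does, and applies approximate conditions. The rule conditions, the region base derived from the .sdmp file name and the contents of the constructed dump are all this example's assumptions.

```python
"""Re-run the string part of the NanoCore YARA matches listed above over a memory dump.

Added example; not Joe Sandbox code and not the published rules. The strings
are the ones the report shows matching for Nanocore_RAT_Gen_2 (Florian Roth)
and NanoCore (Kevin Breen); the two rule *conditions* below are this example's
own approximations, not the authors' conditions. The dump is a constructed
stand-in for 00000001.00000002.979416451.00000000038FB000.00000004.00000001.sdmp,
laid out like a .NET #Strings heap (NUL-separated names), and REGION_BASE
assumes that the fourth field of that file name is the region's base address.
"""
import re

REGION_BASE = 0x38FB000  # assumption, see module docstring

GEN2_STRINGS = {
    "x1": b"NanoCore.ClientPluginHost",
    "x2": b"IClientNetworkHost",
    "x3": b"#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe",
}
BREEN_STRINGS = {
    "a": b"NanoCore", "b": b"ClientPlugin", "c": b"ProjectData", "d": b"DESCrypto",
    "e": b"KeepAlive", "g": b"LogClientMessage", "i": b"get_Connected", "j": b"#=q",
}


def scan(buf: bytes) -> dict:
    """Map each string tag to the list of offsets at which it occurs in buf.

    Overlaps are reported the way YARA reports them: "NanoCore" ($a) and
    "ClientPlugin" ($b) both hit inside "NanoCore.ClientPluginHost" ($x1),
    which is why the report shows $x1 and $a at the same offset 0x11f81d.
    """
    hits = {}
    for tag, needle in {**GEN2_STRINGS, **BREEN_STRINGS}.items():
        offs = [m.start() for m in re.finditer(re.escape(needle), buf)]
        if offs:
            hits[tag] = offs
    return hits


def matches_gen2(hits: dict) -> bool:
    """Approximation: any one of the high-confidence $x strings is enough."""
    return any(tag in hits for tag in GEN2_STRINGS)


def matches_breen(hits: dict, threshold: int = 6) -> bool:
    """Approximation: at least `threshold` distinct lower-confidence strings."""
    return sum(tag in hits for tag in BREEN_STRINGS) >= threshold


def describe(buf: bytes) -> list:
    """Lines in the report's style: dump offset, virtual address, string tag."""
    return [f"0x{off:x} (VA 0x{REGION_BASE + off:x}): ${tag}"
            for tag, offs in sorted(scan(buf).items()) for off in offs]


def constructed_dump() -> bytes:
    """Constructed stand-in for the real .sdmp: a #Strings-like heap after 64 bytes of padding."""
    names = [
        b"ProjectData", b"NanoCore.ClientPluginHost", b"IClientNetworkHost",
        b"ClientPlugin", b"DESCrypto", b"KeepAlive", b"LogClientMessage", b"get_Connected",
        b"#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe",
        b"#=qAbCd", b"#=qEfGh",  # further obfuscator-renamed members, constructed
    ]
    return b"\x00" * 0x40 + b"\x00".join(names) + b"\x00"


if __name__ == "__main__":
    dump = constructed_dump()
    hits = scan(dump)
    print("\n".join(describe(dump)))
    print("Nanocore_RAT_Gen_2 (approx):", matches_gen2(hits))
    print("NanoCore / Breen (approx):", matches_breen(hits))
```

Running this on the real dump would be a matter of replacing constructed_dump() with open(path, "rb").read(); for production scanning use the yara library and the authors' rules directly, since their conditions (file size, header checks, string counts) are what make the detections precise.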

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

(Screenshot thumbnails not reproduced.)