
Analysis Report dokumentera.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 219753
Start date: 02.04.2020
Start time: 14:01:42
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 32s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: dokumentera.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/5@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 1.3% (good quality ratio 1.1%)
  • Quality average: 84.7%
  • Quality standard deviation: 31.8%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 372
  • Number of non-executed functions: 7
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Nanocore
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Techniques are listed per tactic; a number in parentheses is the signature-hit badge the matrix attaches to a technique matched by this sample, techniques without a number were not observed.

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise
Execution: Windows Management Instrumentation (1), Scheduled Task (1), Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting, Third-party Software, Rundll32
Persistence: Hidden Files and Directories (1), Scheduled Task (1), Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts, DLL Search Order Hijacking
Privilege Escalation: Access Token Manipulation (1), Process Injection (12), Scheduled Task (1), DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task, Process Injection, Service Registry Permissions Weakness
Defense Evasion: Masquerading (1), Hidden Files and Directories (1), Software Packing (13), Disabling Security Tools (1), Virtualization/Sandbox Evasion (13), Access Token Manipulation (1), Process Injection (12), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2)
Credential Access: Input Capture (11), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History, Input Prompt
Discovery: Virtualization/Sandbox Evasion (13), Process Discovery (2), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1), Security Software Discovery (311), File and Directory Discovery (1), System Information Discovery (13), System Network Connections Discovery
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol, Windows Admin Shares
Collection: Input Capture (11), Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data, Automated Collection
Exfiltration: Data Encrypted (11), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium
Command and Control: Standard Cryptographic Protocol (1), Commonly Used Port (1), Remote Access Tools (1), Multiband Communication, Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol, Multilayer Encryption
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\aKrtWHyRehAOaq.exe | Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Roaming\aKrtWHyRehAOaq.exe | ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: dokumentera.exe | Virustotal: Detection: 36%
Source: dokumentera.exe | ReversingLabs: Detection: 45%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000002.1172306059.0000000005900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1170587891.0000000004087000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1164652989.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.767581244.000000000396B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 936, type: MEMORY
Source: Yara match | File source: Process Memory Space: dokumentera.exe PID: 4208, type: MEMORY
Source: Yara match | File source: 4.2.MSBuild.exe.5900000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MSBuild.exe.5900000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 172.111.188.199 (21 identical entries)
Urls found in memory or binary data
Source: dokumentera.exe, 00000000.00000003.742704202.0000000004DFE000.00000004.00000001.sdmp, dokumentera.exe, 00000000.00000002.771103189.0000000005ED2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: dokumentera.exe, 00000000.00000002.771103189.0000000005ED2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: dokumentera.exe, 00000000.00000002.771103189.0000000005ED2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: dokumentera.exe, 00000000.00000003.742185674.0000000004DFE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: dokumentera.exe, 00000000.00000003.745777587.0000000004DC3000.00000004.00000001.sdmp, dokumentera.exe, 00000000.00000003.745745272.0000000004DC5000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: dokumentera.exe, 00000000.00000003.746173148.0000000004DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: dokumentera.exe, 00000000.00000002.771103189.0000000005ED2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dokumentera.exe, 00000000.00000002.771103189.0000000005ED2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dokumentera.exe, 00000000.00000003.747391012.0000000004DC3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnp
Source: dokumentera.exe, 00000000.00000003.744656477.0000000004DFE000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: dokumentera.exe, 00000000.00000003.744656477.0000000004DFE000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krL
Source: dokumentera.exe, 00000000.00000003.748865844.0000000004DC9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dokumentera.exe, 00000000.00000003.748865844.0000000004DC9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: dokumentera.exe, 00000000.00000003.748865844.0000000004DC9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: dokumentera.exe, 00000000.00000003.748865844.0000000004DC9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: dokumentera.exe, 00000000.00000003.748865844.0000000004DC9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: dokumentera.exe, 00000000.00000003.748865844.0000000004DC9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/m
Source: dokumentera.exe, 00000000.00000003.748865844.0000000004DC9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: dokumentera.exe, 00000000.00000003.741750515.0000000000BAB000.00000004.00000001.sdmp, dokumentera.exe, 00000000.00000002.771103189.0000000005ED2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: dokumentera.exe, 00000000.00000003.741750515.0000000000BAB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.compor
Source: dokumentera.exe, 00000000.00000002.771103189.0000000005ED2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: dokumentera.exe, 00000000.00000003.744656477.0000000004DFE000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: dokumentera.exe, 00000000.00000003.744656477.0000000004DFE000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kro.kr
Source: dokumentera.exe, 00000000.00000002.771103189.0000000005ED2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: dokumentera.exe, 00000000.00000003.747391012.0000000004DC3000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comI
Source: dokumentera.exe, 00000000.00000003.747391012.0000000004DC3000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comic
Source: dokumentera.exe, 00000000.00000003.742716782.0000000000BAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.net
Source: dokumentera.exe, 00000000.00000003.742716782.0000000000BAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.net-br
Source: dokumentera.exe, 00000000.00000003.742716782.0000000000BAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.net-us
Source: dokumentera.exe, 00000000.00000002.771103189.0000000005ED2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: dokumentera.exe, 00000000.00000002.771103189.0000000005ED2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: MSBuild.exe, 00000004.00000002.1172306059.0000000005900000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000002.1172306059.0000000005900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1170587891.0000000004087000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1164652989.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.767581244.000000000396B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 936, type: MEMORY
Source: Yara match | File source: Process Memory Space: dokumentera.exe PID: 4208, type: MEMORY
Source: Yara match | File source: 4.2.MSBuild.exe.5900000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MSBuild.exe.5900000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.1172306059.0000000005900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.1170587891.0000000004087000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.1172154043.0000000005550000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.1164652989.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.1164652989.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.767581244.000000000396B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.767581244.000000000396B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 936, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 936, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dokumentera.exe PID: 4208, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dokumentera.exe PID: 4208, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.MSBuild.exe.5550000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.MSBuild.exe.5900000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.MSBuild.exe.5900000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Contains functionality to call native functions
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04D532AA NtQuerySystemInformation
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04D53270 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_05231642 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_05231607 NtQuerySystemInformation
Detected potential crypto function
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04A26FAF
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04A24CE0
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04A23AE8
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04A200E8
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04A24FF8
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04A240A9
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04A280B8
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04A23B8A
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04A24D98
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04A200D9
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04A28160
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_011D2478
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_011E7AC6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_02CE2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_02CE23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_02CE3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_02CE8468
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_02CE9068
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_02CEAD38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_02CE306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_02CE912F
Sample file is different than original file name gathered from version infoShow sources
Source: dokumentera.exe, 00000000.00000002.761755359.00000000002B2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameyiVABopRrUTkZsAcmoX.exe6 vs dokumentera.exe
Source: dokumentera.exe, 00000000.00000002.772441992.0000000007C30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs dokumentera.exe
Source: dokumentera.exe, 00000000.00000002.773948092.0000000008A60000.00000002.00000001.sdmpBinary or memory string: originalfilename vs dokumentera.exe
Source: dokumentera.exe, 00000000.00000002.773948092.0000000008A60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs dokumentera.exe
Source: dokumentera.exe, 00000000.00000002.773449591.0000000008960000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs dokumentera.exe
Source: dokumentera.exe, 00000000.00000002.767581244.000000000396B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameReZer0V2.exe. vs dokumentera.exe
Source: dokumentera.exe, 00000000.00000002.769176642.0000000004D90000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDefender Protect.dllB vs dokumentera.exe
Source: dokumentera.exeBinary or memory string: OriginalFilenameyiVABopRrUTkZsAcmoX.exe6 vs dokumentera.exe
Yara signature matchShow sources
Source: 00000004.00000002.1172306059.0000000005900000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.1172306059.0000000005900000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.1170587891.0000000004087000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.1172154043.0000000005550000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.1172154043.0000000005550000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.1164652989.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.1164652989.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.767581244.000000000396B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.767581244.000000000396B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 936, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 936, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dokumentera.exe PID: 4208, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dokumentera.exe PID: 4208, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.MSBuild.exe.5550000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.MSBuild.exe.5550000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MSBuild.exe.5900000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.MSBuild.exe.5900000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MSBuild.exe.5900000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.MSBuild.exe.5900000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)Show sources
Source: dokumentera.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: aKrtWHyRehAOaq.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.NET source code contains calls to encryption/decryption functionsShow sources
Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
Binary contains paths to development resourcesShow sources
Source: dokumentera.exe, 00000000.00000003.746120952.0000000004DFE000.00000004.00000001.sdmpBinary or memory string: =MS Gothic is a trademark of the Microsoft group of companies.slnt
Classification labelShow sources
Source: classification engineClassification label: mal100.troj.evad.winEXE@6/5@0/1
Contains functionality to adjust token privileges (e.g. debug / backup)Show sources
Source: C:\Users\user\Desktop\dokumentera.exeCode function: 0_2_04D531DA AdjustTokenPrivileges,0_2_04D531DA
Source: C:\Users\user\Desktop\dokumentera.exeCode function: 0_2_04D531A3 AdjustTokenPrivileges,0_2_04D531A3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 4_2_05231402 AdjustTokenPrivileges,4_2_05231402
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 4_2_052313CB AdjustTokenPrivileges,4_2_052313CB
Creates files inside the user directoryShow sources
Source: C:\Users\user\Desktop\dokumentera.exeFile created: C:\Users\user\AppData\Roaming\aKrtWHyRehAOaq.exeJump to behavior
Creates mutexesShow sources
Source: C:\Users\user\Desktop\dokumentera.exeMutant created: \Sessions\1\BaseNamedObjects\fujKOAmTtL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4956:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{bbf44dff-1887-4166-9696-1524dee5426a}
Creates temporary filesShow sources
Source: C:\Users\user\Desktop\dokumentera.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1D19.tmpJump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: dokumentera.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\dokumentera.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\dokumentera.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\dokumentera.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Users\user\Desktop\dokumentera.exe; File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\dokumentera.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: dokumentera.exe; Virustotal: Detection: 36%
Source: dokumentera.exe; ReversingLabs: Detection: 45%
Sample reads its own file content
Source: C:\Users\user\Desktop\dokumentera.exe; File read: C:\Users\user\Desktop\dokumentera.exe
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\dokumentera.exe 'C:\Users\user\Desktop\dokumentera.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aKrtWHyRehAOaq' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D19.tmp'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
Source: C:\Users\user\Desktop\dokumentera.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aKrtWHyRehAOaq' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D19.tmp'
Source: C:\Users\user\Desktop\dokumentera.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\dokumentera.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\dokumentera.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
PE file contains a COM descriptor data directory
Source: dokumentera.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\dokumentera.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: dokumentera.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: indows\MSBuild.pdbpdbild.pdbc source: MSBuild.exe, 00000004.00000002.1167567343.0000000002CF0000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.1167567343.0000000002CF0000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb source: dokumentera.exe, 00000000.00000002.769176642.0000000004D90000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.1167567343.0000000002CF0000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\MSBuild.pdb\ source: MSBuild.exe, 00000004.00000002.1167567343.0000000002CF0000.00000004.00000040.sdmp
Source: Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.1167567343.0000000002CF0000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: dokumentera.exe, 00000000.00000002.772441992.0000000007C30000.00000002.00000001.sdmp, MSBuild.exe, 00000004.00000002.1171870268.0000000005490000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.1167567343.0000000002CF0000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: aKrtWHyRehAOaq.exe.0.dr, u0005u2004.cs; .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.dokumentera.exe.250000.0.unpack, u0005u2004.cs; .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.dokumentera.exe.250000.0.unpack, u0005u2004.cs; .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs; .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs; .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 0_2_0025F99C push cs; ret 0_2_0025F99D
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 0_2_0025F419 push cs; ret 0_2_0025F41A
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 0_2_0025F6FA push cs; ret 0_2_0025F6FB
Source: C:\Users\user\Desktop\dokumentera.exe; Code function: 0_2_00B675CE pushfd ; ret 0_2_00B675D5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Code function: 4_2_011E9D38 pushad ; retf 4_2_011E9D39
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Code function: 4_2_011E9D34 push eax; retf 4_2_011E9D35
Binary may include packed or encrypted code
Source: initial sample; Static PE information: section name: .text entropy: 7.91855675435
.NET source code contains many randomly named methods
Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs; High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs; High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\dokumentera.exe; File created: C:\Users\user\AppData\Roaming\aKrtWHyRehAOaq.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aKrtWHyRehAOaq' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D19.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | delete
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\dokumentera.exe; Process information set: NOOPENFILEERRORBOX (37 identical events)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Process information set: NOOPENFILEERRORBOX (37 identical events)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match; File source: Process Memory Space: dokumentera.exe PID: 4208, type: MEMORY
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\dokumentera.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLLD
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAMED
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\dokumentera.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\dokumentera.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\dokumentera.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\dokumentera.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\dokumentera.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\dokumentera.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Window / User API: threadDelayed 991
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Window / User API: threadDelayed 618
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Window / User API: foregroundWindowGot 878
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\dokumentera.exe TID: 480; Thread sleep time: -65000s >= -30000s
Source: C:\Users\user\Desktop\dokumentera.exe TID: 704; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4784; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4784; Thread sleep count: 68 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4784; Thread sleep count: 991 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5080; Thread sleep count: 618 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4784; Thread sleep count: 138 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4508; Thread sleep time: -160000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Contains functionality to query system information
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Code function: 4_2_0523112A GetSystemInfo,4_2_0523112A
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: Ki87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: QEMUP
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: Ki&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MSBuild.exe, 00000004.00000002.1172817857.0000000006200000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: Ki#"SOFTWARE\VMware, Inc.\VMware ToolsP
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: vmware
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: KiA"SOFTWARE\VMware, Inc.\VMware Tools
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: vmwareD
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA IID
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: 9Ki"SOFTWARE\VMware, Inc.\VMware ToolsD
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: VMWARE
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: VMWARED
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: Ki"SOFTWARE\VMware, Inc.\VMware Tools
Source: MSBuild.exe, 00000004.00000002.1172817857.0000000006200000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000004.00000002.1172817857.0000000006200000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: Ki%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: 9Ki%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\D
Source: dokumentera.exe, 00000000.00000002.765252332.0000000002880000.00000004.00000001.sdmp; Binary or memory string: QEMUD
Source: MSBuild.exe, 00000004.00000002.1172817857.0000000006200000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\Desktop\dokumentera.exe; Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\dokumentera.exe; Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\dokumentera.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\dokumentera.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aKrtWHyRehAOaq' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D19.tmp'
Source: C:\Users\user\Desktop\dokumentera.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe {path}
May try to detect the Windows Explorer process (often used for injection)
Source: MSBuild.exe, 00000004.00000002.1170198151.00000000033AD000.00000004.00000001.sdmp; Binary or memory string: Program Manager
Source: MSBuild.exe, 00000004.00000002.1165840168.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000004.00000002.1165840168.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: MSBuild.exe, 00000004.00000002.1165840168.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: hProgram ManagerWE
Source: MSBuild.exe, 00000004.00000002.1165840168.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: MSBuild.exe, 00000004.00000003.768058450.0000000000F34000.00000004.00000001.sdmp; Binary or memory string: Program Managerw.0.app.0.378734a

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\dokumentera.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\dokumentera.exe | Code function: 0_2_04D51A7E GetUserNameA | 0_2_04D51A7E
Queries the cryptographic machine GUID
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000002.1172306059.0000000005900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1170587891.0000000004087000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1164652989.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.767581244.000000000396B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 936, type: MEMORY
Source: Yara match | File source: Process Memory Space: dokumentera.exe PID: 4208, type: MEMORY
Source: Yara match | File source: 4.2.MSBuild.exe.5900000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MSBuild.exe.5900000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: dokumentera.exe, 00000000.00000002.767581244.000000000396B000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000004.00000002.1172306059.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000004.00000002.1170587891.0000000004087000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000002.1172306059.0000000005900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1170587891.0000000004087000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1164652989.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.767581244.000000000396B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 936, type: MEMORY
Source: Yara match | File source: Process Memory Space: dokumentera.exe PID: 4208, type: MEMORY
Source: Yara match | File source: 4.2.MSBuild.exe.5900000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MSBuild.exe.5900000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_05232792 bind | 4_2_05232792
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 4_2_0523275F bind | 4_2_0523275F

Malware Configuration

No configs have been found

Behavior Graph
