Windows
Analysis Report
Kor-1.3.5.0-Setup.exe
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
18 | 0 - 100 | false | 0%
Compliance
Score | Range
---|---
51 | 0 - 100
Signatures
Yara detected Generic Downloader
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Classification
Analysis Advice
- Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
- Sample is looking for USB drives; launch the sample with the USB Fake Disk cookbook
- Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
- Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (it is possible that the command line switches require additional characters like "-", "/" or "--")
- Sample searches for specific files; try pointing organization-specific fake files at the analysis machine
- System is w10x64
- Kor-1.3.5.0-Setup.exe (PID: 6372 cmdline: "C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe" MD5: D3ABB41627AB98B5F1B28F407CDEE216)
  - Kor-1.3.5.0-Setup.exe (PID: 6420 cmdline: "C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe" -burn.unelevated BurnPipe.{4C76BB18-D643-46AC-B29F-8C96F4C6DDC8} {498B697F-8CEA-4946-9F22-28FC8D89DBCC} 6372 MD5: D3ABB41627AB98B5F1B28F407CDEE216)
- SrTasks.exe (PID: 6888 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)
  - conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- msiexec.exe (PID: 3272 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  - msiexec.exe (PID: 3328 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 701DD997AD27E1C9A69425AFC0186725 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- Kor-1.3.5.0-Setup.exe (PID: 4336 cmdline: "C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe" /burn.runonce MD5: 7B7B364E58E38D520DF57780E27C55F4)
  - Kor-1.3.5.0-Setup.exe (PID: 6164 cmdline: "C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe" /burn.log.append "C:\Users\user\AppData\Local\Temp\Kor_20240423082129.log" MD5: 7B7B364E58E38D520DF57780E27C55F4)
- cleanup
No configs have been found
Yara rules
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Sigma rules
Sigma rule matched: Wow6432Node CurrentVersion Autorun Keys Modification (see Signatures). Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
No Snort rule has matched
Code functions referenced by the signature results (source column not captured)
Source | Code function
---|---
 | 0_2_00995A3A
 | 0_2_009B6BF7
 | 0_2_00994CBD
 | 0_2_00995C58
 | 0_2_00994E30
 | 12_2_00585C58
 | 12_2_00585A3A
 | 12_2_005A6BF7
 | 12_2_00584CBD
 | 12_2_00584E30
Compliance
Source | Evidence
---|---
 | Static PE information
 | Window detected