ScreenShot
| Created | 2023.05.02 07:40 | Machine | s1_win7_x6403 |
| Filename | Korsakoff.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 6 detected (susgen) | ||
| md5 | d03d1839ba1d7c4c5a1941d8e3fb35eb | ||
| sha256 | 796ba530098b895341962be8f2c0de6acc18a3edcc5ed9dd2fac7867c0047fe1 | ||
| ssdeep | 3072:xWBwnf9pn1IDouc+TiX9SHOjfaaR1clwr1w/IRkDgdyV:+oLOTFQfaa3cE1w2Ug | ||
| imphash | d368098002d24bb51fe91ae21666133a | ||
| impfuzzy | 96:O8vz7yLHlZbanr5r28IPfpmOFh8uEpEI6iV98G9uGKfjKeV:a+598muTfjKeV | ||
Network IP location
Signature (16cnts)
| Level | Description |
|---|---|
| warning | Disables Windows Security features |
| watch | Checks for the presence of known windows from debuggers and forensic tools |
| watch | Creates a suspicious Powershell process |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | File has been identified by 6 AntiVirus engines on VirusTotal as malicious |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | PowerShell | PowerShell script | scripts |
Network (0cnts) ?
| Request | CC | ASN Co | IP4 | Rule ? | ZERO ? |
|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x140005018 WriteFile
0x140005020 CloseHandle
0x140005028 GetLastError
0x140005030 Sleep
0x140005038 GetCurrentProcess
0x140005040 CreateProcessW
0x140005048 GetModuleFileNameW
0x140005050 CreateFileA
0x140005058 AllocConsole
0x140005060 IsDebuggerPresent
0x140005068 InitializeSListHead
0x140005070 GetSystemTimeAsFileTime
0x140005078 GetCurrentThreadId
0x140005080 GetCurrentProcessId
0x140005088 QueryPerformanceCounter
0x140005090 ExpandEnvironmentStringsW
0x140005098 CopyFileA
0x1400050a0 ExpandEnvironmentStringsA
0x1400050a8 IsProcessorFeaturePresent
0x1400050b0 TerminateProcess
0x1400050b8 SetUnhandledExceptionFilter
0x1400050c0 UnhandledExceptionFilter
0x1400050c8 RtlVirtualUnwind
0x1400050d0 RtlLookupFunctionEntry
0x1400050d8 RtlCaptureContext
0x1400050e0 GetModuleHandleW
USER32.dll
0x140005200 FindWindowA
0x140005208 MessageBoxA
0x140005210 ShowWindow
SHELL32.dll
0x1400051f0 ShellExecuteExA
ADVAPI32.dll
0x140005000 OpenProcessToken
0x140005008 GetTokenInformation
MSVCP140.dll
0x1400050f0 ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
0x1400050f8 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
0x140005100 ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
0x140005108 ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
0x140005110 ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
0x140005118 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
0x140005120 ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
0x140005128 ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
0x140005130 ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
0x140005138 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
0x140005140 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
0x140005148 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
0x140005150 ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
0x140005158 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
0x140005160 ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
0x140005168 ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
0x140005170 ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
0x140005178 ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
0x140005180 ?id@?$ctype@_W@std@@2V0locale@2@A
0x140005188 ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
0x140005190 ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
0x140005198 ?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
0x1400051a0 ??Bid@locale@std@@QEAA_KXZ
0x1400051a8 ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
0x1400051b0 ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
0x1400051b8 ?_Xout_of_range@std@@YAXPEBD@Z
0x1400051c0 ?_Xlength_error@std@@YAXPEBD@Z
0x1400051c8 ?uncaught_exception@std@@YA_NXZ
0x1400051d0 ??1_Lockit@std@@QEAA@XZ
0x1400051d8 ??0_Lockit@std@@QEAA@H@Z
0x1400051e0 ?widen@?$ctype@_W@std@@QEBA_WD@Z
WININET.dll
0x140005280 InternetCloseHandle
0x140005288 InternetOpenUrlA
0x140005290 InternetReadFile
0x140005298 InternetOpenA
VCRUNTIME140.dll
0x140005220 memmove
0x140005228 memcpy
0x140005230 __std_exception_copy
0x140005238 __std_terminate
0x140005240 __C_specific_handler
0x140005248 memset
0x140005250 memcmp
0x140005258 __std_exception_destroy
0x140005260 __CxxFrameHandler3
0x140005268 memchr
0x140005270 _CxxThrowException
api-ms-win-crt-runtime-l1-1-0.dll
0x140005300 __p___argv
0x140005308 _initialize_onexit_table
0x140005310 _register_onexit_function
0x140005318 _c_exit
0x140005320 __p___argc
0x140005328 terminate
0x140005330 _configure_narrow_argv
0x140005338 _initialize_narrow_environment
0x140005340 _get_initial_narrow_environment
0x140005348 _initterm
0x140005350 _cexit
0x140005358 _register_thread_local_exe_atexit_callback
0x140005360 _crt_atexit
0x140005368 _seh_filter_exe
0x140005370 _exit
0x140005378 _initterm_e
0x140005380 system
0x140005388 exit
0x140005390 _invalid_parameter_noinfo_noreturn
0x140005398 _set_app_type
api-ms-win-crt-stdio-l1-1-0.dll
0x1400053a8 __p__commode
0x1400053b0 __stdio_common_vfprintf
0x1400053b8 _set_fmode
0x1400053c0 __acrt_iob_func
api-ms-win-crt-convert-l1-1-0.dll
0x1400052a8 wcstombs
api-ms-win-crt-string-l1-1-0.dll
0x1400053d0 strcpy_s
api-ms-win-crt-heap-l1-1-0.dll
0x1400052b8 free
0x1400052c0 _callnewh
0x1400052c8 malloc
0x1400052d0 _set_new_mode
api-ms-win-crt-math-l1-1-0.dll
0x1400052f0 __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll
0x1400052e0 _configthreadlocale
EAT(Export Address Table) is none
KERNEL32.dll
0x140005018 WriteFile
0x140005020 CloseHandle
0x140005028 GetLastError
0x140005030 Sleep
0x140005038 GetCurrentProcess
0x140005040 CreateProcessW
0x140005048 GetModuleFileNameW
0x140005050 CreateFileA
0x140005058 AllocConsole
0x140005060 IsDebuggerPresent
0x140005068 InitializeSListHead
0x140005070 GetSystemTimeAsFileTime
0x140005078 GetCurrentThreadId
0x140005080 GetCurrentProcessId
0x140005088 QueryPerformanceCounter
0x140005090 ExpandEnvironmentStringsW
0x140005098 CopyFileA
0x1400050a0 ExpandEnvironmentStringsA
0x1400050a8 IsProcessorFeaturePresent
0x1400050b0 TerminateProcess
0x1400050b8 SetUnhandledExceptionFilter
0x1400050c0 UnhandledExceptionFilter
0x1400050c8 RtlVirtualUnwind
0x1400050d0 RtlLookupFunctionEntry
0x1400050d8 RtlCaptureContext
0x1400050e0 GetModuleHandleW
USER32.dll
0x140005200 FindWindowA
0x140005208 MessageBoxA
0x140005210 ShowWindow
SHELL32.dll
0x1400051f0 ShellExecuteExA
ADVAPI32.dll
0x140005000 OpenProcessToken
0x140005008 GetTokenInformation
MSVCP140.dll
0x1400050f0 ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
0x1400050f8 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
0x140005100 ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
0x140005108 ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
0x140005110 ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
0x140005118 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
0x140005120 ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
0x140005128 ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
0x140005130 ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
0x140005138 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
0x140005140 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
0x140005148 ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
0x140005150 ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
0x140005158 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
0x140005160 ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
0x140005168 ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
0x140005170 ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
0x140005178 ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
0x140005180 ?id@?$ctype@_W@std@@2V0locale@2@A
0x140005188 ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
0x140005190 ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
0x140005198 ?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
0x1400051a0 ??Bid@locale@std@@QEAA_KXZ
0x1400051a8 ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
0x1400051b0 ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
0x1400051b8 ?_Xout_of_range@std@@YAXPEBD@Z
0x1400051c0 ?_Xlength_error@std@@YAXPEBD@Z
0x1400051c8 ?uncaught_exception@std@@YA_NXZ
0x1400051d0 ??1_Lockit@std@@QEAA@XZ
0x1400051d8 ??0_Lockit@std@@QEAA@H@Z
0x1400051e0 ?widen@?$ctype@_W@std@@QEBA_WD@Z
WININET.dll
0x140005280 InternetCloseHandle
0x140005288 InternetOpenUrlA
0x140005290 InternetReadFile
0x140005298 InternetOpenA
VCRUNTIME140.dll
0x140005220 memmove
0x140005228 memcpy
0x140005230 __std_exception_copy
0x140005238 __std_terminate
0x140005240 __C_specific_handler
0x140005248 memset
0x140005250 memcmp
0x140005258 __std_exception_destroy
0x140005260 __CxxFrameHandler3
0x140005268 memchr
0x140005270 _CxxThrowException
api-ms-win-crt-runtime-l1-1-0.dll
0x140005300 __p___argv
0x140005308 _initialize_onexit_table
0x140005310 _register_onexit_function
0x140005318 _c_exit
0x140005320 __p___argc
0x140005328 terminate
0x140005330 _configure_narrow_argv
0x140005338 _initialize_narrow_environment
0x140005340 _get_initial_narrow_environment
0x140005348 _initterm
0x140005350 _cexit
0x140005358 _register_thread_local_exe_atexit_callback
0x140005360 _crt_atexit
0x140005368 _seh_filter_exe
0x140005370 _exit
0x140005378 _initterm_e
0x140005380 system
0x140005388 exit
0x140005390 _invalid_parameter_noinfo_noreturn
0x140005398 _set_app_type
api-ms-win-crt-stdio-l1-1-0.dll
0x1400053a8 __p__commode
0x1400053b0 __stdio_common_vfprintf
0x1400053b8 _set_fmode
0x1400053c0 __acrt_iob_func
api-ms-win-crt-convert-l1-1-0.dll
0x1400052a8 wcstombs
api-ms-win-crt-string-l1-1-0.dll
0x1400053d0 strcpy_s
api-ms-win-crt-heap-l1-1-0.dll
0x1400052b8 free
0x1400052c0 _callnewh
0x1400052c8 malloc
0x1400052d0 _set_new_mode
api-ms-win-crt-math-l1-1-0.dll
0x1400052f0 __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll
0x1400052e0 _configthreadlocale
EAT(Export Address Table) is none