Analysis Report for loader.exe

Comment on this report

Summary:

Description	Risk
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.

Table of Contents
expand all	collapse all
General information sample.exe C:\sample.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities services.exe C:\WINDOWS\system32\services.exe NtConnectPort(\RPC Control\ntsvcs was called. General Information a) File Activities 163305.exe C:\GHCSS\163305.exe Started by sample.exe General Information a) Registry Activities b) File Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	241 s
Report created:	01/03/09, 16:18:33 UTC
Termination reason:	Timeout
Program version:	1.67.0

	- Popups

Process	Window Name	Window Text	Screenshot	Number of Displayed Times
0		0		1
csrss.exe	sample.exe - Application Error	OK The instruction at "0x7c911669" referenced memory at "0x00000000". The memory could not be "read". Click on OK to terminate the program		1

2. sample.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	sample.exe
MD5:	34df5b9ccf4514714efc28d51d0dfb47
SHA-1:	2c35d3ff5488ffa6addd0d80dca1c4e377409657
File Size:	697856 Bytes
Command Line:	"C:\sample.exe"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.DLL	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.DLL	0x773D0000	0x00103000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\uxtheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\msctfime.ime	0x755C0000	0x0002E000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\oleaut32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\version.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\shell32.dll	0x7C9C0000	0x00817000

	- SigBuster Output

Obsidium v1.3.0.4 SN:1385

	- Ikarus Virus Scanner

Virus.Win32.Rbot (Sig-Id:436767)

2.a) sample.exe - Registry Activities

	- Registry Keys Created:

HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Obsidium

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion	RegisteredOwner	user	2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	MS Shell Dlg 2	Tahoma	4
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Microsoft\CTF\SystemShared	CUAS	0	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM	Ime File	msctfime.ime	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

2.b) sample.exe - File Activities

	- Files Created:

C:\GHCSS

C:\GHCSS\dir.txt

C:\GHCSS\ghmh.exe

	- Files Read:

C:\sample.exe

	- Files Modified:

C:\GHCSS\dir.txt

C:\GHCSS\ghmh.exe

	- Directories Created:

C:\GHCSS

	- Files Renamed:

Old Filename	New Filename
C:\GHCSS\ghmh.exe	\??\C:\GHCSS\163305.exe

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8

	- Memory Mapped Files:

File Name

C:\GHCSS\163305.exe

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\Msimtf.dll

C:\WINDOWS\system32\PSAPI.DLL

C:\WINDOWS\system32\msctfime.ime

C:\WINDOWS\system32\shell32.dll

C:\WINDOWS\system32\uxtheme.dll

C:\Windows\AppPatch\sysmain.sdb

2.c) sample.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\GHCSS\163305.exe

	- Remote Threads Created:

Affected Process

C:\GHCSS\163305.exe

	- Thread Overview:

Time	Number of threads
After 31 seconds	1

	- Foreign Memory Regions Read:

Process: C:\GHCSS\163305.exe

	- Foreign Memory Regions Written:

Process: C:\GHCSS\163305.exe

2.d) sample.exe - Other Activities

	- Mutexes Created:

CTF.Asm.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.Compart.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.LBES.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.Layouts.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.TMD.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.TimListCache.FMPDefaultS-1-5-21-1229272821-1004336348-527237240-1003MUTEX.DefaultS-1-5-21-1229272821-1004336348-527237240-1003

	- Windows SEH exceptions:

Description	Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4eb055	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4f68be	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4eb3c1	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x9e1c8e	1
Exception 0x80000003 (STATUS_BREAKPOINT) at 0x7c90120e	4
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x9e81c1	1
Exception 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) at 0x9e82d8	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ebd43	1
Exception 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) at 0x4ebf30	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x4ecc47	1
Exception 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) at 0x9eb25c	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x9eb269	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x9ebcf7	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x9ebc05	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x9ebf0a	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x9ec129	1
Exception 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) at 0x9ec240	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x9ec122	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x9ec13b	1
Exception 0x80000003 (STATUS_BREAKPOINT) at 0x9ec12e	1
Exception 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) at 0x9ec114	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x9ec121	1
Exception 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) at 0x9e98b2	18
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x9e9d41	16
Exception 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) at 0x9e9d4c	12
Exception 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) at 0x4ecd77	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x4ed34b	1
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x9e98a7	10

3. services.exe

	- General information about this executable

Analysis Reason:	NtConnectPort(\RPC Control\ntsvcs was called.
Filename:	services.exe
MD5:	0e776ed5f7cc9f94299e70461b7b8185
SHA-1:	cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf
File Size:	108544 Bytes
Command Line:	C:\WINDOWS\system32\services.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\NCObjAPI.DLL	0x5F770000	0x0000C000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\SCESRV.dll	0x7DBD0000	0x00051000
C:\WINDOWS\system32\AUTHZ.dll	0x776C0000	0x00012000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\umpnpmgr.dll	0x7DBA0000	0x00021000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcAdProc.dll	0x47260000	0x0000F000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\eventlog.dll	0x77B70000	0x00011000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\wtsapi32.dll	0x76F50000	0x00008000

3.a) services.exe - File Activities

	- Files Modified:

C:\WINDOWS\system32\config\SysEvent.Evt

4. 163305.exe

	- General information about this executable

Analysis Reason:	Started by sample.exe
Filename:	163305.exe
MD5:	1bf934873c92122382a1f587b9c4561b
SHA-1:	689fdf6ac9d6732e89d61c5ff1801b57fbc441a8
File Size:	875008 Bytes
Command Line:	C:\GHCSS\163305.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\oleaut32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\version.dll	0x77C00000	0x00008000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\shell32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\uxtheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\olepro32.dll	0x5EDD0000	0x00017000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\msctfime.ime	0x755C0000	0x0002E000

	- Popups

Window Name	Window Text	Screenshot	Number of Displayed Times
Error	OK		1

4.a) 163305.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes	MS Shell Dlg 2	Tahoma	4
HKLM\Software\Microsoft\CTF\SystemShared	CUAS	0	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM	Ime File	msctfime.ime	1

4.b) 163305.exe - File Activities

	- Memory Mapped Files: