Anubis - Analysis Report

Analysis Report for 3e4d9e5db0cc4b5177a97cf4ddc3a719.spyeyetracker


Summary:

Write to foreign memory areas (risk: high): This executable tampers with the execution of another process.
AV Hit (risk: high): This executable is detected by antivirus software.
Execution did not terminate correctly (risk: medium): The executable crashed.
Spawns Processes (risk: low): The executable creates processes during execution.


Table of Contents


1. General Information

  - Information about Anubis' invocation  
Time needed: 247 s 
Report created: 02/20/11, 11:03:11 UTC 
Termination reason: Timeout 
Program version: 1.74.3362 

2. 3e4d9e5db0.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: 3e4d9e5db0.exe 
MD5: 3e4d9e5db0cc4b5177a97cf4ddc3a719 
SHA-1: 0e945cfbd0ab11f3c93bfc2fba106c292e5a3cbd 
File Size: 565248 Bytes
Command Line: "C:\3e4d9e5db0.exe"  
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name  Base Address  Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F6000
C:\WINDOWS\system32\WININET.dll  0x771B0000  0x000AA000
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000
C:\WINDOWS\system32\CRYPT32.dll  0x77A80000  0x00095000
C:\WINDOWS\system32\MSASN1.dll  0x77B20000  0x00012000
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000
C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00049000
C:\WINDOWS\system32\OLEAUT32.dll  0x77120000  0x0008B000
C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll  0x773D0000  0x00103000

  - Ikarus Virus Scanner  
Gen.Variant.Hiloti (Sig-Id:1519891)

2.a) 3e4d9e5db0.exe - Registry Activities

  - Registry Values Read:  
Key  Name  Value  Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager  CriticalSectionTimeout  2592000
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  TransparentEnabled
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName  ComputerName  PC
HKLM\System\CurrentControlSet\Control\Terminal Server  TSUserEnabled

2.b) 3e4d9e5db0.exe - File Activities

  - Files Created:  
C:\myprocman\

  - Directories Created:  
C:\myprocman\

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\WININET.dll

2.c) 3e4d9e5db0.exe - Process Activities

  - Remote Threads Created:  
Affected Process
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe

  - Foreign Memory Regions Written:  
Process: C:\WINDOWS\explorer.exe

3. Explorer.EXE

  - General information about this executable  
Analysis Reason: 3e4d9e5db0.exe wrote to the virtual memory of this process 
Filename: Explorer.EXE 
MD5: 12896823fb95bfb3dc9b46bcaedc9923 
SHA-1: 9d2bf84874abc5b6e9a2744b7865c193c08d362f 
File Size: 1033728 Bytes
Command Line: C:\WINDOWS\Explorer.EXE 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name  Base Address  Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000
C:\WINDOWS\system32\BROWSEUI.dll  0x75F80000  0x000FD000
C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00049000
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000
C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
C:\WINDOWS\system32\OLEAUT32.dll  0x77120000  0x0008B000
C:\WINDOWS\system32\SHDOCVW.dll  0x7E290000  0x00171000
C:\WINDOWS\system32\CRYPT32.dll  0x77A80000  0x00095000
C:\WINDOWS\system32\MSASN1.dll  0x77B20000  0x00012000
C:\WINDOWS\system32\CRYPTUI.dll  0x754D0000  0x00080000
C:\WINDOWS\system32\NETAPI32.dll  0x5B860000  0x00055000
C:\WINDOWS\system32\VERSION.dll  0x77C00000  0x00008000
C:\WINDOWS\system32\WININET.dll  0x771B0000  0x000AA000
C:\WINDOWS\system32\WINTRUST.dll  0x76C30000  0x0002E000
C:\WINDOWS\system32\IMAGEHLP.dll  0x76C90000  0x00028000
C:\WINDOWS\system32\WLDAP32.dll  0x76F60000  0x0002C000
C:\WINDOWS\system32\SHELL32.dll  0x7C9C0000  0x00817000
C:\WINDOWS\system32\UxTheme.dll  0x5AD70000  0x00038000
C:\WINDOWS\system32\ShimEng.dll  0x5CB70000  0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL  0x6F880000  0x001CA000
C:\WINDOWS\system32\WINMM.dll  0x76B40000  0x0002D000
C:\WINDOWS\system32\MSACM32.dll  0x77BE0000  0x00015000
C:\WINDOWS\system32\USERENV.dll  0x769C0000  0x000B4000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll  0x773D0000  0x00103000
C:\WINDOWS\system32\comctl32.dll  0x5D090000  0x0009A000
C:\WINDOWS\system32\appHelp.dll  0x77B40000  0x00022000
C:\WINDOWS\system32\CLBCATQ.DLL  0x76FD0000  0x0007F000
C:\WINDOWS\system32\COMRes.dll  0x77050000  0x000C5000
C:\WINDOWS\System32\cscui.dll  0x77A20000  0x00054000
C:\WINDOWS\System32\CSCDLL.dll  0x76600000  0x0001D000
C:\WINDOWS\system32\themeui.dll  0x5BA60000  0x00071000
C:\WINDOWS\system32\MSIMG32.dll  0x76380000  0x00005000
C:\WINDOWS\system32\xpsp2res.dll  0x00BC0000  0x002C5000
C:\WINDOWS\system32\actxprxy.dll  0x71D40000  0x0001B000
C:\WINDOWS\system32\msutb.dll  0x5FC10000  0x00033000
C:\WINDOWS\system32\MSCTF.dll  0x74720000  0x0004C000
C:\WINDOWS\system32\urlmon.dll  0x7E1E0000  0x000A2000
C:\WINDOWS\system32\LINKINFO.dll  0x76980000  0x00008000
C:\WINDOWS\system32\ntshrui.dll  0x76990000  0x00025000
C:\WINDOWS\system32\ATL.DLL  0x76B20000  0x00011000
C:\WINDOWS\system32\WINSTA.dll  0x76360000  0x00010000
C:\WINDOWS\system32\webcheck.dll  0x74B30000  0x00046000
C:\WINDOWS\system32\WSOCK32.dll  0x71AD0000  0x00009000
C:\WINDOWS\system32\WS2_32.dll  0x71AB0000  0x00017000
C:\WINDOWS\system32\WS2HELP.dll  0x71AA0000  0x00008000
C:\WINDOWS\system32\SETUPAPI.dll  0x77920000  0x000F3000
C:\WINDOWS\system32\stobject.dll  0x76280000  0x00021000
C:\WINDOWS\system32\BatMeter.dll  0x74AF0000  0x0000A000
C:\WINDOWS\system32\POWRPROF.dll  0x74AD0000  0x00008000
C:\WINDOWS\system32\WTSAPI32.dll  0x76F50000  0x00008000
C:\WINDOWS\system32\msi.dll  0x7D1E0000  0x002BC000
C:\WINDOWS\system32\NETSHELL.dll  0x76400000  0x001A5000
C:\WINDOWS\system32\credui.dll  0x76C00000  0x0002E000
C:\WINDOWS\system32\dot3api.dll  0x478C0000  0x0000A000
C:\WINDOWS\system32\rtutils.dll  0x76E80000  0x0000E000
C:\WINDOWS\system32\dot3dlg.dll  0x736D0000  0x00006000
C:\WINDOWS\system32\OneX.DLL  0x5DCA0000  0x00028000
C:\WINDOWS\system32\eappcfg.dll  0x745B0000  0x00022000
C:\WINDOWS\system32\MSVCP60.dll  0x76080000  0x00065000
C:\WINDOWS\system32\eappprxy.dll  0x5DCD0000  0x0000E000
C:\WINDOWS\system32\iphlpapi.dll  0x76D60000  0x00019000
C:\WINDOWS\system32\SAMLIB.dll  0x71BF0000  0x00013000
C:\WINDOWS\system32\MPR.dll  0x71B20000  0x00012000
C:\WINDOWS\System32\drprov.dll  0x75F60000  0x00007000
C:\WINDOWS\System32\ntlanman.dll  0x71C10000  0x0000E000
C:\WINDOWS\System32\NETUI0.dll  0x71CD0000  0x00017000
C:\WINDOWS\System32\NETUI1.dll  0x71C90000  0x00040000
C:\WINDOWS\System32\NETRAP.dll  0x71C80000  0x00007000
C:\WINDOWS\System32\davclnt.dll  0x75F70000  0x0000A000
C:\WINDOWS\system32\browselc.dll  0x71600000  0x00012000
C:\WINDOWS\system32\MLANG.dll  0x75CF0000  0x00091000
C:\WINDOWS\system32\IMM32.dll  0x76390000  0x0001D000

3.a) Explorer.EXE - Registry Activities

  - Registry Values Read:  
Key  Name  Value  Times
HKLM\SYSTEM\WPA\MediaCenter  Installed

3.b) Explorer.EXE - File Activities

  - Files Created:  
C:\myprocman\myprocman.exe

  - Files Read:  
C:\3e4d9e5db0.exe

  - Files Modified:  
C:\myprocman\myprocman.exe

  - Memory Mapped Files:  
File Name
C:\Windows\AppPatch\sysmain.sdb
C:\myprocman\myprocman.exe

3.c) Explorer.EXE - Process Activities

  - Processes Created:  
Executable Command Line
C:\myprocman\myprocman.exe   
C:\myprocman\myprocman.exe   

  - Processes Killed:  
C:\myprocman\myprocman.exe

  - Remote Threads Created:  
Affected Process
C:\myprocman\myprocman.exe

  - Foreign Memory Regions Read:  
Process: C:\myprocman\myprocman.exe

  - Foreign Memory Regions Written:  
Process: C:\myprocman\myprocman.exe

3.d) Explorer.EXE - Other Activities

  - Keyboard Keys Monitored:  
Virtual Key Code Times
VK_LBUTTON (1)  40 

4. myprocman.exe

  - General information about this executable  
Analysis Reason: Started by Explorer.EXE 
Filename: myprocman.exe 
MD5: 3e4d9e5db0cc4b5177a97cf4ddc3a719 
SHA-1: 0e945cfbd0ab11f3c93bfc2fba106c292e5a3cbd 
File Size: 565248 Bytes
Command Line: "C:\myprocman\myprocman.exe" 
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name  Base Address  Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F6000
C:\WINDOWS\system32\WININET.dll  0x771B0000  0x000AA000
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000
C:\WINDOWS\system32\CRYPT32.dll  0x77A80000  0x00095000
C:\WINDOWS\system32\MSASN1.dll  0x77B20000  0x00012000
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000
C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00049000
C:\WINDOWS\system32\OLEAUT32.dll  0x77120000  0x0008B000
C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll  0x773D0000  0x00103000

  - Ikarus Virus Scanner  
Gen.Variant.Hiloti (Sig-Id:1519891)

4.a) myprocman.exe - Registry Activities

  - Registry Values Read:  
Key  Name  Value  Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager  CriticalSectionTimeout  2592000
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  TransparentEnabled
HKLM\System\CurrentControlSet\Control\Terminal Server  TSUserEnabled

4.b) myprocman.exe - File Activities

  - File System Control Communication:  
File Control Code Times
C:\Documents and Settings\Administrator\  0x00090028 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\WININET.dll


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org