Anubis - Analysis Report

Analysis Report for HideProc.exe


Summary:

Description                                                                                                     Risk
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.   low

Note on the rating: the summary heuristic above fires only on registry activity, and "low" does not reflect what the detailed sections record. The sample registers a service named HideProc whose binary is the kernel-mode driver C:\WINDOWS\system32\drivers\HideProc.sys (section 2.c); the Service Control Manager started it (section 3 exists only because "A service was started"), and its registry reads include SERVICES\HideProc\Enum pointing at Root\LEGACY_HIDEPROC\0000, the device node Windows creates for a started legacy (non-PnP) driver (section 3.a); the sample's own output then prompts for a PID (section 2). A user-mode launcher installing and starting a third-party kernel driver is a far more significant observation than the registry rule captures.



1. General Information

  - Information about Anubis' invocation  
Time needed: 240 s 
Report created: 10/20/09, 13:02:22 UTC 
Termination reason: Timeout 
Program version: 1.72.0 

2. HideProc.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: HideProc.exe 
MD5: be914686a2dcf37e071d046aea6641d0 
SHA-1: e6fe3197bf231a316d7e17a14fcf6d6ff6431232 
File Size: 32768 Bytes
Command Line: "C:\HideProc.exe"  
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name                           Base Address  Size
C:\WINDOWS\system32\ntdll.dll         0x7C900000    0x000AF000
C:\WINDOWS\system32\kernel32.dll      0x7C800000    0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll      0x77DD0000    0x0009B000
C:\WINDOWS\system32\RPCRT4.dll        0x77E70000    0x00092000
C:\WINDOWS\system32\Secur32.dll       0x77FE0000    0x00011000

  - Ikarus Virus Scanner  
Virus.Win32.AdWare (Sig-Id:19683252)

  - Program output  
Stdout:
OpenService failed; error: 1060
SCManager Opened.
Service Opened.
Service Started.

Operating System detected: Windows XP.
Enter PID: 

2.a) HideProc.exe - Registry Activities

  - Registry Values Read:  
Key  Name  Value  Times
HKLM\System\CurrentControlSet\Control\Terminal Server  TSAppCompat
HKLM\System\CurrentControlSet\Control\Terminal Server  TSUserEnabled

2.b) HideProc.exe - File Activities

  - File System Control Communication:  
File  Control Code  Times
C:\  0x00090028

  - Device Control Communication:  
File  Control Code  Times
\Device\KsecDD  0x00390008
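The two control codes in section 2.b are raw CTL_CODE values, and a reviewer normally wants them decoded rather than eyeballed. The decoder below is an added example written for this page, not part of Anubis or of the sample; the device-type and FSCTL tables are the small subset of winioctl.h/ntddk.h constants needed here. 0x00090028 on C:\ unpacks to FSCTL_IS_VOLUME_MOUNTED (function 10 on FILE_DEVICE_FILE_SYSTEM, METHOD_BUFFERED), a routine volume check. 0x00390008 targets FILE_DEVICE_KSEC (0x39), the kernel security support device behind \Device\KsecDD; in the editor's assessment the security DLLs the sample links (ADVAPI32, Secur32) open that device on XP as a matter of course, so this row is not by itself evidence of anything the sample does. Function 2 on that device has no name in the public SDK headers, so only its fields are decoded.

```python
"""Decode the Windows I/O control codes listed in the report's file-system and
device control tables.

Added example (editor's code, not Anubis output). A CTL_CODE packs four fields:

    bits 31..16  DeviceType      bits 15..14  RequiredAccess
    bits 13..2   Function        bits  1..0   TransferType (METHOD_*)

Codes outside the constant tables are still decoded field by field; they just
get no symbolic name.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# FILE_DEVICE_* values from ntddk.h (subset). FILE_DEVICE_KSEC is the kernel
# security support device exposed as \Device\KsecDD.
DEVICE_TYPES = {
    0x0007: "FILE_DEVICE_DISK",
    0x0009: "FILE_DEVICE_FILE_SYSTEM",
    0x0012: "FILE_DEVICE_NETWORK",
    0x0022: "FILE_DEVICE_UNKNOWN",
    0x0039: "FILE_DEVICE_KSEC",
}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Same packing as the CTL_CODE macro in winioctl.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# Public FSCTL names keyed by packed value (winioctl.h).
KNOWN_CODES = {
    ctl_code(0x0009, 10, 0, 0): "FSCTL_IS_VOLUME_MOUNTED",   # 0x00090028
    ctl_code(0x0009, 15, 0, 0): "FSCTL_GET_COMPRESSION",     # 0x0009003C
    ctl_code(0x0009, 16, 0, 3): "FSCTL_SET_COMPRESSION",     # 0x0009C040
    ctl_code(0x0009, 42, 0, 0): "FSCTL_GET_REPARSE_POINT",   # 0x000900A8
}


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    access: int
    function: int
    method: int

    @property
    def device_name(self) -> str:
        return DEVICE_TYPES.get(self.device_type, f"FILE_DEVICE_0x{self.device_type:04X}")

    @property
    def name(self) -> str | None:
        return KNOWN_CODES.get(self.code)

    def describe(self) -> str:
        sym = self.name or "(no public symbolic name)"
        return (f"0x{self.code:08X}: {sym}  device={self.device_name} "
                f"function={self.function} {METHODS[self.method]} {ACCESS[self.access]}")


def decode(code: int) -> Ioctl:
    """Unpack a 32-bit control code into its four fields."""
    return Ioctl(code=code,
                 device_type=(code >> 16) & 0xFFFF,
                 access=(code >> 14) & 0x3,
                 function=(code >> 2) & 0xFFF,
                 method=code & 0x3)


def decode_report_rows(table: str) -> list[tuple[str, Ioctl]]:
    """Parse '<target>  0x<code>' rows as printed in the control-communication tables."""
    rows = []
    for line in table.strip().splitlines():
        m = re.match(r"(\S.*?)\s+(0x[0-9A-Fa-f]{8})\s*$", line)
        if m:
            rows.append((m.group(1), decode(int(m.group(2), 16))))
    return rows


# The two rows from section 2.b of this report.
REPORT_ROWS = r"""
C:\  0x00090028
\Device\KsecDD  0x00390008
"""

if __name__ == "__main__":
    for target, ioctl in decode_report_rows(REPORT_ROWS):
        print(f"{target:<16} {ioctl.describe()}")
```

Feed it any other Anubis control-communication table as-is; rows whose code is not in KNOWN_CODES still come back with device type, function number, transfer method and access bits, which is usually enough to look the call up in the driver's own header.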

2.c) HideProc.exe - Windows Service Activities

  - Services Created:  
Name  Start Type  Path
HideProc  SERVICE_DEMAND_START  C:\WINDOWS\system32\drivers\HideProc.sys
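Read together, the program output in section 2 and the table above are the standard driver-loader sequence: OpenService fails with Win32 error 1060 (ERROR_SERVICE_DOES_NOT_EXIST), the sample opens the SCM, creates the HideProc service with the .sys binary, starts it, and only then prompts for a PID. The corroborating trace on the system side is in section 3.a, where services.exe reads SERVICES\HideProc\Enum with Root\LEGACY_HIDEPROC\0000. The script below is an added example written for this page (not Anubis code) that performs those three checks over the report's own text: it resolves the printed error code, classifies each created service by binary path, and looks for the legacy-driver enum read. The UpdaterSvc row in the sample table is constructed to show the contrast with a user-mode service; everything else is copied from the report. (The Terminal Server reads in 2.a appear in essentially every Windows XP process trace as loader-side compatibility checks and are not attributed to the sample's own logic, so they are ignored here.)

```python
"""Triage the service-control observations of an Anubis report: the sample's
stdout, the Services Created table and the registry reads services.exe made
after the start.

Added example (editor's code, not Anubis output). Sample inputs are copied from
the report except the UpdaterSvc row, which is constructed for contrast.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Win32 error codes a service-control sequence commonly prints (winerror.h).
WIN32_ERRORS = {
    1056: "ERROR_SERVICE_ALREADY_RUNNING",
    1060: "ERROR_SERVICE_DOES_NOT_EXIST",
    1072: "ERROR_SERVICE_MARKED_FOR_DELETE",
    1073: "ERROR_SERVICE_EXISTS",
}


@dataclass(frozen=True)
class ServiceRow:
    name: str
    start_type: str
    path: str

    @property
    def is_kernel_driver(self) -> bool:
        # A .sys image, or anything under \drivers\, is loaded into ring 0 by the SCM.
        p = self.path.lower()
        return p.endswith(".sys") or "\\drivers\\" in p


def parse_services(table: str) -> list[ServiceRow]:
    """Rows of a 'Services Created' table: name, start type, path, 2+ spaces apart."""
    rows = []
    for line in table.strip().splitlines()[1:]:          # first line is the header
        parts = [p for p in re.split(r"\s{2,}", line.strip()) if p]
        if len(parts) == 3:
            rows.append(ServiceRow(*parts))
    return rows


def stdout_errors(stdout: str) -> list[tuple[str, int, str]]:
    """'<Api> failed; error: <n>' lines with the Win32 error name resolved."""
    found = []
    for m in re.finditer(r"(\w+) failed; error: (\d+)", stdout):
        code = int(m.group(2))
        found.append((m.group(1), code, WIN32_ERRORS.get(code, "UNKNOWN")))
    return found


def legacy_driver_enums(registry_reads: list[str]) -> list[str]:
    """Service names whose SERVICES\\<name>\\Enum read points at Root\\LEGACY_<NAME>\\nnnn.

    Windows creates that device node when a legacy (non-PnP) driver service is
    started, so a read of it by services.exe is the SCM-side trace of the load.
    """
    pat = re.compile(r"SERVICES\\([^\\]+)\\Enum\s+Root\\LEGACY_[^\\]+\\\d{4}", re.I)
    return [m.group(1) for m in map(pat.search, registry_reads) if m]


def triage(stdout: str, services_table: str, registry_reads: list[str]) -> dict:
    findings: list[str] = []
    for api, code, name in stdout_errors(stdout):
        findings.append(f"{api} returned {code} ({name})")
    if "OpenService failed" in stdout and "Service Started." in stdout:
        findings.append("OpenService failed, yet a service was opened and started: "
                        "the sample created it itself in between (CreateService)")
    services = parse_services(services_table)
    drivers = [s for s in services if s.is_kernel_driver]
    for s in drivers:
        findings.append(f"service {s.name} ({s.start_type}) loads kernel driver {s.path}")
    for name in legacy_driver_enums(registry_reads):
        findings.append(f"services.exe read SERVICES\\{name}\\Enum -> Root\\LEGACY_"
                        f"{name.upper()}: the driver was started")
    if re.search(r"Enter PID", stdout):
        findings.append("sample prompts for a PID once the driver is up")
    risk = "high" if drivers else ("medium" if services else "low")
    return {"risk": risk, "findings": findings}


# --- inputs taken from this report (UpdaterSvc row is constructed) ---------
STDOUT = """OpenService failed; error: 1060
SCManager Opened.
Service Opened.
Service Started.

Operating System detected: Windows XP.
Enter PID: """

SERVICES_TABLE = r"""
Name  Type  Path
HideProc  SERVICE_DEMAND_START  C:\WINDOWS\system32\drivers\HideProc.sys
UpdaterSvc  SERVICE_AUTO_START  C:\Program Files\Example\updater.exe
"""

REGISTRY_READS = [
    r"HKLM\SYSTEM\CONTROLSET001\SERVICES\HideProc\Enum  Root\LEGACY_HIDEPROC\0000",
    r"HKLM\SYSTEM\CONTROLSET001\SERVICES\HideProc\Enum  Count",
]

if __name__ == "__main__":
    result = triage(STDOUT, SERVICES_TABLE, REGISTRY_READS)
    print("risk:", result["risk"])
    for finding in result["findings"]:
        print(" -", finding)
```

The risk ladder is deliberately blunt: any created service whose binary is a kernel driver is rated high regardless of what else the report says, because from that point the sample's code runs with the kernel's privileges and the rest of the user-mode trace can no longer be trusted to be complete.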

3. services.exe

  - General information about this executable  
Analysis Reason: A service was started. 
Filename: services.exe 
MD5: 0e776ed5f7cc9f94299e70461b7b8185 
SHA-1: cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf 
File Size: 108544 Bytes
Command Line: C:\WINDOWS\system32\services.exe 
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name                           Base Address  Size
C:\WINDOWS\system32\ntdll.dll         0x7C900000    0x000AF000
C:\WINDOWS\system32\kernel32.dll      0x7C800000    0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll      0x77DD0000    0x0009B000
C:\WINDOWS\system32\RPCRT4.dll        0x77E70000    0x00092000
C:\WINDOWS\system32\Secur32.dll       0x77FE0000    0x00011000
C:\WINDOWS\system32\msvcrt.dll        0x77C10000    0x00058000
C:\WINDOWS\system32\NCObjAPI.DLL      0x5F770000    0x0000C000
C:\WINDOWS\system32\MSVCP60.dll       0x76080000    0x00065000
C:\WINDOWS\system32\SCESRV.dll        0x7DBD0000    0x00051000
C:\WINDOWS\system32\AUTHZ.dll         0x776C0000    0x00012000
C:\WINDOWS\system32\USER32.dll        0x7E410000    0x00091000
C:\WINDOWS\system32\GDI32.dll         0x77F10000    0x00049000
C:\WINDOWS\system32\USERENV.dll       0x769C0000    0x000B4000
C:\WINDOWS\system32\umpnpmgr.dll      0x7DBA0000    0x00021000
C:\WINDOWS\system32\WINSTA.dll        0x76360000    0x00010000
C:\WINDOWS\system32\NETAPI32.dll      0x5B860000    0x00055000
C:\WINDOWS\system32\ShimEng.dll       0x5CB70000    0x00026000
C:\WINDOWS\AppPatch\AcAdProc.dll      0x47260000    0x0000F000
C:\WINDOWS\system32\Apphelp.dll       0x77B40000    0x00022000
C:\WINDOWS\system32\VERSION.dll       0x77C00000    0x00008000
C:\WINDOWS\system32\eventlog.dll      0x77B70000    0x00011000
C:\WINDOWS\system32\PSAPI.DLL         0x76BF0000    0x0000B000
C:\WINDOWS\system32\WS2_32.dll        0x71AB0000    0x00017000
C:\WINDOWS\system32\WS2HELP.dll       0x71AA0000    0x00008000
C:\WINDOWS\system32\wtsapi32.dll      0x76F50000    0x00008000

3.a) services.exe - Registry Activities

  - Registry Values Read:  
(The ENUM\...\ClassGUID reads below are consistent with the user-mode PnP manager, umpnpmgr.dll, loaded in services.exe, walking the device tree when the new service starts; they describe the analysis VM, not the sample. The two SERVICES\HideProc\Enum reads at the end are the ones tied to the sample's driver.)
Key  Name  Value  Times
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0303\4&2C5A7332&0  ClassGUID  {4D36E96B-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0400\4&2C5A7332&0  ClassGUID  {4D36E978-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0501\1  ClassGUID  {4D36E978-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0700\4&2C5A7332&0  ClassGUID  {4D36E969-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0A03\1  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0F13\4&2C5A7332&0  ClassGUID  {4D36E96F-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ACPI_HAL\PNP0C08\0  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\DISPLAY\DEFAULT_MONITOR\4&2946A9FF&0&11223344&00&02  ClassGUID  {4D36E96E-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\CDROMQEMU_QEMU_CD-ROM________________________0.9.____\4D51303030302033202020202020202020202020  ClassGUID  {4D36E965-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\IDE\DISKQEMU_HARDDISK___________________________0.9.1___\4D51303030302031202020202020202020202020  ClassGUID  {4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ISAPNP\READDATAPORT\0  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\LPTENUM\MICROSOFTRAWPORT\5&34A37E9F&0&LPT1  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&0  ClassGUID  {4D36E96A-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\PCIIDE\IDECHANNEL\4&3DE75EA&0&1  ClassGUID  {4D36E96A-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_1013&DEV_00B8&SUBSYS_00000000&REV_00\3&13C0B0C5&0&10  ClassGUID  {4D36E968-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\3&13C0B0C5&0&18  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_1237&SUBSYS_00000000&REV_02\3&13C0B0C5&0&00  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7000&SUBSYS_00000000&REV_00\3&13C0B0C5&0&08  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_7010&SUBSYS_00000000&REV_00\3&13C0B0C5&0&09  ClassGUID  {4D36E96A-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\ACPI_HAL\0000  ClassGUID  {4D36E966-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\DMIO\0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\FTDISK\0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_AFD\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_BEEP\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMBOOT\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_DMLOAD\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_FIPS\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_GPC\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_HTTP\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPNAT\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_IPSEC\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KSECDD\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MNMDD\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_MOUNTMGR\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISTAPI\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDISUIO\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDIS\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NDPROXY\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NETBT\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_NULL\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARTMGR\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_PARVDM\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RASACD\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_RDPCDD\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TCPIP\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_VOLSNAP\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WANARP\0000  ClassGUID  {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMACM  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMDRV  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMMCI  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVCD  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MEDIA\MS_MMVID  ClassGUID  {4D36E96C-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PTIMINIPORT\0000  ClassGUID  {4D36E972-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDPDR\0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_KBD\0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\RDP_MOU\0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0001  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0002  ClassGUID  {4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\ENUM\STORAGE\VOLUME\1&30A96598&0&SIGNATUREB15FB15FOFFSET7E00LENGTH13F291800  ClassGUID  {71A27CDD-812A-11D0-BEC7-08002BE2092F}
HKLM\SYSTEM\CONTROLSET001\SERVICES\HideProc\Enum  Root\LEGACY_HIDEPROC\0000
HKLM\SYSTEM\CONTROLSET001\SERVICES\HideProc\Enum  Count

  - Monitored Registry Keys:  
Key Name  Watch subtree  Notify Filter  Count
HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG  Key Change,Value Change


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org