Analysis Report for RENAME_ME.exe

Comment on this report

Summary:

Description	Risk
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.

Table of Contents
expand all	collapse all
General information sample.exe C:\sample.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	241 s
Report created:	05/25/09, 15:52:42 UTC
Termination reason:	Timeout
Program version:	1.68.0

2. sample.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	sample.exe
MD5:	4857c57dd2353426fc6ac805f86cec35
SHA-1:	370448fcb31e1caebac43fea5e02a7b0dbb7444a
File Size:	1458176 Bytes
Command Line:	"C:\sample.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\COMCTL32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\msctfime.ime	0x755C0000	0x0002E000
C:\WINDOWS\system32\winmm.dll	0x76B40000	0x0002D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\version.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000

	- SigBuster Output

Themida vna SN:732

2.a) sample.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\Hardware\description\System	SystemBiosVersion	0x510045004d0055002000200020002d002000310000005200650076006900	2
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\Software\Microsoft\CTF\SystemShared	CUAS	0	1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM	Ime File	msctfime.ime	1
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1

2.b) sample.exe - File Activities

	- Files Read:

C:\WINDOWS\system32\ADVAPI32.dll

C:\WINDOWS\system32\KERNEL32.dll

C:\WINDOWS\system32\USER32.dll

C:\WINDOWS\system32\ntdll.dll

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\msctfime.ime

C:\WINDOWS\system32\ole32.dll

C:\WINDOWS\system32\winmm.dll

2.c) sample.exe - Process Activities

	- Thread Overview:

Time	Number of threads
After 34 seconds	1

2.d) sample.exe - Other Activities

	- Mutexes Created:

CTF.Asm.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.Compart.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.LBES.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.Layouts.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.TMD.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003

CTF.TimListCache.FMPDefaultS-1-5-21-1229272821-1004336348-527237240-1003MUTEX.DefaultS-1-5-21-1229272821-1004336348-527237240-1003

DBWinMutex

	- Windows SEH exceptions:

Description	Times
Exception 0xc000001d (STATUS_ILLEGAL_INSTRUCTION) at 0x5b24c3	1
Exception 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION) at 0x5b268c	1
Exception 0x40010006 at 0xb51eeb	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7c809eca	1