File Name: krename.exe
SHA1: ca3ae1eb8407582846c89914ed23fb8473c33bf2
MD5: cdb7575e7fb7219aa0f396983358542e
First Seen Date: 2016-08-01 23:54:41.506402
Number of Clients Seen: 7
Last Analysis Date: 2016-08-01 23:54:41.506402
Human Expert Analysis Date: 2017-08-23 09:52:17.621083
Human Expert Analysis Result: Clean
Analysis Summary

Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2016-08-01 23:54:41.506402 | Clean
Static Analysis Overall Verdict | 2016-08-01 23:54:41.506402 | Highly Suspicious
Dynamic Analysis Overall Verdict | 2016-08-01 23:54:41.506402 | No Threat Found
Human Expert Analysis Overall Verdict | 2017-08-23 09:52:17.621083 | Clean
Static Analysis

Static Analysis Overall Verdict: Highly Suspicious

Detector | Result
---|---
Optional Header LoaderFlags field has an illegal value | Clean
Non-ASCII or empty section names detected | Clean
Illegal size of Optional Header | Clean
Packer detection on signature database | Unknown
Section entropy check: file is possibly packed | Suspicious
Timestamp value suspicious | Suspicious
Header checksum is zero | Clean
Entry point is outside the first (.code) section; binary is possibly packed | Clean
Optional Header NumberOfRvaAndSizes field has an illegal value | Clean
Anti-VM present | Clean
SizeOfRawData has an illegal value; binary might crash your disassembler/debugger | Clean
TLS callback functions array detected | Clean
Packer detection on signature database (matched signatures):

PECompact V2.X -> Bitsum Technologies
PeCompact 2.xx --> BitSum Technologies
Dynamic Analysis

Dynamic Analysis Overall Verdict: No Threat Found

| Suspicious Behaviors |
|---|
| Creates a child process |
| Uses a function clandestinely |
| Logs user key strokes |
| Opens a file in a system directory |
| Has no visible windows |
Behavioral Information
C:\sample
C:\Windows\syswow64\kernel32.dll
C:\Windows\system32\EhStorShell.dll
C:\Windows\syswow64\MSCTF.dll
C:\Windows\syswow64\USER32.dll
Disable
DataFilePath
Plane1
Plane2
Plane3
Plane4
Plane5
Plane6
Plane7
Plane8
Plane9
Plane10
Plane11
Plane12
Plane13
Plane14
Plane15
Plane16
Tahoma
DispatcherPath
UseDoubleClickTimer
C:\Windows\Fonts\staticcache.dat
C:\Users\win7\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\win7\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000008.db
\??\C:\Windows\system32\EhStorShell.dll
\??\C:\Windows\system32\ntshrui.dll
\\.\PIPE\srvsvc
C:\Users\win7\Desktop
C:\Users\Public\Desktop
\??\C:\Windows\System32\shdocvw.dll
\\.\PIPE\samr
\??\C:\Windows\system32\NetworkExplorer.dll
\\.\VBoxGuest
\\.\VBoxMiniRdrDN
\\.\PIPE\wkssvc
\\.\PIPE\DAV RPC SERVICE
C:\Users\win7\AppData\Roaming\Microsoft\Windows\Network Shortcuts\desktop.ini
C:\Users\win7\AppData\Roaming\Microsoft\Windows\Network Shortcuts
c:\python27\dlls\py.ico
Software\Borland\Locales
Software\Borland\Delphi\Locales
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
Tahoma
Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
Software\Raize\CodeSite\2.0
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ken Rename
Marlett
<NULL>
Local\MSCTF.Asm.MutexDefault1
CSDispatcher.exe
imm32.dll
kernel32
user32
olepro32.dll
ADVAPI32.dll
comctl32.dll
ole32.dll
uxtheme.dll
propsys.dll
ntmarta.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
WindowsCodecs.dll
C:\Windows\system32\EhStorShell.dll
C:\Windows\system32\ntshrui.dll
srvcli.dll
cscapi.dll
slc.dll
c:\windows\system32\imageres.dll
C:\Windows\system32\imageres.dll
SHELL32.dll
C:\Windows\System32\imageres.dll
C:\Windows\System32\shdocvw.dll
PROPSYS.dll
OLEAUT32.dll
SspiCli.dll
C:\Windows\system32\networkexplorer.dll
USER32.dll
C:\Windows\system32\VBoxMRXNP.dll
C:\Windows\System32\drprov.dll
C:\Windows\System32\ntlanman.dll
C:\Windows\System32\davclnt.dll
API-MS-Win-Security-LSALookup-L1-1-0.dll
RPCRT4.dll
netutils.dll
WINTRUST.dll
C:\Windows\system32\ole32.dll
C:\CFVS_Injector.exe
c:\python27\dlls\py.ico
C:\DLL_Loader.exe
C:\Procmon.exe
SetWindowsHookExW
SetWindowsHookExA
OpenProcess
CreateProcessA
ShellExecuteExA
ShellExecuteW
ShellExecuteA
Precise Detectors Analysis Results

No Detector Result Received

Advanced Heuristics

No Advanced Heuristic Analysis Result Received
Human Expert Analysis Results

Analysis Start Date: 2017-08-23 05:54:41.712741
Analysis End Date: 2017-08-23 09:52:17.621083
File Upload Date: 2017-08-22 20:14:44.234724
Update Date: 2017-08-23 09:02:32.936725
Human Expert Analyst Feedback:
Verdict: Clean
Additional File Information

Property | Value
---|---

Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
---|---|---|---|---|---