KeyGen.exe
This report is generated from a file or URL submitted to this webservice on April 26th 2017 21:04:41 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.40 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Fingerprint: Reads the active computer name
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 6

External Systems
- Sample was identified as malicious by a large number of Antivirus engines
  - details: 35/61 Antivirus vendors marked sample as malicious (57% detection rate); 16/41 Antivirus vendors marked sample as malicious (39% detection rate)
  - source: External System
  - relevance: 10/10
- Sample was identified as malicious by at least one Antivirus engine
  - details: 35/61 Antivirus vendors marked sample as malicious (57% detection rate); 16/41 Antivirus vendors marked sample as malicious (39% detection rate)
  - source: External System
  - relevance: 8/10

General
- The analysis spawned a process that was identified as malicious
  - details: 41/85 Antivirus vendors marked spawned process "<Input Sample>" (PID: 2900) as malicious (classified as "Downloader.Exchanger" with 48% detection rate)
  - source: Monitored Target
  - relevance: 10/10

Pattern Matching
- YARA signature match
  - details: YARA signature "UPX" classified file "KeyGen.exe.bin" as "upx" based on indicators: "UPX0,UPX1,UPX!" (Author: Kevin Breen <kevin@techanarchy.net>)
  - source: YARA Signature
  - relevance: 10/10

Unusual Characteristics
- Entrypoint in PE header is within an uncommon section
  - details: "KeyGen.exe.bin" has an entrypoint in section "UPX1"
  - source: Static Parser
  - relevance: 5/10

1 malicious indicator is hidden (available only in the private webservice or standalone version).
Suspicious Indicators 10

Anti-Reverse Engineering
- PE file has unusual entropy sections
  - details: UPX1 with unusual entropies 7.9567844273
  - source: Static Parser
  - relevance: 10/10
- PE file is packed with UPX
  - details: "KeyGen.exe.bin" has a section named "UPX0"; "KeyGen.exe.bin" has a section named "UPX1"
  - source: Static Parser
  - relevance: 10/10

Environment Awareness
- Reads the active computer name
  - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10

General
- Contains ability to find and load resources of a specific module
  - details: FindResourceA@KERNEL32.DLL from KeyGen.exe (PID: 2900)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Opened the service control manager
  - details: "<Input Sample>" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  - source: API Call
  - relevance: 10/10
- Requested access to a system service
  - details:
    - "<Input Sample>" called "OpenService" to access the "AudioSrv" service
    - "<Input Sample>" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_CONFIG" (0X1) access rights
    - "<Input Sample>" called "OpenService" to access the "AudioSrv" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
  - source: API Call
  - relevance: 10/10

Remote Access Related
- Reads terminal service related keys (often RDP related)
  - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
  - source: Registry Access
  - relevance: 10/10

Unusual Characteristics
- Imports suspicious APIs
  - details: VirtualProtect, GetProcAddress, VirtualAlloc, LoadLibraryA
  - source: Static Parser
  - relevance: 1/10
- Reads information about supported languages
  - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10

1 suspicious indicator is hidden (available only in the private webservice or standalone version).
Informative 6

Anti-Reverse Engineering
- Contains ability to register a top-level exception handler (often used as anti-debugging trick)
  - details: SetUnhandledExceptionFilter@KERNEL32.DLL from KeyGen.exe (PID: 2900)
  - source: Hybrid Analysis Technology
  - relevance: 1/10

General
- Creates mutants
  - details:
    - "\Sessions\1\BaseNamedObjects\Local\MidiMapper_modLongMessage_RefCnt"
    - "Local\MidiMapper_modLongMessage_RefCnt"
  - source: Created Mutant
  - relevance: 3/10

Installation/Persistence
- Connects to LPC ports
  - details: "<Input Sample>" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Touches files in the Windows directory
  - details:
    - "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
    - "<Input Sample>" touched file "%WINDIR%\system32\wdmaud.drv"
    - "<Input Sample>" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
    - "<Input Sample>" touched file "%WINDIR%\system32\en-US\wdmaud.drv.mui"
    - "<Input Sample>" touched file "%WINDIR%\system32\en-US\MMDevAPI.DLL.mui"
    - "<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
    - "<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
  - source: API Call
  - relevance: 7/10

System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  - details: "<Input Sample>" opened "\Device\KsecDD"
  - source: API Call
  - relevance: 10/10

Unusual Characteristics
- Matched Compiler/Packer signature
  - details: "KeyGen.exe.bin" was detected as "UPX v1.25 (Delphi) Stub"
  - source: Static Parser
  - relevance: 10/10
File Details
- Filename: KeyGen.exe
- Size: 53KiB (53760 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
- Architecture: WINDOWS
- SHA256: 643bc250dc4e6cb47fecb1648aa5eea88b4fcbf42933aff65ecec144ae6f563e
- MD5: 3468e276c104484ab52e3a773dbb0252
- SHA1: 092f3169780db5a96d521f8aa5913fbb098c7f5f
- ssdeep: 1536:kkVaszYUVNFqi9YJ4BS8/nRbf2/Knouy8Mn:kk/zY4NdSAf9outM
- imphash: 965a25da4325b995a24a08a5602c7539
- authentihash: 03241882cc78be69290c24ec82440bf7889dae631f3f02532b99fdcf9a1f5b66
- Compiler/Packer: UPX v1.25 (Delphi) Stub
- PDB Pathway:
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- KeyGen.exe (PID: 2900) 41/85
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
No significant files were extracted.