CryptoLocker | 065bffbd67a1

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\FYQbZNssjFtjWVUC.exe

Sample File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	40.97 KB
MD5	e5de8293c1131f5fd798531e0470068c
SHA1	b68bf28150f87e0ee2dd5bcd156cd0bd5b128cb2
SHA256	065bffbd67a1d7fb4785254adf361039921dec9bca93a7db46d5a27976e7cf39
SSDeep	768:bxNQIE0eBhkL2Fo1CCwgfjOg1tsJ6zeen754XcwxbFqx:bxNrC7kYo1Fxf3s05rwxbFw
ImpHash	3c4da9ed0ba02990af7795e358bfd650
Static Analysis Parser Error	malformed string file info

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

PE Information

Image Base	0x08000000
Entry Point	0x08001000
Size Of Code	0x00002C00
Size Of Initialized Data	0x00003400
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2012-02-16 02:43 (UTC)

Sections (4)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x08001000	0x00002B35	0x00002C00	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.37
.data	0x08004000	0x00000C64	0x00000E00	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.24
.rsrc	0x08005000	0x00002108	0x00002200	0x00003E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.16
.reloc	0x08008000	0x00000206	0x00000400	0x00006000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	3.36

Imports (3)

user32.dll (18)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
PostQuitMessage	-	0x0800403C	0x000049F8	0x000039F8	0x000001D5
GetMessageA	-	0x08004040	0x000049FC	0x000039FC	0x00000122
UpdateWindow	-	0x08004044	0x00004A00	0x00003A00	0x0000026A
EndPaint	-	0x08004048	0x00004A04	0x00003A04	0x000000B6
DispatchMessageA	-	0x0800404C	0x00004A08	0x00003A08	0x00000093
BeginPaint	-	0x08004050	0x00004A0C	0x00003A0C	0x0000000B
TranslateMessage	-	0x08004054	0x00004A10	0x00003A10	0x0000025E
CreateWindowExA	-	0x08004058	0x00004A14	0x00003A14	0x00000056
RegisterClassExA	-	0x0800405C	0x00004A18	0x00003A18	0x000001E1
DefWindowProcA	-	0x08004060	0x00004A1C	0x00003A1C	0x00000083
MessageBoxA	-	0x08004064	0x00004A20	0x00003A20	0x000001B1
SendMessageA	-	0x08004068	0x00004A24	0x00003A24	0x000001FD
DestroyWindow	-	0x0800406C	0x00004A28	0x00003A28	0x0000008D
LoadIconA	-	0x08004070	0x00004A2C	0x00003A2C	0x00000198
GetWindowRect	-	0x08004074	0x00004A30	0x00003A30	0x00000157
LoadCursorA	-	0x08004078	0x00004A34	0x00003A34	0x00000194
ShowWindow	-	0x0800407C	0x00004A38	0x00003A38	0x00000248
SetWindowPos	-	0x08004080	0x00004A3C	0x00003A3C	0x0000023B

kernel32.dll (12)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetLastError	-	0x08004008	0x000049C4	0x000039C4	0x00000128
lstrcpyA	-	0x0800400C	0x000049C8	0x000039C8	0x00000315
GetModuleHandleA	-	0x08004010	0x000049CC	0x000039CC	0x00000134
GetCommandLineA	-	0x08004014	0x000049D0	0x000039D0	0x000000E6
FindFirstFileA	-	0x08004018	0x000049D4	0x000039D4	0x000000B1
GetCurrentDirectoryA	-	0x0800401C	0x000049D8	0x000039D8	0x000000FE
FindClose	-	0x08004020	0x000049DC	0x000039DC	0x000000AD
FindNextFileA	-	0x08004024	0x000049E0	0x000039E0	0x000000BA
DeleteFileA	-	0x08004028	0x000049E4	0x000039E4	0x00000069
CloseHandle	-	0x0800402C	0x000049E8	0x000039E8	0x00000023
GetCurrentProcess	-	0x08004030	0x000049EC	0x000039EC	0x00000100
CreateFileA	-	0x08004034	0x000049F0	0x000039F0	0x0000003D

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontIndirectA	-	0x08004000	0x000049BC	0x000039BC	0x0000002F

Memory Dumps (9)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
fyqbznssjftjwvuc.exe	1	0x08000000	0x08008FFF	Relevant Image	32-bit	0x08002C59	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x00470000	0x00475FFF	First Execution	32-bit	0x00470009	... Actions Go to Process Download Dump
buffer	1	0x01F10000	0x01F15FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x01F10000	0x01F15FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x01F10000	0x01F15FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x01F10000	0x01F15FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x01F10000	0x01F15FFF	First Execution	32-bit	0x01F11020	... Actions Go to Process Download Dump
buffer	1	0x023C0048	0x023CA495	Image In Buffer	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
fyqbznssjftjwvuc.exe	1	0x08000000	0x08008FFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
CryptoLocker_rule2	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match

C:\Users\RDHJ0C~1\AppData\Local\Temp\pissa.exe

Dropped File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	41.07 KB
MD5	5b8f65112ef5988522daddae38f05087
SHA1	7cadb63fad4281795b7baccf16fe0c4707afeb77
SHA256	c22ff63c915b72ebf81271c1d70dbd59ebdcc831776485023db8b893e412a7fb
SSDeep	768:bxNQIE0eBhkL2Fo1CCwgfjOg1tsJ6zeen754XcwxbFqV:bxNrC7kYo1Fxf3s05rwxbFE
ImpHash	3c4da9ed0ba02990af7795e358bfd650
Static Analysis Parser Error	malformed string file info

PE Information

Image Base	0x08000000
Entry Point	0x08001000
Size Of Code	0x00002C00
Size Of Initialized Data	0x00003400
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2012-02-16 02:43 (UTC)

Sections (4)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x08001000	0x00002B35	0x00002C00	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.37
.data	0x08004000	0x00000C64	0x00000E00	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.24
.rsrc	0x08005000	0x00002108	0x00002200	0x00003E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.16
.reloc	0x08008000	0x00000206	0x00000400	0x00006000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	3.36

Imports (3)

user32.dll (18)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
PostQuitMessage	-	0x0800403C	0x000049F8	0x000039F8	0x000001D5
GetMessageA	-	0x08004040	0x000049FC	0x000039FC	0x00000122
UpdateWindow	-	0x08004044	0x00004A00	0x00003A00	0x0000026A
EndPaint	-	0x08004048	0x00004A04	0x00003A04	0x000000B6
DispatchMessageA	-	0x0800404C	0x00004A08	0x00003A08	0x00000093
BeginPaint	-	0x08004050	0x00004A0C	0x00003A0C	0x0000000B
TranslateMessage	-	0x08004054	0x00004A10	0x00003A10	0x0000025E
CreateWindowExA	-	0x08004058	0x00004A14	0x00003A14	0x00000056
RegisterClassExA	-	0x0800405C	0x00004A18	0x00003A18	0x000001E1
DefWindowProcA	-	0x08004060	0x00004A1C	0x00003A1C	0x00000083
MessageBoxA	-	0x08004064	0x00004A20	0x00003A20	0x000001B1
SendMessageA	-	0x08004068	0x00004A24	0x00003A24	0x000001FD
DestroyWindow	-	0x0800406C	0x00004A28	0x00003A28	0x0000008D
LoadIconA	-	0x08004070	0x00004A2C	0x00003A2C	0x00000198
GetWindowRect	-	0x08004074	0x00004A30	0x00003A30	0x00000157
LoadCursorA	-	0x08004078	0x00004A34	0x00003A34	0x00000194
ShowWindow	-	0x0800407C	0x00004A38	0x00003A38	0x00000248
SetWindowPos	-	0x08004080	0x00004A3C	0x00003A3C	0x0000023B

kernel32.dll (12)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetLastError	-	0x08004008	0x000049C4	0x000039C4	0x00000128
lstrcpyA	-	0x0800400C	0x000049C8	0x000039C8	0x00000315
GetModuleHandleA	-	0x08004010	0x000049CC	0x000039CC	0x00000134
GetCommandLineA	-	0x08004014	0x000049D0	0x000039D0	0x000000E6
FindFirstFileA	-	0x08004018	0x000049D4	0x000039D4	0x000000B1
GetCurrentDirectoryA	-	0x0800401C	0x000049D8	0x000039D8	0x000000FE
FindClose	-	0x08004020	0x000049DC	0x000039DC	0x000000AD
FindNextFileA	-	0x08004024	0x000049E0	0x000039E0	0x000000BA
DeleteFileA	-	0x08004028	0x000049E4	0x000039E4	0x00000069
CloseHandle	-	0x0800402C	0x000049E8	0x000039E8	0x00000023
GetCurrentProcess	-	0x08004030	0x000049EC	0x000039EC	0x00000100
CreateFileA	-	0x08004034	0x000049F0	0x000039F0	0x0000003D

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontIndirectA	-	0x08004000	0x000049BC	0x000039BC	0x0000002F

Memory Dumps (16)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
pissa.exe	2	0x08000000	0x08008FFF	Relevant Image	32-bit	0x08002C59	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x00650000	0x00655FFF	First Execution	32-bit	0x00650009	... Actions Go to Process Download Dump
buffer	2	0x01FE0000	0x01FE5FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x01FE0000	0x01FE5FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x01FE0000	0x01FE5FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x01FE0000	0x01FE5FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x01FE0000	0x01FE5FFF	First Execution	32-bit	0x01FE1020	... Actions Go to Process Download Dump
buffer	2	0x0019A000	0x0019FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00640000	0x00645FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00650000	0x00655FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x01FE0000	0x01FE5FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x023C0000	0x024BFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x024C0048	0x024CA4F5	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
pissa.exe	2	0x08000000	0x08008FFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
counters.dat	2	0x01FD0000	0x01FD0FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
pissa.exe	2	0x08000000	0x08008FFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
CryptoLocker_rule2	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\4ldxc150\rch[1].htm

Downloaded File

HTML

Also Known As	pissec.exe (Accessed File, Downloaded File)
MIME Type	text/html
File Size	114 Bytes
MD5	e89f75f918dbdcee28604d4e09dd71d7
SHA1	f9d9055e9878723a12063b47d4a1a5f58c3eb1e9
SHA256	6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023
SSDeep	3:PouVIZx/XMn30EEBuvFfD0OkADYyT0NV9kBbZWM:hax/XW3/p5mmYyT0NVuB9d
ImpHash	-

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat

Modified File

Stream

MIME Type	application/octet-stream
File Size	128 Bytes
MD5	cc90851958032b8c8bbb7b24ec6271dd
SHA1	e027ad2ea4049374a3b01af2e3626b667dc816bc
SHA256	c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
SSDeep	3:Fl:
ImpHash	-

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information