CryptoLocker | 368614574665

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\OqXZRaykm\Desktop\PxoKRFYoxQB8PbHT.exe

Sample File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	69.68 KB
MD5	2f4dc148ea6fbec4f93557ab152f9c8f
SHA1	6a2db6790b96d06d65c2cec2964f196f0a0905ce
SHA256	368614574665904cb34365bc12233c841c6f62d1036a6e4f81117078dafc384f
SSDeep	1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293vaRLEu:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7G
ImpHash	db206e36db5c9492ce02c61a679129e2
Static Analysis Parser Error	malformed string file info

File Reputation Information

Verdict

Malicious

PE Information

Image Base	0x00400000
Entry Point	0x00401000
Size Of Code	0x00002400
Size Of Initialized Data	0x00004000
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2013-10-02 08:13 (UTC)

Sections (4)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00401000	0x000023F0	0x00002400	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.27
.rdata	0x00404000	0x00000DB0	0x00000E00	0x00002800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.72
.data	0x00405000	0x000005F0	0x00000200	0x00003600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.9
.rsrc	0x00406000	0x00002B98	0x00002C00	0x00003800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.6

Imports (3)

user32.dll (20)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
BeginPaint	-	0x0040402C	0x00004B6C	0x0000336C	0x0000000B
DispatchMessageA	-	0x00404030	0x00004B70	0x00003370	0x00000093
DrawTextA	-	0x00404034	0x00004B74	0x00003374	0x000000AA
EndPaint	-	0x00404038	0x00004B78	0x00003378	0x000000B6
TranslateMessage	-	0x0040403C	0x00004B7C	0x0000337C	0x0000025E
GetMessageA	-	0x00404040	0x00004B80	0x00003380	0x00000122
PostQuitMessage	-	0x00404044	0x00004B84	0x00003384	0x000001D5
ShowWindow	-	0x00404048	0x00004B88	0x00003388	0x00000248
UpdateWindow	-	0x0040404C	0x00004B8C	0x0000338C	0x0000026A
MoveWindow	-	0x00404050	0x00004B90	0x00003390	0x000001BE
CreateWindowExA	-	0x00404054	0x00004B94	0x00003394	0x00000056
RegisterClassExA	-	0x00404058	0x00004B98	0x00003398	0x000001E1
DefWindowProcA	-	0x0040405C	0x00004B9C	0x0000339C	0x00000083
MessageBoxA	-	0x00404060	0x00004BA0	0x000033A0	0x000001B1
SendMessageA	-	0x00404064	0x00004BA4	0x000033A4	0x000001FD
LoadIconA	-	0x00404068	0x00004BA8	0x000033A8	0x00000198
DestroyWindow	-	0x0040406C	0x00004BAC	0x000033AC	0x0000008D
LoadCursorA	-	0x00404070	0x00004BB0	0x000033B0	0x00000194
GetClientRect	-	0x00404074	0x00004BB4	0x000033B4	0x000000E9
GetWindowRect	-	0x00404078	0x00004BB8	0x000033B8	0x00000157

kernel32.dll (7)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetLastError	-	0x0040400C	0x00004B4C	0x0000334C	0x00000128
lstrcpyA	-	0x00404010	0x00004B50	0x00003350	0x00000315
GetModuleHandleA	-	0x00404014	0x00004B54	0x00003354	0x00000134
GetCommandLineA	-	0x00404018	0x00004B58	0x00003358	0x000000E6
DeleteFileA	-	0x0040401C	0x00004B5C	0x0000335C	0x00000069
CloseHandle	-	0x00404020	0x00004B60	0x00003360	0x00000023
CreateFileA	-	0x00404024	0x00004B64	0x00003364	0x0000003D

gdi32.dll (2)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
DeleteObject	-	0x00404000	0x00004B40	0x00003340	0x0000004B
CreateFontIndirectA	-	0x00404004	0x00004B44	0x00003344	0x0000002F

Memory Dumps (8)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
pxokrfyoxqb8pbht.exe	1	0x00400000	0x00408FFF	Relevant Image	32-bit	0x00402B80	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x01EF0000	0x01EF5FFF	First Execution	32-bit	0x01EF0009	... Actions Go to Process Download Dump
buffer	1	0x00400000	0x00405FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00400000	0x00405FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00400000	0x00405FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00400000	0x00405FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00400000	0x00405FFF	First Execution	32-bit	0x00401020	... Actions Go to Process Download Dump
buffer	1	0x02150048	0x02161767	Image In Buffer	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (2)

Rule Name	Rule Description	Classification	Score	Actions
CryptoLocker_set1	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match
CryptoLocker_rule2	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match

C:\Users\OQXZRA~1\AppData\Local\Temp\hurok.exe

Dropped File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	69.78 KB
MD5	44d7a8ac512e257e45eadc485d8f7152
SHA1	fb665764475e46622c9c2ccde808e1b6f7c4b9ed
SHA256	af3991510c27f4588000b640e0dfdf682046c304927770f698416e3ca6fbf537
SSDeep	1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293vaRLE6:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7C
ImpHash	db206e36db5c9492ce02c61a679129e2
Static Analysis Parser Error	malformed string file info

PE Information

Image Base	0x00400000
Entry Point	0x00401000
Size Of Code	0x00002400
Size Of Initialized Data	0x00004000
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2013-10-02 08:13 (UTC)

Sections (4)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00401000	0x000023F0	0x00002400	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.27
.rdata	0x00404000	0x00000DB0	0x00000E00	0x00002800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.72
.data	0x00405000	0x000005F0	0x00000200	0x00003600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.9
.rsrc	0x00406000	0x00002B98	0x00002C00	0x00003800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.6

Imports (3)

user32.dll (20)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
BeginPaint	-	0x0040402C	0x00004B6C	0x0000336C	0x0000000B
DispatchMessageA	-	0x00404030	0x00004B70	0x00003370	0x00000093
DrawTextA	-	0x00404034	0x00004B74	0x00003374	0x000000AA
EndPaint	-	0x00404038	0x00004B78	0x00003378	0x000000B6
TranslateMessage	-	0x0040403C	0x00004B7C	0x0000337C	0x0000025E
GetMessageA	-	0x00404040	0x00004B80	0x00003380	0x00000122
PostQuitMessage	-	0x00404044	0x00004B84	0x00003384	0x000001D5
ShowWindow	-	0x00404048	0x00004B88	0x00003388	0x00000248
UpdateWindow	-	0x0040404C	0x00004B8C	0x0000338C	0x0000026A
MoveWindow	-	0x00404050	0x00004B90	0x00003390	0x000001BE
CreateWindowExA	-	0x00404054	0x00004B94	0x00003394	0x00000056
RegisterClassExA	-	0x00404058	0x00004B98	0x00003398	0x000001E1
DefWindowProcA	-	0x0040405C	0x00004B9C	0x0000339C	0x00000083
MessageBoxA	-	0x00404060	0x00004BA0	0x000033A0	0x000001B1
SendMessageA	-	0x00404064	0x00004BA4	0x000033A4	0x000001FD
LoadIconA	-	0x00404068	0x00004BA8	0x000033A8	0x00000198
DestroyWindow	-	0x0040406C	0x00004BAC	0x000033AC	0x0000008D
LoadCursorA	-	0x00404070	0x00004BB0	0x000033B0	0x00000194
GetClientRect	-	0x00404074	0x00004BB4	0x000033B4	0x000000E9
GetWindowRect	-	0x00404078	0x00004BB8	0x000033B8	0x00000157

kernel32.dll (7)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetLastError	-	0x0040400C	0x00004B4C	0x0000334C	0x00000128
lstrcpyA	-	0x00404010	0x00004B50	0x00003350	0x00000315
GetModuleHandleA	-	0x00404014	0x00004B54	0x00003354	0x00000134
GetCommandLineA	-	0x00404018	0x00004B58	0x00003358	0x000000E6
DeleteFileA	-	0x0040401C	0x00004B5C	0x0000335C	0x00000069
CloseHandle	-	0x00404020	0x00004B60	0x00003360	0x00000023
CreateFileA	-	0x00404024	0x00004B64	0x00003364	0x0000003D

gdi32.dll (2)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
DeleteObject	-	0x00404000	0x00004B40	0x00003340	0x0000004B
CreateFontIndirectA	-	0x00404004	0x00004B44	0x00003344	0x0000002F

Memory Dumps (12)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
hurok.exe	4	0x00400000	0x00408FFF	Relevant Image	32-bit	0x00402B80	... Actions Go to Process Go to YARA Match Download Dump
buffer	4	0x01EF0000	0x01EF5FFF	First Execution	32-bit	0x01EF0009	... Actions Go to Process Download Dump
buffer	4	0x00400000	0x00405FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00400000	0x00405FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00400000	0x00405FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00400000	0x00405FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00400000	0x00405FFF	First Execution	32-bit	0x00401020	... Actions Go to Process Download Dump
buffer	4	0x0019C000	0x0019FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00400000	0x00405FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x01EF0000	0x01EF5FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x01F40000	0x01F9FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x02100048	0x021117C7	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (2)

Rule Name	Rule Description	Classification	Score	Actions
CryptoLocker_rule2	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match
CryptoLocker_set1	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match

c:\users\oqxzraykm\appdata\local\temp\hurrok.exe

Dropped File

Empty

Also Known As	hurrok.exe (Accessed File, Dropped File)
MIME Type	application/x-empty
File Size	0 Bytes (not extracted)
MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep	3::
ImpHash	-

0be74dcbb2460f6aab602ca1c3b509d46648ed8b7026d22ce43ca9bd30ac3828

Downloaded File

HTML

MIME Type	text/html
File Size	100.05 KB
MD5	f0b442713aafddfc56ea8671526248f7
SHA1	d89b81272a920608f1649dc5744546ad0815bcec
SHA256	0be74dcbb2460f6aab602ca1c3b509d46648ed8b7026d22ce43ca9bd30ac3828
SSDeep	768:W0IOGkklgWgucWCsZdap7GI1hels3o37R7JRT03N3LrSW2+z266:TOapiWYlIc7RlRTgdL2W2+z266
ImpHash	-

Extracted URLs (43)

URL	WHOIS Data	Reputation Status	Recursively Submitted	Actions
https://gemlttwi.com/xmlrpc.php?rsd	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-content/plugins/essential-addons-for-elementor-lite/assets/front-end/js/view/general.min.js?ver=6.0.10	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-content/uploads/2020/02/GEML-logo_d200-removebg-preview-161x85.png	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/concrete-works/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/careers/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-json/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-includes/js/dist/dom-ready.min.js?ver=f77871ff7694fffea381	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-content/uploads/2020/02/GEML-logo_d200-removebg-preview-150x105.png	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/stow-certificate/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/divisions/#BRIDGE	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/feed/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/divisions/#WATER	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.25.9	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/asphalt/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com//wp-includes//js//wp-emoji-release.min.js?ver=6.7	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-content/plugins/astra-sites/inc/lib/onboarding/assets/dist/template-preview/main.js?ver=06758d4d807d9d22c6ea	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
http://fonts.googleapis.com	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-includes/css/dist/block-library/style.min.css?ver=6.7	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://www.facebook.com/profile.php?id=100087583921301	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://s.w.org//images//core//emoji//15.0.3//svg//	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/concrete-calculator/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-content/themes/astra/assets/css/minified/frontend.min.css?ver=3.7.7	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/comments/feed/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/about-us/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/divisions/#ROAD	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/divisions/#BRIDGE	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-content/uploads/2020/02/GEML-logo_d200-removebg-preview.png	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com//wp-admin//admin-ajax.php	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gmpg.org/xfn/11	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/transport/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/gallery/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/equipment-rental/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-content/themes/astra/assets/css/minified/menu-animation.min.css?ver=3.7.7	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/divisions/#EARTH	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-content/themes/astra/assets/js/minified/frontend.min.js?ver=3.7.7	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/contact/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/projects/	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://s.w.org//images//core//emoji//15.0.3//72x72//	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://fonts.googleapis.com/css?family=Work+Sans%3A400%7CDM+Serif+Display%3A400&display=fallback&ver=3.7.7	Show WHOIS	Not Available	-	... Actions Show URL Submit URL
https://gemlttwi.com/wp-content/plugins/essential-addons-for-elementor-lite/assets/front-end/css/view/general.min.css?ver=6.0.10	Show WHOIS	Not Available	-	... Actions Show URL Submit URL

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information