CryptoLocker | 3a35de450f89

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\OqXZRaykm\Desktop\7fq0PwBJkR1rhpBD.exe

Sample File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	62.69 KB
MD5	64306135c8040ec8c2101e1f0bd6dc61
SHA1	d981fd91a3a31aa3891d98dfc569068145b8be77
SHA256	3a35de450f89eb21217d0a52df01dc796fd43bf5fb02c479d6b7b8503327209f
SSDeep	768:f6LsoEEeegiZPvEhHSG+gz5NQXtckstOOtEvwDpj/WaD3TUogs/VXpAPWRiV:f6QFElP6n+g9u9cvMOtEvwDpjnpVXzRE
ImpHash	bd2f03255beebcd07c02192dbb770be8
Static Analysis Parser Error	malformed string file info

File Reputation Information

Verdict

Malicious

PE Information

Image Base	0x00500000
Entry Point	0x00501000
Size Of Code	0x00003000
Size Of Initialized Data	0x00003000
Size Of Uninitialized Data	0x00008000
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2013-10-02 14:59 (UTC+2)

Sections (4)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
UPX0	0x00501000	0x00008000	0x00005200	0x00000400	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.22
UPX1	0x00509000	0x00003000	0x00002C00	0x00005600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.06
.rsrc	0x0050C000	0x00003000	0x00002C00	0x00008200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.07
.imports	0x0050F000	0x00001000	0x00000400	0x0000AE00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.97

Imports (3)

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontIndirectA	-	0x00504000	0x00004000	0x00003400	0x00000000

KERNEL32.DLL (12)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetLastError	-	0x00504008	0x00004008	0x00003408	0x00000000
lstrcpyA	-	0x0050400C	0x0000400C	0x0000340C	0x00000000
GetModuleHandleA	-	0x00504010	0x00004010	0x00003410	0x00000000
GetCommandLineA	-	0x00504014	0x00004014	0x00003414	0x00000000
FindFirstFileA	-	0x00504018	0x00004018	0x00003418	0x00000000
FormatMessageA	-	0x0050401C	0x0000401C	0x0000341C	0x00000000
FindClose	-	0x00504020	0x00004020	0x00003420	0x00000000
FindNextFileA	-	0x00504024	0x00004024	0x00003424	0x00000000
DeleteFileA	-	0x00504028	0x00004028	0x00003428	0x00000000
CloseHandle	-	0x0050402C	0x0000402C	0x0000342C	0x00000000
GetACP	-	0x00504030	0x00004030	0x00003430	0x00000000
CreateFileA	-	0x00504034	0x00004034	0x00003434	0x00000000

user32.dll (18)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
PostQuitMessage	-	0x0050403C	0x0000403C	0x0000343C	0x00000000
GetMessageA	-	0x00504040	0x00004040	0x00003440	0x00000000
UpdateWindow	-	0x00504044	0x00004044	0x00003444	0x00000000
EndPaint	-	0x00504048	0x00004048	0x00003448	0x00000000
DispatchMessageA	-	0x0050404C	0x0000404C	0x0000344C	0x00000000
BeginPaint	-	0x00504050	0x00004050	0x00003450	0x00000000
TranslateMessage	-	0x00504054	0x00004054	0x00003454	0x00000000
MoveWindow	-	0x00504058	0x00004058	0x00003458	0x00000000
CreateWindowExA	-	0x0050405C	0x0000405C	0x0000345C	0x00000000
RegisterClassExA	-	0x00504060	0x00004060	0x00003460	0x00000000
DefWindowProcA	-	0x00504064	0x00004064	0x00003464	0x00000000
MessageBoxA	-	0x00504068	0x00004068	0x00003468	0x00000000
SendMessageA	-	0x0050406C	0x0000406C	0x0000346C	0x00000000
DestroyWindow	-	0x00504070	0x00004070	0x00003470	0x00000000
LoadCursorA	-	0x00504074	0x00004074	0x00003474	0x00000000
LoadIconA	-	0x00504078	0x00004078	0x00003478	0x00000000
ShowWindow	-	0x0050407C	0x0000407C	0x0000347C	0x00000000
GetWindowRect	-	0x00504080	0x00004080	0x00003480	0x00000000

Memory Dumps (9)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
7fq0pwbjkr1rhpbd.exe	1	0x00500000	0x0050FFFF	First Execution	32-bit	0x00501000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x01FF0000	0x01FF5FFF	First Execution	32-bit	0x01FF0009	... Actions Go to Process Download Dump
buffer	1	0x01F00000	0x01F05FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x01F00000	0x01F05FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x01F00000	0x01F05FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x01F00000	0x01F05FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x01F00000	0x01F05FFF	First Execution	32-bit	0x01F01020	... Actions Go to Process Download Dump
buffer	1	0x021A0048	0x021AFB6D	Image In Buffer	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
7fq0pwbjkr1rhpbd.exe	1	0x00500000	0x0050FFFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (2)

Rule Name	Rule Description	Classification	Score	Actions
CryptoLocker_rule2	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match
CryptoLocker_set1	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match

C:\Users\OQXZRA~1\AppData\Local\Temp\asih.exe

Dropped File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	62.78 KB
MD5	fccbc45b57d6b00c3bca157c0508334c
SHA1	30d0f7d390e13addd109ec897a7d2a554db6e6c3
SHA256	8a2967549dcf2edab04f035633de09c1321db7566ca462868181549cb6e47f6a
SSDeep	768:f6LsoEEeegiZPvEhHSG+gz5NQXtckstOOtEvwDpj/WaD3TUogs/VXpAPWRiZ:f6QFElP6n+g9u9cvMOtEvwDpjnpVXzRg
ImpHash	bd2f03255beebcd07c02192dbb770be8
Static Analysis Parser Error	malformed string file info

PE Information

Image Base	0x00500000
Entry Point	0x00501000
Size Of Code	0x00003000
Size Of Initialized Data	0x00003000
Size Of Uninitialized Data	0x00008000
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2013-10-02 14:59 (UTC+2)

Sections (4)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
UPX0	0x00501000	0x00008000	0x00005200	0x00000400	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.22
UPX1	0x00509000	0x00003000	0x00002C00	0x00005600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.06
.rsrc	0x0050C000	0x00003000	0x00002C00	0x00008200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.07
.imports	0x0050F000	0x00001000	0x00000400	0x0000AE00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.97

Imports (3)

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontIndirectA	-	0x00504000	0x00004000	0x00003400	0x00000000

KERNEL32.DLL (12)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetLastError	-	0x00504008	0x00004008	0x00003408	0x00000000
lstrcpyA	-	0x0050400C	0x0000400C	0x0000340C	0x00000000
GetModuleHandleA	-	0x00504010	0x00004010	0x00003410	0x00000000
GetCommandLineA	-	0x00504014	0x00004014	0x00003414	0x00000000
FindFirstFileA	-	0x00504018	0x00004018	0x00003418	0x00000000
FormatMessageA	-	0x0050401C	0x0000401C	0x0000341C	0x00000000
FindClose	-	0x00504020	0x00004020	0x00003420	0x00000000
FindNextFileA	-	0x00504024	0x00004024	0x00003424	0x00000000
DeleteFileA	-	0x00504028	0x00004028	0x00003428	0x00000000
CloseHandle	-	0x0050402C	0x0000402C	0x0000342C	0x00000000
GetACP	-	0x00504030	0x00004030	0x00003430	0x00000000
CreateFileA	-	0x00504034	0x00004034	0x00003434	0x00000000

user32.dll (18)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
PostQuitMessage	-	0x0050403C	0x0000403C	0x0000343C	0x00000000
GetMessageA	-	0x00504040	0x00004040	0x00003440	0x00000000
UpdateWindow	-	0x00504044	0x00004044	0x00003444	0x00000000
EndPaint	-	0x00504048	0x00004048	0x00003448	0x00000000
DispatchMessageA	-	0x0050404C	0x0000404C	0x0000344C	0x00000000
BeginPaint	-	0x00504050	0x00004050	0x00003450	0x00000000
TranslateMessage	-	0x00504054	0x00004054	0x00003454	0x00000000
MoveWindow	-	0x00504058	0x00004058	0x00003458	0x00000000
CreateWindowExA	-	0x0050405C	0x0000405C	0x0000345C	0x00000000
RegisterClassExA	-	0x00504060	0x00004060	0x00003460	0x00000000
DefWindowProcA	-	0x00504064	0x00004064	0x00003464	0x00000000
MessageBoxA	-	0x00504068	0x00004068	0x00003468	0x00000000
SendMessageA	-	0x0050406C	0x0000406C	0x0000346C	0x00000000
DestroyWindow	-	0x00504070	0x00004070	0x00003470	0x00000000
LoadCursorA	-	0x00504074	0x00004074	0x00003474	0x00000000
LoadIconA	-	0x00504078	0x00004078	0x00003478	0x00000000
ShowWindow	-	0x0050407C	0x0000407C	0x0000347C	0x00000000
GetWindowRect	-	0x00504080	0x00004080	0x00003480	0x00000000

Memory Dumps (14)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
asih.exe	4	0x00500000	0x0050FFFF	First Execution	32-bit	0x00501000	... Actions Go to Process Go to YARA Match Download Dump
buffer	4	0x006E0000	0x006E5FFF	First Execution	32-bit	0x006E0009	... Actions Go to Process Download Dump
buffer	4	0x00710000	0x00715FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00710000	0x00715FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00710000	0x00715FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00710000	0x00715FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00710000	0x00715FFF	First Execution	32-bit	0x00711020	... Actions Go to Process Download Dump
buffer	4	0x0019C000	0x0019FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x006D0000	0x006D5FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x006E0000	0x006E5FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00710000	0x00715FFF	First Network Behavior	32-bit	0x007112B8	... Actions Go to Process Download Dump
buffer	4	0x00720048	0x0072FBCB	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	4	0x022B0000	0x0248FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
asih.exe	4	0x00500000	0x0050FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (2)

Rule Name	Rule Description	Classification	Score	Actions
CryptoLocker_rule2	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match
CryptoLocker_set1	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information