CryptoLocker | 4550696e6e67

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\G5NW8TTWbyYGaxWc.exe

Sample File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	44.39 KB
MD5	5b4ecbb1566d2546e02780b3ea51539e
SHA1	0b53e3ac91230bca2fd6479a87d0b30fd6ba2881
SHA256	4550696e6e67e66e34d2785a7b81dc728dd59d87b86a3dc77d311ba3858280d5
SSDeep	768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjIm8z2iaSIO/WZrEu/d+qmsUHQ1wsr:ZzFbxmLPWQMOtEvwDpj386Sj/WprqQ11
ImpHash	9470ea6ce8a031743fbf1e256278f573
Static Analysis Parser Error	malformed string file info

File Reputation Information

Verdict

Malicious

PE Information

Image Base	0x00500000
Entry Point	0x005037A0
Size Of Code	0x00002A00
Size Of Initialized Data	0x00002D4E
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2013-10-02 14:54 (UTC+2)

Sections (4)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
	0x00501000	0x00005000	0x00002A00	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.79
.rsrc	0x00506000	0x00003000	0x00002C00	0x00002E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.98
.reloc	0x00509000	0x00001000	0x00000000	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.0
petite	0x0050A000	0x0000014E	0x0000014E	0x00005A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.82

Imports (3)

user32.dll (2)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
MessageBoxA	-	0x0050A0F8	0x0000A0F8	0x00005AF8	0x00000000
wsprintfA	-	0x0050A0FC	0x0000A0FC	0x00005AFC	0x00000000

kernel32.dll (7)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
ExitProcess	-	0x0050A104	0x0000A104	0x00005B04	0x00000000
GetModuleHandleA	-	0x0050A108	0x0000A108	0x00005B08	0x00000000
GetProcAddress	-	0x0050A10C	0x0000A10C	0x00005B0C	0x00000000
VirtualProtect	-	0x0050A110	0x0000A110	0x00005B10	0x00000000
VirtualAlloc	-	0x0050A114	0x0000A114	0x00005B14	0x00000000
VirtualFree	-	0x0050A118	0x0000A118	0x00005B18	0x00000000
LoadLibraryA	-	0x0050A11C	0x0000A11C	0x00005B1C	0x00000000

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontIndirectA	-	0x0050A124	0x0000A124	0x00005B24	0x00000000

Memory Dumps (12)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
g5nw8ttwbyygaxwc.exe	1	0x00500000	0x0050AFFF	Relevant Image	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x001E0000	0x001E2FFF	First Execution	32-bit	0x001E0000	... Actions Go to Process Download Dump
g5nw8ttwbyygaxwc.exe	1	0x00500000	0x0050AFFF	Content Changed	32-bit	0x00501000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x001E0000	0x001E2FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x00610000	0x00615FFF	First Execution	32-bit	0x00610009	... Actions Go to Process Download Dump
buffer	1	0x00640000	0x00645FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00640000	0x00645FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00640000	0x00645FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00640000	0x00645FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00640000	0x00645FFF	First Execution	32-bit	0x00641020	... Actions Go to Process Download Dump
buffer	1	0x02080048	0x0208B243	Image In Buffer	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
g5nw8ttwbyygaxwc.exe	1	0x00500000	0x0050AFFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
CryptoLocker_rule2	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match

C:\Users\RDHJ0C~1\AppData\Local\Temp\misid.exe

Dropped File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	44.49 KB
MD5	5d1c137fad1581de3e56137e80dbd32d
SHA1	d2d853b94ec64dc065dfa4d89c7d0b027f538527
SHA256	1ba676f734bc0c00ba88e8641f47faba717cba41f836b314ef68007f2e8fe7b7
SSDeep	768:UEEmoQDj/xnMp+yptndwe/PWQtOOtEvwDpjIm8z2iaSIO/WZrEu/d+qmsUHQ1wsc:ZzFbxmLPWQMOtEvwDpj386Sj/WprqQ1+
ImpHash	9470ea6ce8a031743fbf1e256278f573
Static Analysis Parser Error	malformed string file info

PE Information

Image Base	0x00500000
Entry Point	0x005037A0
Size Of Code	0x00002A00
Size Of Initialized Data	0x00002D4E
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2013-10-02 14:54 (UTC+2)

Sections (4)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
	0x00501000	0x00005000	0x00002A00	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	7.79
.rsrc	0x00506000	0x00003000	0x00002C00	0x00002E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.98
.reloc	0x00509000	0x00001000	0x00000000	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.0
petite	0x0050A000	0x0000014E	0x0000014E	0x00005A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.82

Imports (3)

user32.dll (2)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
MessageBoxA	-	0x0050A0F8	0x0000A0F8	0x00005AF8	0x00000000
wsprintfA	-	0x0050A0FC	0x0000A0FC	0x00005AFC	0x00000000

kernel32.dll (7)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
ExitProcess	-	0x0050A104	0x0000A104	0x00005B04	0x00000000
GetModuleHandleA	-	0x0050A108	0x0000A108	0x00005B08	0x00000000
GetProcAddress	-	0x0050A10C	0x0000A10C	0x00005B0C	0x00000000
VirtualProtect	-	0x0050A110	0x0000A110	0x00005B10	0x00000000
VirtualAlloc	-	0x0050A114	0x0000A114	0x00005B14	0x00000000
VirtualFree	-	0x0050A118	0x0000A118	0x00005B18	0x00000000
LoadLibraryA	-	0x0050A11C	0x0000A11C	0x00005B1C	0x00000000

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontIndirectA	-	0x0050A124	0x0000A124	0x00005B24	0x00000000

Memory Dumps (18)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
misid.exe	2	0x00500000	0x0050AFFF	Relevant Image	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x001E0000	0x001E2FFF	First Execution	32-bit	0x001E0000	... Actions Go to Process Download Dump
misid.exe	2	0x00500000	0x0050AFFF	Content Changed	32-bit	0x00501000	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x001E0000	0x001E2FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x00510000	0x00515FFF	First Execution	32-bit	0x00510009	... Actions Go to Process Download Dump
buffer	2	0x00630000	0x00635FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00630000	0x00635FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00630000	0x00635FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00630000	0x00635FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00630000	0x00635FFF	First Execution	32-bit	0x00631020	... Actions Go to Process Download Dump
buffer	2	0x0019A000	0x0019FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x001F0000	0x001F5FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00510000	0x00515FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00630000	0x00635FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x02000000	0x0212FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
misid.exe	2	0x00500000	0x0050AFFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
counters.dat	2	0x00640000	0x00640FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
misid.exe	2	0x00500000	0x0050AFFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
CryptoLocker_rule2	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match

c:\users\rdhj0cnfevzx\appdata\local\temp\misids.exe

Downloaded File

HTML

Also Known As	misids.exe (Downloaded File, Accessed File)
MIME Type	text/html
File Size	315 Bytes
MD5	a34ac19f4afae63adc5d2f7bc970c07f
SHA1	a82190fc530c265aa40a045c21770d967f4767b8
SHA256	d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3
SSDeep	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoFEHcLgabzjsKtgsg93wzRbKqD:J0+oxBeRmR9etdzRxGezZfCzjsKtgizR
ImpHash	-

File Reputation Information

Verdict

Clean

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat

Modified File

Stream

MIME Type	application/octet-stream
File Size	128 Bytes
MD5	cc90851958032b8c8bbb7b24ec6271dd
SHA1	e027ad2ea4049374a3b01af2e3626b667dc816bc
SHA256	c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
SSDeep	3:Fl:
ImpHash	-

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information