Malicious
Classifications
Ransomware
Threat Names
CryptoLocker Mal/Generic-S Mal/HTMLGen-A
Dynamic Analysis Report
Created on 2024-11-20T22:40:14+00:00
8bd9TGTS2vqqLRIx.exe
Windows Exe (x86-32)
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
Filters: |
There are no files for this filter
There are no files in this analysis
File Name | Category | Type | Verdict | Actions |
---|
C:\Users\RDhJ0CNFevzX\Desktop\8bd9TGTS2vqqLRIx.exe | Sample File | Binary |
Malicious
|
...
|
»
File Reputation Information
»
Verdict |
Malicious
|
Names | Mal/Generic-S |
PE Information
»
Image Base | 0x00500000 |
Entry Point | 0x00501000 |
Size Of Code | 0x00002E00 |
Size Of Initialized Data | 0x00003E00 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2013-10-02 12:54 (UTC) |
Sections (5)
»
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00501000 | 0x00002CCF | 0x00002E00 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.04 |
.rdata | 0x00504000 | 0x000004C6 | 0x00000600 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.25 |
.data | 0x00505000 | 0x0000061B | 0x00000400 | 0x00003800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.76 |
.rsrc | 0x00506000 | 0x00002AC8 | 0x00002C00 | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.98 |
.reloc | 0x00509000 | 0x0000021E | 0x00000400 | 0x00006800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.44 |
Imports (3)
»
user32.dll (18)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ShowWindow | - | 0x00504040 | 0x00004260 | 0x00003460 | 0x00000248 |
PostQuitMessage | - | 0x00504044 | 0x00004264 | 0x00003464 | 0x000001D5 |
GetMessageA | - | 0x00504048 | 0x00004268 | 0x00003468 | 0x00000122 |
EndPaint | - | 0x0050404C | 0x0000426C | 0x0000346C | 0x000000B6 |
DispatchMessageA | - | 0x00504050 | 0x00004270 | 0x00003470 | 0x00000093 |
BeginPaint | - | 0x00504054 | 0x00004274 | 0x00003474 | 0x0000000B |
TranslateMessage | - | 0x00504058 | 0x00004278 | 0x00003478 | 0x0000025E |
MoveWindow | - | 0x0050405C | 0x0000427C | 0x0000347C | 0x000001BE |
CreateWindowExA | - | 0x00504060 | 0x00004280 | 0x00003480 | 0x00000056 |
RegisterClassExA | - | 0x00504064 | 0x00004284 | 0x00003484 | 0x000001E1 |
DefWindowProcA | - | 0x00504068 | 0x00004288 | 0x00003488 | 0x00000083 |
MessageBoxA | - | 0x0050406C | 0x0000428C | 0x0000348C | 0x000001B1 |
SendMessageA | - | 0x00504070 | 0x00004290 | 0x00003490 | 0x000001FD |
DestroyWindow | - | 0x00504074 | 0x00004294 | 0x00003494 | 0x0000008D |
LoadCursorA | - | 0x00504078 | 0x00004298 | 0x00003498 | 0x00000194 |
LoadIconA | - | 0x0050407C | 0x0000429C | 0x0000349C | 0x00000198 |
UpdateWindow | - | 0x00504080 | 0x000042A0 | 0x000034A0 | 0x0000026A |
GetWindowRect | - | 0x00504084 | 0x000042A4 | 0x000034A4 | 0x00000157 |
kernel32.dll (13)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetLastError | - | 0x00504008 | 0x00004228 | 0x00003428 | 0x00000128 |
lstrcpyA | - | 0x0050400C | 0x0000422C | 0x0000342C | 0x00000315 |
GetModuleHandleA | - | 0x00504010 | 0x00004230 | 0x00003430 | 0x00000134 |
GetCommandLineA | - | 0x00504014 | 0x00004234 | 0x00003434 | 0x000000E6 |
FindFirstFileA | - | 0x00504018 | 0x00004238 | 0x00003438 | 0x000000B1 |
FormatMessageA | - | 0x0050401C | 0x0000423C | 0x0000343C | 0x000000CC |
FindClose | - | 0x00504020 | 0x00004240 | 0x00003440 | 0x000000AD |
FindNextFileA | - | 0x00504024 | 0x00004244 | 0x00003444 | 0x000000BA |
DeleteFileA | - | 0x00504028 | 0x00004248 | 0x00003448 | 0x00000069 |
CloseHandle | - | 0x0050402C | 0x0000424C | 0x0000344C | 0x00000023 |
GetCPInfo | - | 0x00504030 | 0x00004250 | 0x00003450 | 0x000000DB |
GetACP | - | 0x00504034 | 0x00004254 | 0x00003454 | 0x000000D6 |
CreateFileA | - | 0x00504038 | 0x00004258 | 0x00003458 | 0x0000003D |
gdi32.dll (1)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateFontIndirectA | - | 0x00504000 | 0x00004220 | 0x00003420 | 0x0000002F |
Memory Dumps (8)
»
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
---|---|---|---|---|---|---|---|---|---|
8bd9tgts2vqqlrix.exe | 1 | 0x00500000 | 0x00509FFF | Relevant Image | 32-bit | 0x00502DEA |
...
|
||
buffer | 1 | 0x001F0000 | 0x001F5FFF | First Execution | 32-bit | 0x001F0009 |
...
|
||
buffer | 1 | 0x00420000 | 0x00425FFF | Marked Executable | 32-bit | - |
...
|
||
buffer | 1 | 0x00420000 | 0x00425FFF | Marked Executable | 32-bit | - |
...
|
||
buffer | 1 | 0x00420000 | 0x00425FFF | Marked Executable | 32-bit | - |
...
|
||
buffer | 1 | 0x00420000 | 0x00425FFF | Marked Executable | 32-bit | - |
...
|
||
buffer | 1 | 0x00420000 | 0x00425FFF | First Execution | 32-bit | 0x00421020 |
...
|
||
8bd9tgts2vqqlrix.exe | 1 | 0x00500000 | 0x00509FFF | Process Termination | 32-bit | - |
...
|
YARA Matches (2)
»
Rule Name | Rule Description | Classification | Score | Actions |
---|---|---|---|---|
CryptoLocker_rule2 | CryptoLocker ransomware | Ransomware |
5/5
|
...
|
CryptoLocker_set1 | CryptoLocker ransomware | Ransomware |
5/5
|
...
|
C:\Users\RDHJ0C~1\AppData\Local\Temp\misid.exe | Dropped File | Binary |
Malicious
|
...
|
»
PE Information
»
Image Base | 0x00500000 |
Entry Point | 0x00501000 |
Size Of Code | 0x00002E00 |
Size Of Initialized Data | 0x00003E00 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2013-10-02 12:54 (UTC) |
Sections (5)
»
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00501000 | 0x00002CCF | 0x00002E00 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.04 |
.rdata | 0x00504000 | 0x000004C6 | 0x00000600 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.25 |
.data | 0x00505000 | 0x0000061B | 0x00000400 | 0x00003800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.76 |
.rsrc | 0x00506000 | 0x00002AC8 | 0x00002C00 | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.98 |
.reloc | 0x00509000 | 0x0000021E | 0x00000400 | 0x00006800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.44 |
Imports (3)
»
user32.dll (18)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
ShowWindow | - | 0x00504040 | 0x00004260 | 0x00003460 | 0x00000248 |
PostQuitMessage | - | 0x00504044 | 0x00004264 | 0x00003464 | 0x000001D5 |
GetMessageA | - | 0x00504048 | 0x00004268 | 0x00003468 | 0x00000122 |
EndPaint | - | 0x0050404C | 0x0000426C | 0x0000346C | 0x000000B6 |
DispatchMessageA | - | 0x00504050 | 0x00004270 | 0x00003470 | 0x00000093 |
BeginPaint | - | 0x00504054 | 0x00004274 | 0x00003474 | 0x0000000B |
TranslateMessage | - | 0x00504058 | 0x00004278 | 0x00003478 | 0x0000025E |
MoveWindow | - | 0x0050405C | 0x0000427C | 0x0000347C | 0x000001BE |
CreateWindowExA | - | 0x00504060 | 0x00004280 | 0x00003480 | 0x00000056 |
RegisterClassExA | - | 0x00504064 | 0x00004284 | 0x00003484 | 0x000001E1 |
DefWindowProcA | - | 0x00504068 | 0x00004288 | 0x00003488 | 0x00000083 |
MessageBoxA | - | 0x0050406C | 0x0000428C | 0x0000348C | 0x000001B1 |
SendMessageA | - | 0x00504070 | 0x00004290 | 0x00003490 | 0x000001FD |
DestroyWindow | - | 0x00504074 | 0x00004294 | 0x00003494 | 0x0000008D |
LoadCursorA | - | 0x00504078 | 0x00004298 | 0x00003498 | 0x00000194 |
LoadIconA | - | 0x0050407C | 0x0000429C | 0x0000349C | 0x00000198 |
UpdateWindow | - | 0x00504080 | 0x000042A0 | 0x000034A0 | 0x0000026A |
GetWindowRect | - | 0x00504084 | 0x000042A4 | 0x000034A4 | 0x00000157 |
kernel32.dll (13)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetLastError | - | 0x00504008 | 0x00004228 | 0x00003428 | 0x00000128 |
lstrcpyA | - | 0x0050400C | 0x0000422C | 0x0000342C | 0x00000315 |
GetModuleHandleA | - | 0x00504010 | 0x00004230 | 0x00003430 | 0x00000134 |
GetCommandLineA | - | 0x00504014 | 0x00004234 | 0x00003434 | 0x000000E6 |
FindFirstFileA | - | 0x00504018 | 0x00004238 | 0x00003438 | 0x000000B1 |
FormatMessageA | - | 0x0050401C | 0x0000423C | 0x0000343C | 0x000000CC |
FindClose | - | 0x00504020 | 0x00004240 | 0x00003440 | 0x000000AD |
FindNextFileA | - | 0x00504024 | 0x00004244 | 0x00003444 | 0x000000BA |
DeleteFileA | - | 0x00504028 | 0x00004248 | 0x00003448 | 0x00000069 |
CloseHandle | - | 0x0050402C | 0x0000424C | 0x0000344C | 0x00000023 |
GetCPInfo | - | 0x00504030 | 0x00004250 | 0x00003450 | 0x000000DB |
GetACP | - | 0x00504034 | 0x00004254 | 0x00003454 | 0x000000D6 |
CreateFileA | - | 0x00504038 | 0x00004258 | 0x00003458 | 0x0000003D |
gdi32.dll (1)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateFontIndirectA | - | 0x00504000 | 0x00004220 | 0x00003420 | 0x0000002F |
Memory Dumps (13)
»
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
---|---|---|---|---|---|---|---|---|---|
misid.exe | 2 | 0x00500000 | 0x00509FFF | Relevant Image | 32-bit | 0x00502DEA |
...
|
||
buffer | 2 | 0x004C0000 | 0x004C5FFF | First Execution | 32-bit | 0x004C0009 |
...
|
||
buffer | 2 | 0x004F0000 | 0x004F5FFF | Marked Executable | 32-bit | - |
...
|
||
buffer | 2 | 0x004F0000 | 0x004F5FFF | Marked Executable | 32-bit | - |
...
|
||
buffer | 2 | 0x004F0000 | 0x004F5FFF | Marked Executable | 32-bit | - |
...
|
||
buffer | 2 | 0x004F0000 | 0x004F5FFF | Marked Executable | 32-bit | - |
...
|
||
buffer | 2 | 0x004F0000 | 0x004F5FFF | First Execution | 32-bit | 0x004F1020 |
...
|
||
buffer | 2 | 0x0019A000 | 0x0019FFFF | First Network Behavior | 32-bit | - |
...
|
||
buffer | 2 | 0x001F0000 | 0x001F5FFF | First Network Behavior | 32-bit | - |
...
|
||
buffer | 2 | 0x004C0000 | 0x004C5FFF | First Network Behavior | 32-bit | - |
...
|
||
buffer | 2 | 0x004F0000 | 0x004F5FFF | First Network Behavior | 32-bit | - |
...
|
||
misid.exe | 2 | 0x00500000 | 0x00509FFF | First Network Behavior | 32-bit | - |
...
|
||
counters.dat | 2 | 0x00550000 | 0x00550FFF | First Network Behavior | 32-bit | - |
...
|
YARA Matches (2)
»
Rule Name | Rule Description | Classification | Score | Actions |
---|---|---|---|---|
CryptoLocker_rule2 | CryptoLocker ransomware | Ransomware |
5/5
|
...
|
CryptoLocker_set1 | CryptoLocker ransomware | Ransomware |
5/5
|
...
|
c:\users\rdhj0cnfevzx\appdata\local\temp\misids.exe | Downloaded File | HTML |
Clean
Known to be clean.
|
...
|
»
File Reputation Information
»
Verdict |
Clean
Known to be clean.
|
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | Stream |
Clean
|
...
|
»