CryptoLocker | 9d840b1bff6d

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\dRICF1h0yTbqWsw9.exe

Sample File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	392.03 KB
MD5	ac7f66ffd9ef8eeda0ab13340f8dbcac
SHA1	bffea163bc56eee3c36c4016072470965bfdde7e
SHA256	9d840b1bff6d74a4b366b2e46f42bbd71b5f64277e0f5463b763d8bcacbba7fb
SSDeep	6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzXRq:nnOflT/ZFIjBz3xjTxynGUOUhXRq
ImpHash	021d5e7849e90fdf4c65d3045c109483
Static Analysis Parser Error	malformed string file info

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

PE Information

Image Base	0x08000000
Entry Point	0x08001000
Size Of Code	0x00003000
Size Of Initialized Data	0x00003200
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2012-02-16 03:43 (UTC+1)

Sections (5)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x08001000	0x00002C77	0x00002E00	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.25
.data	0x08004000	0x00000B9E	0x00000C00	0x00003200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.84
.rsrc	0x08005000	0x00002108	0x00002200	0x00003E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.16
.reloc	0x08008000	0x00000218	0x00000400	0x00006000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	3.52
.ropf	0x08009000	0x00000065	0x00000200	0x00006400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	1.61

Imports (3)

user32.dll (18)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
UpdateWindow	-	0x08004048	0x000048F8	0x00003AF8	0x0000026A
LoadCursorA	-	0x0800404C	0x000048FC	0x00003AFC	0x00000194
ShowWindow	-	0x08004050	0x00004900	0x00003B00	0x00000248
PostQuitMessage	-	0x08004054	0x00004904	0x00003B04	0x000001D5
GetMessageA	-	0x08004058	0x00004908	0x00003B08	0x00000122
EndPaint	-	0x0800405C	0x0000490C	0x00003B0C	0x000000B6
DispatchMessageA	-	0x08004060	0x00004910	0x00003B10	0x00000093
BeginPaint	-	0x08004064	0x00004914	0x00003B14	0x0000000B
TranslateMessage	-	0x08004068	0x00004918	0x00003B18	0x0000025E
CreateWindowExA	-	0x0800406C	0x0000491C	0x00003B1C	0x00000056
RegisterClassExA	-	0x08004070	0x00004920	0x00003B20	0x000001E1
DefWindowProcA	-	0x08004074	0x00004924	0x00003B24	0x00000083
MessageBoxA	-	0x08004078	0x00004928	0x00003B28	0x000001B1
SendMessageA	-	0x0800407C	0x0000492C	0x00003B2C	0x000001FD
DestroyWindow	-	0x08004080	0x00004930	0x00003B30	0x0000008D
LoadIconA	-	0x08004084	0x00004934	0x00003B34	0x00000198
GetWindowRect	-	0x08004088	0x00004938	0x00003B38	0x00000157
SetWindowPos	-	0x0800408C	0x0000493C	0x00003B3C	0x0000023B

kernel32.dll (15)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetCurrentThreadId	-	0x08004008	0x000048B8	0x00003AB8	0x00000103
CreateFileA	-	0x0800400C	0x000048BC	0x00003ABC	0x0000003D
GetLastError	-	0x08004010	0x000048C0	0x00003AC0	0x00000128
lstrcpyA	-	0x08004014	0x000048C4	0x00003AC4	0x00000315
GetModuleHandleA	-	0x08004018	0x000048C8	0x00003AC8	0x00000134
GetCommandLineA	-	0x0800401C	0x000048CC	0x00003ACC	0x000000E6
FindFirstFileA	-	0x08004020	0x000048D0	0x00003AD0	0x000000B1
GetCurrentDirectoryA	-	0x08004024	0x000048D4	0x00003AD4	0x000000FE
FindClose	-	0x08004028	0x000048D8	0x00003AD8	0x000000AD
GetFileSize	-	0x0800402C	0x000048DC	0x00003ADC	0x0000011C
FindNextFileA	-	0x08004030	0x000048E0	0x00003AE0	0x000000BA
DeleteFileA	-	0x08004034	0x000048E4	0x00003AE4	0x00000069
CloseHandle	-	0x08004038	0x000048E8	0x00003AE8	0x00000023
GetCurrentProcessId	-	0x0800403C	0x000048EC	0x00003AEC	0x00000101
GetCurrentProcess	-	0x08004040	0x000048F0	0x00003AF0	0x00000100

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontIndirectA	-	0x08004000	0x000048B0	0x00003AB0	0x0000002F

Memory Dumps (9)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
dricf1h0ytbqwsw9.exe	1	0x08000000	0x08009FFF	Relevant Image	32-bit	0x08009000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x00540000	0x00545FFF	First Execution	32-bit	0x00540009	... Actions Go to Process Download Dump
buffer	1	0x00570000	0x00575FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00570000	0x00575FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00570000	0x00575FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00570000	0x00575FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00570000	0x00575FFF	First Execution	32-bit	0x00571020	... Actions Go to Process Download Dump
buffer	1	0x02400048	0x024620D7	Image In Buffer	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
dricf1h0ytbqwsw9.exe	1	0x08000000	0x08009FFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
CryptoLocker_rule2	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match

C:\Users\RDHJ0C~1\AppData\Local\Temp\hasfj.exe

Dropped File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	392.14 KB
MD5	644db18868ec40775be6f8e627698cc7
SHA1	bfb2660b7ddd8faf66930035dd0b75f6d2ba97dc
SHA256	7b9a36c37bc43258158be3289a16a8ca1453b1d431d888a806c6a46cd8ccb954
SSDeep	6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzXRI:nnOflT/ZFIjBz3xjTxynGUOUhXRI
ImpHash	021d5e7849e90fdf4c65d3045c109483
Static Analysis Parser Error	malformed string file info

PE Information

Image Base	0x08000000
Entry Point	0x08001000
Size Of Code	0x00003000
Size Of Initialized Data	0x00003200
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2012-02-16 03:43 (UTC+1)

Sections (5)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x08001000	0x00002C77	0x00002E00	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.25
.data	0x08004000	0x00000B9E	0x00000C00	0x00003200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.84
.rsrc	0x08005000	0x00002108	0x00002200	0x00003E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.16
.reloc	0x08008000	0x00000218	0x00000400	0x00006000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	3.52
.ropf	0x08009000	0x00000065	0x00000200	0x00006400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	1.61

Imports (3)

user32.dll (18)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
UpdateWindow	-	0x08004048	0x000048F8	0x00003AF8	0x0000026A
LoadCursorA	-	0x0800404C	0x000048FC	0x00003AFC	0x00000194
ShowWindow	-	0x08004050	0x00004900	0x00003B00	0x00000248
PostQuitMessage	-	0x08004054	0x00004904	0x00003B04	0x000001D5
GetMessageA	-	0x08004058	0x00004908	0x00003B08	0x00000122
EndPaint	-	0x0800405C	0x0000490C	0x00003B0C	0x000000B6
DispatchMessageA	-	0x08004060	0x00004910	0x00003B10	0x00000093
BeginPaint	-	0x08004064	0x00004914	0x00003B14	0x0000000B
TranslateMessage	-	0x08004068	0x00004918	0x00003B18	0x0000025E
CreateWindowExA	-	0x0800406C	0x0000491C	0x00003B1C	0x00000056
RegisterClassExA	-	0x08004070	0x00004920	0x00003B20	0x000001E1
DefWindowProcA	-	0x08004074	0x00004924	0x00003B24	0x00000083
MessageBoxA	-	0x08004078	0x00004928	0x00003B28	0x000001B1
SendMessageA	-	0x0800407C	0x0000492C	0x00003B2C	0x000001FD
DestroyWindow	-	0x08004080	0x00004930	0x00003B30	0x0000008D
LoadIconA	-	0x08004084	0x00004934	0x00003B34	0x00000198
GetWindowRect	-	0x08004088	0x00004938	0x00003B38	0x00000157
SetWindowPos	-	0x0800408C	0x0000493C	0x00003B3C	0x0000023B

kernel32.dll (15)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetCurrentThreadId	-	0x08004008	0x000048B8	0x00003AB8	0x00000103
CreateFileA	-	0x0800400C	0x000048BC	0x00003ABC	0x0000003D
GetLastError	-	0x08004010	0x000048C0	0x00003AC0	0x00000128
lstrcpyA	-	0x08004014	0x000048C4	0x00003AC4	0x00000315
GetModuleHandleA	-	0x08004018	0x000048C8	0x00003AC8	0x00000134
GetCommandLineA	-	0x0800401C	0x000048CC	0x00003ACC	0x000000E6
FindFirstFileA	-	0x08004020	0x000048D0	0x00003AD0	0x000000B1
GetCurrentDirectoryA	-	0x08004024	0x000048D4	0x00003AD4	0x000000FE
FindClose	-	0x08004028	0x000048D8	0x00003AD8	0x000000AD
GetFileSize	-	0x0800402C	0x000048DC	0x00003ADC	0x0000011C
FindNextFileA	-	0x08004030	0x000048E0	0x00003AE0	0x000000BA
DeleteFileA	-	0x08004034	0x000048E4	0x00003AE4	0x00000069
CloseHandle	-	0x08004038	0x000048E8	0x00003AE8	0x00000023
GetCurrentProcessId	-	0x0800403C	0x000048EC	0x00003AEC	0x00000101
GetCurrentProcess	-	0x08004040	0x000048F0	0x00003AF0	0x00000100

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontIndirectA	-	0x08004000	0x000048B0	0x00003AB0	0x0000002F

Memory Dumps (16)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
hasfj.exe	2	0x08000000	0x08009FFF	Relevant Image	32-bit	0x08009000	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x02300000	0x02305FFF	First Execution	32-bit	0x02300009	... Actions Go to Process Download Dump
buffer	2	0x02330000	0x02335FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x02330000	0x02335FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x02330000	0x02335FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x02330000	0x02335FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x02330000	0x02335FFF	First Execution	32-bit	0x02331020	... Actions Go to Process Download Dump
buffer	2	0x0019A000	0x0019FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x00530000	0x00535FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x02300000	0x02305FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x02330000	0x02335FFF	First Network Behavior	32-bit	0x023312B8	... Actions Go to Process Download Dump
buffer	2	0x02340000	0x0235FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x02360048	0x023C2137	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
hasfj.exe	2	0x08000000	0x08009FFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
counters.dat	2	0x02320000	0x02320FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
hasfj.exe	2	0x08000000	0x08009FFF	Final Dump	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
CryptoLocker_rule2	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat

Modified File

Stream

MIME Type	application/octet-stream
File Size	128 Bytes
MD5	cc90851958032b8c8bbb7b24ec6271dd
SHA1	e027ad2ea4049374a3b01af2e3626b667dc816bc
SHA256	c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
SSDeep	3:Fl:
ImpHash	-

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information