Verdict: Malicious

Classifications: Ransomware

Threat Names: CryptoLocker
File Name | Category | Type | Verdict
C:\Users\RDhJ0CNFevzX\Desktop\lossy.exe | Sample File | Binary | Malicious
MIME Type: application/vnd.microsoft.portable-executable
File Size: 39.79 KB
MD5: 01a8fe565e183f37e64f753d9a0d93bc
SHA1: a7308710a3e4418bf14400680092a80ac513c8d3
SHA256: 4af3488da70ab7f2f3a5c13f56e575573a6dd3b6a0fc7cd48d8bf41e43298cac
SSDeep: 768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6Dy8Pc:bIDOw9a0Dwo3P1ojvUSDhU
ImpHash: 0bcae7989ef60f5550a7f5735f53a2aa
Static Analysis Parser Error: malformed string file info
File Reputation Information
Verdict: Malicious
PE Information
Image Base: 0x08000000
Entry Point: 0x08001000
Size Of Code: 0x00002E00
Size Of Initialized Data: 0x00003000
File Type: IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type: IMAGE_FILE_MACHINE_I386
Compile Timestamp: 2012-02-16 03:43 (UTC+1)
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy
.text 0x08001000 0x00002C4B 0x00002E00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.23
.data 0x08004000 0x00000AF2 0x00000C00 0x00003200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.55
.rsrc 0x08005000 0x00002108 0x00002200 0x00003E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.16
.reloc 0x08008000 0x000001FA 0x00000200 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.49
Imports (3)
user32.dll (18)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
EndPaint - 0x08004034 0x000048B4 0x00003AB4 0x000000B6
GetMessageA - 0x08004038 0x000048B8 0x00003AB8 0x00000122
DispatchMessageA - 0x0800403C 0x000048BC 0x00003ABC 0x00000093
ShowWindow - 0x08004040 0x000048C0 0x00003AC0 0x00000248
UpdateWindow - 0x08004044 0x000048C4 0x00003AC4 0x0000026A
BeginPaint - 0x08004048 0x000048C8 0x00003AC8 0x0000000B
TranslateMessage - 0x0800404C 0x000048CC 0x00003ACC 0x0000025E
MoveWindow - 0x08004050 0x000048D0 0x00003AD0 0x000001BE
CreateWindowExA - 0x08004054 0x000048D4 0x00003AD4 0x00000056
RegisterClassExA - 0x08004058 0x000048D8 0x00003AD8 0x000001E1
DefWindowProcA - 0x0800405C 0x000048DC 0x00003ADC 0x00000083
MessageBoxA - 0x08004060 0x000048E0 0x00003AE0 0x000001B1
SendMessageA - 0x08004064 0x000048E4 0x00003AE4 0x000001FD
DestroyWindow - 0x08004068 0x000048E8 0x00003AE8 0x0000008D
LoadCursorA - 0x0800406C 0x000048EC 0x00003AEC 0x00000194
LoadIconA - 0x08004070 0x000048F0 0x00003AF0 0x00000198
PostQuitMessage - 0x08004074 0x000048F4 0x00003AF4 0x000001D5
GetWindowRect - 0x08004078 0x000048F8 0x00003AF8 0x00000157
kernel32.dll (10)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
GetLastError - 0x08004008 0x00004888 0x00003A88 0x00000128
lstrcpyA - 0x0800400C 0x0000488C 0x00003A8C 0x00000315
GetModuleHandleA - 0x08004010 0x00004890 0x00003A90 0x00000134
GetCommandLineA - 0x08004014 0x00004894 0x00003A94 0x000000E6
FindFirstFileA - 0x08004018 0x00004898 0x00003A98 0x000000B1
FindClose - 0x0800401C 0x0000489C 0x00003A9C 0x000000AD
FindNextFileA - 0x08004020 0x000048A0 0x00003AA0 0x000000BA
DeleteFileA - 0x08004024 0x000048A4 0x00003AA4 0x00000069
CloseHandle - 0x08004028 0x000048A8 0x00003AA8 0x00000023
CreateFileA - 0x0800402C 0x000048AC 0x00003AAC 0x0000003D
gdi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
CreateFontIndirectA - 0x08004000 0x00004880 0x00003A80 0x0000002F
Memory Dumps (8)
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA
lossy.exe 1 0x08000000 0x08008FFF Relevant Image False 32-bit 0x08002CE4 False
buffer 1 0x00440000 0x00445FFF First Execution False 32-bit 0x00440009 False
buffer 1 0x00460000 0x00465FFF Marked Executable False 32-bit - False
buffer 1 0x00460000 0x00465FFF Marked Executable False 32-bit - False
buffer 1 0x00460000 0x00465FFF Marked Executable False 32-bit - False
buffer 1 0x00460000 0x00465FFF Marked Executable False 32-bit - False
buffer 1 0x00460000 0x00465FFF First Execution False 32-bit 0x00461020 False
lossy.exe 1 0x08000000 0x08008FFF Process Termination False 32-bit - False
YARA Matches (1)
Rule Name | Rule Description | Classification | Score
CryptoLocker_rule2 | CryptoLocker ransomware | Ransomware | 5/5
C:\Users\RDHJ0C~1\AppData\Local\Temp\lossy.exe | Dropped File | Binary | Malicious
MIME Type: application/vnd.microsoft.portable-executable
File Size: 39.87 KB
MD5: d5398ca115b0d703e49b6b6fb6059db6
SHA1: ad68f24113d6115f83a1ebbccbe6346c978ab98d
SHA256: 9e2f075d09137dd116f942e930ecd3fae2e6e355589c90682cd62f8bf00467e5
SSDeep: 768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6Dy8P1:bIDOw9a0Dwo3P1ojvUSDh9
ImpHash: 0bcae7989ef60f5550a7f5735f53a2aa
Static Analysis Parser Error: malformed string file info
PE Information
Image Base: 0x08000000
Entry Point: 0x08001000
Size Of Code: 0x00002E00
Size Of Initialized Data: 0x00003000
File Type: IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type: IMAGE_FILE_MACHINE_I386
Compile Timestamp: 2012-02-16 03:43 (UTC+1)
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy
.text 0x08001000 0x00002C4B 0x00002E00 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.23
.data 0x08004000 0x00000AF2 0x00000C00 0x00003200 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 3.55
.rsrc 0x08005000 0x00002108 0x00002200 0x00003E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.16
.reloc 0x08008000 0x000001FA 0x00000200 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 5.49
Imports (3)
user32.dll (18)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
EndPaint - 0x08004034 0x000048B4 0x00003AB4 0x000000B6
GetMessageA - 0x08004038 0x000048B8 0x00003AB8 0x00000122
DispatchMessageA - 0x0800403C 0x000048BC 0x00003ABC 0x00000093
ShowWindow - 0x08004040 0x000048C0 0x00003AC0 0x00000248
UpdateWindow - 0x08004044 0x000048C4 0x00003AC4 0x0000026A
BeginPaint - 0x08004048 0x000048C8 0x00003AC8 0x0000000B
TranslateMessage - 0x0800404C 0x000048CC 0x00003ACC 0x0000025E
MoveWindow - 0x08004050 0x000048D0 0x00003AD0 0x000001BE
CreateWindowExA - 0x08004054 0x000048D4 0x00003AD4 0x00000056
RegisterClassExA - 0x08004058 0x000048D8 0x00003AD8 0x000001E1
DefWindowProcA - 0x0800405C 0x000048DC 0x00003ADC 0x00000083
MessageBoxA - 0x08004060 0x000048E0 0x00003AE0 0x000001B1
SendMessageA - 0x08004064 0x000048E4 0x00003AE4 0x000001FD
DestroyWindow - 0x08004068 0x000048E8 0x00003AE8 0x0000008D
LoadCursorA - 0x0800406C 0x000048EC 0x00003AEC 0x00000194
LoadIconA - 0x08004070 0x000048F0 0x00003AF0 0x00000198
PostQuitMessage - 0x08004074 0x000048F4 0x00003AF4 0x000001D5
GetWindowRect - 0x08004078 0x000048F8 0x00003AF8 0x00000157
kernel32.dll (10)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
GetLastError - 0x08004008 0x00004888 0x00003A88 0x00000128
lstrcpyA - 0x0800400C 0x0000488C 0x00003A8C 0x00000315
GetModuleHandleA - 0x08004010 0x00004890 0x00003A90 0x00000134
GetCommandLineA - 0x08004014 0x00004894 0x00003A94 0x000000E6
FindFirstFileA - 0x08004018 0x00004898 0x00003A98 0x000000B1
FindClose - 0x0800401C 0x0000489C 0x00003A9C 0x000000AD
FindNextFileA - 0x08004020 0x000048A0 0x00003AA0 0x000000BA
DeleteFileA - 0x08004024 0x000048A4 0x00003AA4 0x00000069
CloseHandle - 0x08004028 0x000048A8 0x00003AA8 0x00000023
CreateFileA - 0x0800402C 0x000048AC 0x00003AAC 0x0000003D
gdi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint
CreateFontIndirectA - 0x08004000 0x00004880 0x00003A80 0x0000002F
Memory Dumps (15)
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA
lossy.exe 2 0x08000000 0x08008FFF Relevant Image False 32-bit 0x08002CE4 False
buffer 2 0x00440000 0x00445FFF First Execution False 32-bit 0x00440009 False
buffer 2 0x00460000 0x00465FFF Marked Executable False 32-bit - False
buffer 2 0x00460000 0x00465FFF Marked Executable False 32-bit - False
buffer 2 0x00460000 0x00465FFF Marked Executable False 32-bit - False
buffer 2 0x00460000 0x00465FFF Marked Executable False 32-bit - False
buffer 2 0x00460000 0x00465FFF First Execution False 32-bit 0x00461020 False
buffer 2 0x0019A000 0x0019FFFF First Network Behavior False 32-bit - False
buffer 2 0x001F0000 0x001F5FFF First Network Behavior False 32-bit - False
buffer 2 0x00440000 0x00445FFF First Network Behavior False 32-bit - False
buffer 2 0x00460000 0x00465FFF First Network Behavior False 32-bit - False
buffer 2 0x01F90000 0x0202FFFF First Network Behavior False 32-bit - False
lossy.exe 2 0x08000000 0x08008FFF First Network Behavior False 32-bit - False
counters.dat 2 0x00470000 0x00470FFF First Network Behavior False 32-bit - False
lossy.exe 2 0x08000000 0x08008FFF Final Dump False 32-bit - False
YARA Matches (1)
Rule Name | Rule Description | Classification | Score
CryptoLocker_rule2 | CryptoLocker ransomware | Ransomware | 5/5
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | Empty | Clean
MIME Type: application/x-empty
File Size: 0 Bytes (not extracted)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
ImpHash: -
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.