Verdict | Malicious |
Classifications | Ransomware |
Threat Names | CryptoLocker |
Dynamic Analysis Report
Created on 2024-03-29T05:49:34+00:00
lossy.exe
Windows Exe (x86-32)
This is a filtered view: the list contains only the embedded files, downloaded files, and dropped files.
File Name | C:\Users\RDhJ0CNFevzX\Desktop\lossy.exe |
Category | Sample File |
Type | Binary |
Verdict | Malicious |
File Reputation Information
Verdict | Malicious |
PE Information
Image Base | 0x08000000 |
Entry Point | 0x08001000 |
Size Of Code | 0x00002E00 |
Size Of Initialized Data | 0x00003000 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2012-02-16 03:43 (UTC+1) |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x08001000 | 0x00002C4B | 0x00002E00 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.23 |
.data | 0x08004000 | 0x00000AF2 | 0x00000C00 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.55 |
.rsrc | 0x08005000 | 0x00002108 | 0x00002200 | 0x00003E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.16 |
.reloc | 0x08008000 | 0x000001FA | 0x00000200 | 0x00006000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.49 |
Imports (3)
user32.dll (18)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
EndPaint | - | 0x08004034 | 0x000048B4 | 0x00003AB4 | 0x000000B6 |
GetMessageA | - | 0x08004038 | 0x000048B8 | 0x00003AB8 | 0x00000122 |
DispatchMessageA | - | 0x0800403C | 0x000048BC | 0x00003ABC | 0x00000093 |
ShowWindow | - | 0x08004040 | 0x000048C0 | 0x00003AC0 | 0x00000248 |
UpdateWindow | - | 0x08004044 | 0x000048C4 | 0x00003AC4 | 0x0000026A |
BeginPaint | - | 0x08004048 | 0x000048C8 | 0x00003AC8 | 0x0000000B |
TranslateMessage | - | 0x0800404C | 0x000048CC | 0x00003ACC | 0x0000025E |
MoveWindow | - | 0x08004050 | 0x000048D0 | 0x00003AD0 | 0x000001BE |
CreateWindowExA | - | 0x08004054 | 0x000048D4 | 0x00003AD4 | 0x00000056 |
RegisterClassExA | - | 0x08004058 | 0x000048D8 | 0x00003AD8 | 0x000001E1 |
DefWindowProcA | - | 0x0800405C | 0x000048DC | 0x00003ADC | 0x00000083 |
MessageBoxA | - | 0x08004060 | 0x000048E0 | 0x00003AE0 | 0x000001B1 |
SendMessageA | - | 0x08004064 | 0x000048E4 | 0x00003AE4 | 0x000001FD |
DestroyWindow | - | 0x08004068 | 0x000048E8 | 0x00003AE8 | 0x0000008D |
LoadCursorA | - | 0x0800406C | 0x000048EC | 0x00003AEC | 0x00000194 |
LoadIconA | - | 0x08004070 | 0x000048F0 | 0x00003AF0 | 0x00000198 |
PostQuitMessage | - | 0x08004074 | 0x000048F4 | 0x00003AF4 | 0x000001D5 |
GetWindowRect | - | 0x08004078 | 0x000048F8 | 0x00003AF8 | 0x00000157 |
kernel32.dll (10)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetLastError | - | 0x08004008 | 0x00004888 | 0x00003A88 | 0x00000128 |
lstrcpyA | - | 0x0800400C | 0x0000488C | 0x00003A8C | 0x00000315 |
GetModuleHandleA | - | 0x08004010 | 0x00004890 | 0x00003A90 | 0x00000134 |
GetCommandLineA | - | 0x08004014 | 0x00004894 | 0x00003A94 | 0x000000E6 |
FindFirstFileA | - | 0x08004018 | 0x00004898 | 0x00003A98 | 0x000000B1 |
FindClose | - | 0x0800401C | 0x0000489C | 0x00003A9C | 0x000000AD |
FindNextFileA | - | 0x08004020 | 0x000048A0 | 0x00003AA0 | 0x000000BA |
DeleteFileA | - | 0x08004024 | 0x000048A4 | 0x00003AA4 | 0x00000069 |
CloseHandle | - | 0x08004028 | 0x000048A8 | 0x00003AA8 | 0x00000023 |
CreateFileA | - | 0x0800402C | 0x000048AC | 0x00003AAC | 0x0000003D |
gdi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateFontIndirectA | - | 0x08004000 | 0x00004880 | 0x00003A80 | 0x0000002F |
Memory Dumps (8)
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
lossy.exe | 1 | 0x08000000 | 0x08008FFF | Relevant Image | 32-bit | 0x08002CE4 |
buffer | 1 | 0x00440000 | 0x00445FFF | First Execution | 32-bit | 0x00440009 |
buffer | 1 | 0x00460000 | 0x00465FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x00460000 | 0x00465FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x00460000 | 0x00465FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x00460000 | 0x00465FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x00460000 | 0x00465FFF | First Execution | 32-bit | 0x00461020 |
lossy.exe | 1 | 0x08000000 | 0x08008FFF | Process Termination | 32-bit | - |
YARA Matches (1)
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
CryptoLocker_rule2 | CryptoLocker ransomware | Ransomware | 5/5 |
File Name | C:\Users\RDHJ0C~1\AppData\Local\Temp\lossy.exe |
Category | Dropped File |
Type | Binary |
Verdict | Malicious |
PE Information
Image Base | 0x08000000 |
Entry Point | 0x08001000 |
Size Of Code | 0x00002E00 |
Size Of Initialized Data | 0x00003000 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2012-02-16 03:43 (UTC+1) |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x08001000 | 0x00002C4B | 0x00002E00 | 0x00000400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.23 |
.data | 0x08004000 | 0x00000AF2 | 0x00000C00 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.55 |
.rsrc | 0x08005000 | 0x00002108 | 0x00002200 | 0x00003E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.16 |
.reloc | 0x08008000 | 0x000001FA | 0x00000200 | 0x00006000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.49 |
Imports (3)
user32.dll (18)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
EndPaint | - | 0x08004034 | 0x000048B4 | 0x00003AB4 | 0x000000B6 |
GetMessageA | - | 0x08004038 | 0x000048B8 | 0x00003AB8 | 0x00000122 |
DispatchMessageA | - | 0x0800403C | 0x000048BC | 0x00003ABC | 0x00000093 |
ShowWindow | - | 0x08004040 | 0x000048C0 | 0x00003AC0 | 0x00000248 |
UpdateWindow | - | 0x08004044 | 0x000048C4 | 0x00003AC4 | 0x0000026A |
BeginPaint | - | 0x08004048 | 0x000048C8 | 0x00003AC8 | 0x0000000B |
TranslateMessage | - | 0x0800404C | 0x000048CC | 0x00003ACC | 0x0000025E |
MoveWindow | - | 0x08004050 | 0x000048D0 | 0x00003AD0 | 0x000001BE |
CreateWindowExA | - | 0x08004054 | 0x000048D4 | 0x00003AD4 | 0x00000056 |
RegisterClassExA | - | 0x08004058 | 0x000048D8 | 0x00003AD8 | 0x000001E1 |
DefWindowProcA | - | 0x0800405C | 0x000048DC | 0x00003ADC | 0x00000083 |
MessageBoxA | - | 0x08004060 | 0x000048E0 | 0x00003AE0 | 0x000001B1 |
SendMessageA | - | 0x08004064 | 0x000048E4 | 0x00003AE4 | 0x000001FD |
DestroyWindow | - | 0x08004068 | 0x000048E8 | 0x00003AE8 | 0x0000008D |
LoadCursorA | - | 0x0800406C | 0x000048EC | 0x00003AEC | 0x00000194 |
LoadIconA | - | 0x08004070 | 0x000048F0 | 0x00003AF0 | 0x00000198 |
PostQuitMessage | - | 0x08004074 | 0x000048F4 | 0x00003AF4 | 0x000001D5 |
GetWindowRect | - | 0x08004078 | 0x000048F8 | 0x00003AF8 | 0x00000157 |
kernel32.dll (10)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetLastError | - | 0x08004008 | 0x00004888 | 0x00003A88 | 0x00000128 |
lstrcpyA | - | 0x0800400C | 0x0000488C | 0x00003A8C | 0x00000315 |
GetModuleHandleA | - | 0x08004010 | 0x00004890 | 0x00003A90 | 0x00000134 |
GetCommandLineA | - | 0x08004014 | 0x00004894 | 0x00003A94 | 0x000000E6 |
FindFirstFileA | - | 0x08004018 | 0x00004898 | 0x00003A98 | 0x000000B1 |
FindClose | - | 0x0800401C | 0x0000489C | 0x00003A9C | 0x000000AD |
FindNextFileA | - | 0x08004020 | 0x000048A0 | 0x00003AA0 | 0x000000BA |
DeleteFileA | - | 0x08004024 | 0x000048A4 | 0x00003AA4 | 0x00000069 |
CloseHandle | - | 0x08004028 | 0x000048A8 | 0x00003AA8 | 0x00000023 |
CreateFileA | - | 0x0800402C | 0x000048AC | 0x00003AAC | 0x0000003D |
gdi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateFontIndirectA | - | 0x08004000 | 0x00004880 | 0x00003A80 | 0x0000002F |
Memory Dumps (15)
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
lossy.exe | 2 | 0x08000000 | 0x08008FFF | Relevant Image | 32-bit | 0x08002CE4 |
buffer | 2 | 0x00440000 | 0x00445FFF | First Execution | 32-bit | 0x00440009 |
buffer | 2 | 0x00460000 | 0x00465FFF | Marked Executable | 32-bit | - |
buffer | 2 | 0x00460000 | 0x00465FFF | Marked Executable | 32-bit | - |
buffer | 2 | 0x00460000 | 0x00465FFF | Marked Executable | 32-bit | - |
buffer | 2 | 0x00460000 | 0x00465FFF | Marked Executable | 32-bit | - |
buffer | 2 | 0x00460000 | 0x00465FFF | First Execution | 32-bit | 0x00461020 |
buffer | 2 | 0x0019A000 | 0x0019FFFF | First Network Behavior | 32-bit | - |
buffer | 2 | 0x001F0000 | 0x001F5FFF | First Network Behavior | 32-bit | - |
buffer | 2 | 0x00440000 | 0x00445FFF | First Network Behavior | 32-bit | - |
buffer | 2 | 0x00460000 | 0x00465FFF | First Network Behavior | 32-bit | - |
buffer | 2 | 0x01F90000 | 0x0202FFFF | First Network Behavior | 32-bit | - |
lossy.exe | 2 | 0x08000000 | 0x08008FFF | First Network Behavior | 32-bit | - |
counters.dat | 2 | 0x00470000 | 0x00470FFF | First Network Behavior | 32-bit | - |
lossy.exe | 2 | 0x08000000 | 0x08008FFF | Final Dump | 32-bit | - |
YARA Matches (1)
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
CryptoLocker_rule2 | CryptoLocker ransomware | Ransomware | 5/5 |
File Name | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat |
Category | Modified File |
Type | Empty |
Verdict | Clean |