Dynamic Analysis Report
Created on 2024-03-29T05:51:26+00:00

Field | Value |
---|---|
Sample | asih.exe |
File Type | Windows Exe (x86-32) |
Verdict | Malicious |
Classifications | Ransomware |
Threat Names | CryptoLocker, Mal/HTMLGen-A |
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDhJ0CNFevzX\Desktop\asih.exe | Sample File | Binary | Malicious |

File Reputation Information
Field | Value |
---|---|
Verdict | Malicious |
PE Information
Field | Value |
---|---|
Image Base | 0x00500000 |
Entry Point | 0x00501000 |
Size Of Code | 0x00002E00 |
Size Of Initialized Data | 0x00003E00 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2013-10-02 14:59 (UTC+2) |

Sections (6)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text U | 0x00501000 | 0x00002CAA | 0x00002E00 | 0x00000400 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.28 |
.rdata | 0x00504000 | 0x000004B6 | 0x00000600 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.94 |
.data s | 0x00505000 | 0x00000630 | 0x00000400 | 0x00003800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.79 |
.rsrc U | 0x00506000 | 0x00002AC8 | 0x00002C00 | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.98 |
.reloc | 0x00509000 | 0x00000218 | 0x00000400 | 0x00006800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0 |
.yya Feb | 0x0050A000 | 0x00000400 | 0x00000400 | 0x00006C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.89 |
Imports (3)

KERNEL32.DLL (12)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetLastError | - | 0x00504008 | 0x00004008 | 0x00003208 | 0x00000000 |
lstrcpyA | - | 0x0050400C | 0x0000400C | 0x0000320C | 0x00000000 |
GetModuleHandleA | - | 0x00504010 | 0x00004010 | 0x00003210 | 0x00000000 |
GetCommandLineA | - | 0x00504014 | 0x00004014 | 0x00003214 | 0x00000000 |
FindFirstFileA | - | 0x00504018 | 0x00004018 | 0x00003218 | 0x00000000 |
FormatMessageA | - | 0x0050401C | 0x0000401C | 0x0000321C | 0x00000000 |
FindClose | - | 0x00504020 | 0x00004020 | 0x00003220 | 0x00000000 |
FindNextFileA | - | 0x00504024 | 0x00004024 | 0x00003224 | 0x00000000 |
DeleteFileA | - | 0x00504028 | 0x00004028 | 0x00003228 | 0x00000000 |
CloseHandle | - | 0x0050402C | 0x0000402C | 0x0000322C | 0x00000000 |
GetACP | - | 0x00504030 | 0x00004030 | 0x00003230 | 0x00000000 |
CreateFileA | - | 0x00504034 | 0x00004034 | 0x00003234 | 0x00000000 |
gdi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateFontIndirectA | - | 0x00504000 | 0x00004000 | 0x00003200 | 0x00000000 |
user32.dll (18)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
PostQuitMessage | - | 0x0050403C | 0x0000403C | 0x0000323C | 0x00000000 |
GetMessageA | - | 0x00504040 | 0x00004040 | 0x00003240 | 0x00000000 |
UpdateWindow | - | 0x00504044 | 0x00004044 | 0x00003244 | 0x00000000 |
EndPaint | - | 0x00504048 | 0x00004048 | 0x00003248 | 0x00000000 |
DispatchMessageA | - | 0x0050404C | 0x0000404C | 0x0000324C | 0x00000000 |
BeginPaint | - | 0x00504050 | 0x00004050 | 0x00003250 | 0x00000000 |
TranslateMessage | - | 0x00504054 | 0x00004054 | 0x00003254 | 0x00000000 |
MoveWindow | - | 0x00504058 | 0x00004058 | 0x00003258 | 0x00000000 |
CreateWindowExA | - | 0x0050405C | 0x0000405C | 0x0000325C | 0x00000000 |
RegisterClassExA | - | 0x00504060 | 0x00004060 | 0x00003260 | 0x00000000 |
DefWindowProcA | - | 0x00504064 | 0x00004064 | 0x00003264 | 0x00000000 |
MessageBoxA | - | 0x00504068 | 0x00004068 | 0x00003268 | 0x00000000 |
SendMessageA | - | 0x0050406C | 0x0000406C | 0x0000326C | 0x00000000 |
DestroyWindow | - | 0x00504070 | 0x00004070 | 0x00003270 | 0x00000000 |
LoadCursorA | - | 0x00504074 | 0x00004074 | 0x00003274 | 0x00000000 |
LoadIconA | - | 0x00504078 | 0x00004078 | 0x00003278 | 0x00000000 |
ShowWindow | - | 0x0050407C | 0x0000407C | 0x0000327C | 0x00000000 |
GetWindowRect | - | 0x00504080 | 0x00004080 | 0x00003280 | 0x00000000 |
Memory Dumps (10)
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
asih.exe | 1 | 0x00500000 | 0x0050AFFF | First Execution | 32-bit | 0x00501000 |
buffer | 1 | 0x001F0000 | 0x001F5FFF | First Execution | 32-bit | 0x001F0009 |
buffer | 1 | 0x001F0000 | 0x001F5FFF | Content Changed | 32-bit | 0x001F0983 |
buffer | 1 | 0x00420000 | 0x00425FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x00420000 | 0x00425FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x00420000 | 0x00425FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x00420000 | 0x00425FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x00420000 | 0x00425FFF | First Execution | 32-bit | 0x00421020 |
buffer | 1 | 0x02130048 | 0x0213BA71 | Image In Buffer | 32-bit | - |
asih.exe | 1 | 0x00500000 | 0x0050AFFF | Process Termination | 32-bit | - |
YARA Matches (2)
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
CryptoLocker_rule2 | CryptoLocker ransomware | Ransomware | 5/5 |
CryptoLocker_set1 | CryptoLocker ransomware | Ransomware | 5/5 |
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDHJ0C~1\AppData\Local\Temp\asih.exe | Dropped File | Binary | Malicious |

PE Information
Field | Value |
---|---|
Image Base | 0x00500000 |
Entry Point | 0x00501000 |
Size Of Code | 0x00002E00 |
Size Of Initialized Data | 0x00003E00 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2013-10-02 14:59 (UTC+2) |

Sections (6)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text U | 0x00501000 | 0x00002CAA | 0x00002E00 | 0x00000400 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.28 |
.rdata | 0x00504000 | 0x000004B6 | 0x00000600 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.94 |
.data s | 0x00505000 | 0x00000630 | 0x00000400 | 0x00003800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.79 |
.rsrc U | 0x00506000 | 0x00002AC8 | 0x00002C00 | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.98 |
.reloc | 0x00509000 | 0x00000218 | 0x00000400 | 0x00006800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0 |
.yya Feb | 0x0050A000 | 0x00000400 | 0x00000400 | 0x00006C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.89 |
Imports (3)

KERNEL32.DLL (12)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetLastError | - | 0x00504008 | 0x00004008 | 0x00003208 | 0x00000000 |
lstrcpyA | - | 0x0050400C | 0x0000400C | 0x0000320C | 0x00000000 |
GetModuleHandleA | - | 0x00504010 | 0x00004010 | 0x00003210 | 0x00000000 |
GetCommandLineA | - | 0x00504014 | 0x00004014 | 0x00003214 | 0x00000000 |
FindFirstFileA | - | 0x00504018 | 0x00004018 | 0x00003218 | 0x00000000 |
FormatMessageA | - | 0x0050401C | 0x0000401C | 0x0000321C | 0x00000000 |
FindClose | - | 0x00504020 | 0x00004020 | 0x00003220 | 0x00000000 |
FindNextFileA | - | 0x00504024 | 0x00004024 | 0x00003224 | 0x00000000 |
DeleteFileA | - | 0x00504028 | 0x00004028 | 0x00003228 | 0x00000000 |
CloseHandle | - | 0x0050402C | 0x0000402C | 0x0000322C | 0x00000000 |
GetACP | - | 0x00504030 | 0x00004030 | 0x00003230 | 0x00000000 |
CreateFileA | - | 0x00504034 | 0x00004034 | 0x00003234 | 0x00000000 |
gdi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateFontIndirectA | - | 0x00504000 | 0x00004000 | 0x00003200 | 0x00000000 |
user32.dll (18)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
PostQuitMessage | - | 0x0050403C | 0x0000403C | 0x0000323C | 0x00000000 |
GetMessageA | - | 0x00504040 | 0x00004040 | 0x00003240 | 0x00000000 |
UpdateWindow | - | 0x00504044 | 0x00004044 | 0x00003244 | 0x00000000 |
EndPaint | - | 0x00504048 | 0x00004048 | 0x00003248 | 0x00000000 |
DispatchMessageA | - | 0x0050404C | 0x0000404C | 0x0000324C | 0x00000000 |
BeginPaint | - | 0x00504050 | 0x00004050 | 0x00003250 | 0x00000000 |
TranslateMessage | - | 0x00504054 | 0x00004054 | 0x00003254 | 0x00000000 |
MoveWindow | - | 0x00504058 | 0x00004058 | 0x00003258 | 0x00000000 |
CreateWindowExA | - | 0x0050405C | 0x0000405C | 0x0000325C | 0x00000000 |
RegisterClassExA | - | 0x00504060 | 0x00004060 | 0x00003260 | 0x00000000 |
DefWindowProcA | - | 0x00504064 | 0x00004064 | 0x00003264 | 0x00000000 |
MessageBoxA | - | 0x00504068 | 0x00004068 | 0x00003268 | 0x00000000 |
SendMessageA | - | 0x0050406C | 0x0000406C | 0x0000326C | 0x00000000 |
DestroyWindow | - | 0x00504070 | 0x00004070 | 0x00003270 | 0x00000000 |
LoadCursorA | - | 0x00504074 | 0x00004074 | 0x00003274 | 0x00000000 |
LoadIconA | - | 0x00504078 | 0x00004078 | 0x00003278 | 0x00000000 |
ShowWindow | - | 0x0050407C | 0x0000407C | 0x0000327C | 0x00000000 |
GetWindowRect | - | 0x00504080 | 0x00004080 | 0x00003280 | 0x00000000 |
Memory Dumps (15)
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
asih.exe | 2 | 0x00500000 | 0x0050AFFF | First Execution | 32-bit | 0x00501000 |
buffer | 2 | 0x006A0000 | 0x006A5FFF | First Execution | 32-bit | 0x006A0009 |
buffer | 2 | 0x01EE0000 | 0x01EE5FFF | Marked Executable | 32-bit | - |
buffer | 2 | 0x01EE0000 | 0x01EE5FFF | Marked Executable | 32-bit | - |
buffer | 2 | 0x01EE0000 | 0x01EE5FFF | Marked Executable | 32-bit | - |
buffer | 2 | 0x01EE0000 | 0x01EE5FFF | Marked Executable | 32-bit | - |
buffer | 2 | 0x01EE0000 | 0x01EE5FFF | First Execution | 32-bit | 0x01EE1020 |
buffer | 2 | 0x0019A000 | 0x0019FFFF | First Network Behavior | 32-bit | - |
buffer | 2 | 0x00690000 | 0x00695FFF | First Network Behavior | 32-bit | - |
buffer | 2 | 0x006A0000 | 0x006A5FFF | First Network Behavior | 32-bit | - |
buffer | 2 | 0x01EE0000 | 0x01EE5FFF | First Network Behavior | 32-bit | 0x01EE12B8 |
buffer | 2 | 0x01FC0048 | 0x01FCBACF | First Network Behavior | 32-bit | - |
buffer | 2 | 0x020D0000 | 0x0220FFFF | First Network Behavior | 32-bit | - |
asih.exe | 2 | 0x00500000 | 0x0050AFFF | First Network Behavior | 32-bit | - |
counters.dat | 2 | 0x01EF0000 | 0x01EF0FFF | First Network Behavior | 32-bit | - |
YARA Matches (2)
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
CryptoLocker_rule2 | CryptoLocker ransomware | Ransomware | 5/5 |
CryptoLocker_set1 | CryptoLocker ransomware | Ransomware | 5/5 |

File Name | Category | Type | Verdict |
---|---|---|---|
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | Stream | Clean |