CryptoLocker | d9cd8e29f72b

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\OqXZRaykm\Desktop\asih.exe

Sample File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	50.22 KB
MD5	00e91fb785524907ad123537290364fb
SHA1	0691ee2aff1f1d949d6313e6f9359dd23ded08bb
SHA256	d9cd8e29f72b72c8754469641d68a179a424a1e04d99228f5d0c3897c4937b17
SSDeep	768:z6LsoEEeegiZPvEhHSG+gzum/kLyMro2GtOOtEvwDpj/YY1J+OT/:z6QFElP6n+gKmddpMOtEvwDpj31r
ImpHash	bd2f03255beebcd07c02192dbb770be8
Static Analysis Parser Error	malformed string file info

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

PE Information

Image Base	0x00500000
Entry Point	0x00501000
Size Of Code	0x00003000
Size Of Initialized Data	0x00003000
Size Of Uninitialized Data	0x00008000
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2013-10-02 12:59 (UTC)

Sections (4)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
UPX0	0x00501000	0x00008000	0x00005200	0x00000400	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.22
UPX1	0x00509000	0x00003000	0x00002800	0x00005600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.02
.rsrc	0x0050C000	0x00003000	0x00002C00	0x00007E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.07
.imports	0x0050F000	0x00001000	0x00000400	0x0000AA00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.97

Imports (3)

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontIndirectA	-	0x00504000	0x00004000	0x00003400	0x00000000

KERNEL32.DLL (12)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetLastError	-	0x00504008	0x00004008	0x00003408	0x00000000
lstrcpyA	-	0x0050400C	0x0000400C	0x0000340C	0x00000000
GetModuleHandleA	-	0x00504010	0x00004010	0x00003410	0x00000000
GetCommandLineA	-	0x00504014	0x00004014	0x00003414	0x00000000
FindFirstFileA	-	0x00504018	0x00004018	0x00003418	0x00000000
FormatMessageA	-	0x0050401C	0x0000401C	0x0000341C	0x00000000
FindClose	-	0x00504020	0x00004020	0x00003420	0x00000000
FindNextFileA	-	0x00504024	0x00004024	0x00003424	0x00000000
DeleteFileA	-	0x00504028	0x00004028	0x00003428	0x00000000
CloseHandle	-	0x0050402C	0x0000402C	0x0000342C	0x00000000
GetACP	-	0x00504030	0x00004030	0x00003430	0x00000000
CreateFileA	-	0x00504034	0x00004034	0x00003434	0x00000000

user32.dll (18)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
PostQuitMessage	-	0x0050403C	0x0000403C	0x0000343C	0x00000000
GetMessageA	-	0x00504040	0x00004040	0x00003440	0x00000000
UpdateWindow	-	0x00504044	0x00004044	0x00003444	0x00000000
EndPaint	-	0x00504048	0x00004048	0x00003448	0x00000000
DispatchMessageA	-	0x0050404C	0x0000404C	0x0000344C	0x00000000
BeginPaint	-	0x00504050	0x00004050	0x00003450	0x00000000
TranslateMessage	-	0x00504054	0x00004054	0x00003454	0x00000000
MoveWindow	-	0x00504058	0x00004058	0x00003458	0x00000000
CreateWindowExA	-	0x0050405C	0x0000405C	0x0000345C	0x00000000
RegisterClassExA	-	0x00504060	0x00004060	0x00003460	0x00000000
DefWindowProcA	-	0x00504064	0x00004064	0x00003464	0x00000000
MessageBoxA	-	0x00504068	0x00004068	0x00003468	0x00000000
SendMessageA	-	0x0050406C	0x0000406C	0x0000346C	0x00000000
DestroyWindow	-	0x00504070	0x00004070	0x00003470	0x00000000
LoadCursorA	-	0x00504074	0x00004074	0x00003474	0x00000000
LoadIconA	-	0x00504078	0x00004078	0x00003478	0x00000000
ShowWindow	-	0x0050407C	0x0000407C	0x0000347C	0x00000000
GetWindowRect	-	0x00504080	0x00004080	0x00003480	0x00000000

Memory Dumps (9)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
asih.exe	1	0x00500000	0x0050FFFF	First Execution	32-bit	0x00501000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x00560000	0x00565FFF	First Execution	32-bit	0x00560009	... Actions Go to Process Download Dump
buffer	1	0x00580000	0x00585FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00580000	0x00585FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00580000	0x00585FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00580000	0x00585FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00580000	0x00585FFF	First Execution	32-bit	0x00581020	... Actions Go to Process Download Dump
buffer	1	0x02160048	0x0216C97B	Image In Buffer	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
asih.exe	1	0x00500000	0x0050FFFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (2)

Rule Name	Rule Description	Classification	Score	Actions
CryptoLocker_rule2	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match
CryptoLocker_set1	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match

C:\Users\OQXZRA~1\AppData\Local\Temp\asih.exe

Dropped File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	50.30 KB
MD5	a9f5c00d04a95ec854b5c6cb0d62c117
SHA1	263eb48fa7781404731f4edfb44153a1544aad74
SHA256	8d8cd2b7378b09f4887ffb43f84fa8b61ff62198b7a2e6a4bf59aa66a6cee8a6
SSDeep	768:z6LsoEEeegiZPvEhHSG+gzum/kLyMro2GtOOtEvwDpj/YY1J+OT7:z6QFElP6n+gKmddpMOtEvwDpj31P
ImpHash	bd2f03255beebcd07c02192dbb770be8
Static Analysis Parser Error	malformed string file info

PE Information

Image Base	0x00500000
Entry Point	0x00501000
Size Of Code	0x00003000
Size Of Initialized Data	0x00003000
Size Of Uninitialized Data	0x00008000
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2013-10-02 12:59 (UTC)

Sections (4)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
UPX0	0x00501000	0x00008000	0x00005200	0x00000400	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.22
UPX1	0x00509000	0x00003000	0x00002800	0x00005600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.02
.rsrc	0x0050C000	0x00003000	0x00002C00	0x00007E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.07
.imports	0x0050F000	0x00001000	0x00000400	0x0000AA00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.97

Imports (3)

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontIndirectA	-	0x00504000	0x00004000	0x00003400	0x00000000

KERNEL32.DLL (12)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetLastError	-	0x00504008	0x00004008	0x00003408	0x00000000
lstrcpyA	-	0x0050400C	0x0000400C	0x0000340C	0x00000000
GetModuleHandleA	-	0x00504010	0x00004010	0x00003410	0x00000000
GetCommandLineA	-	0x00504014	0x00004014	0x00003414	0x00000000
FindFirstFileA	-	0x00504018	0x00004018	0x00003418	0x00000000
FormatMessageA	-	0x0050401C	0x0000401C	0x0000341C	0x00000000
FindClose	-	0x00504020	0x00004020	0x00003420	0x00000000
FindNextFileA	-	0x00504024	0x00004024	0x00003424	0x00000000
DeleteFileA	-	0x00504028	0x00004028	0x00003428	0x00000000
CloseHandle	-	0x0050402C	0x0000402C	0x0000342C	0x00000000
GetACP	-	0x00504030	0x00004030	0x00003430	0x00000000
CreateFileA	-	0x00504034	0x00004034	0x00003434	0x00000000

user32.dll (18)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
PostQuitMessage	-	0x0050403C	0x0000403C	0x0000343C	0x00000000
GetMessageA	-	0x00504040	0x00004040	0x00003440	0x00000000
UpdateWindow	-	0x00504044	0x00004044	0x00003444	0x00000000
EndPaint	-	0x00504048	0x00004048	0x00003448	0x00000000
DispatchMessageA	-	0x0050404C	0x0000404C	0x0000344C	0x00000000
BeginPaint	-	0x00504050	0x00004050	0x00003450	0x00000000
TranslateMessage	-	0x00504054	0x00004054	0x00003454	0x00000000
MoveWindow	-	0x00504058	0x00004058	0x00003458	0x00000000
CreateWindowExA	-	0x0050405C	0x0000405C	0x0000345C	0x00000000
RegisterClassExA	-	0x00504060	0x00004060	0x00003460	0x00000000
DefWindowProcA	-	0x00504064	0x00004064	0x00003464	0x00000000
MessageBoxA	-	0x00504068	0x00004068	0x00003468	0x00000000
SendMessageA	-	0x0050406C	0x0000406C	0x0000346C	0x00000000
DestroyWindow	-	0x00504070	0x00004070	0x00003470	0x00000000
LoadCursorA	-	0x00504074	0x00004074	0x00003474	0x00000000
LoadIconA	-	0x00504078	0x00004078	0x00003478	0x00000000
ShowWindow	-	0x0050407C	0x0000407C	0x0000347C	0x00000000
GetWindowRect	-	0x00504080	0x00004080	0x00003480	0x00000000

Memory Dumps (14)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
asih.exe	4	0x00500000	0x0050FFFF	First Execution	32-bit	0x00501000	... Actions Go to Process Go to YARA Match Download Dump
buffer	4	0x005E0000	0x005E5FFF	First Execution	32-bit	0x005E0009	... Actions Go to Process Download Dump
buffer	4	0x00610000	0x00615FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00610000	0x00615FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00610000	0x00615FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00610000	0x00615FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00610000	0x00615FFF	First Execution	32-bit	0x00611020	... Actions Go to Process Download Dump
buffer	4	0x0019C000	0x0019FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x005D0000	0x005D5FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x005E0000	0x005E5FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	4	0x00610000	0x00615FFF	First Network Behavior	32-bit	0x006112B8	... Actions Go to Process Download Dump
buffer	4	0x01FE0048	0x01FEC9D9	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	4	0x02180000	0x0237FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
asih.exe	4	0x00500000	0x0050FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (2)

Rule Name	Rule Description	Classification	Score	Actions
CryptoLocker_rule2	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match
CryptoLocker_set1	CryptoLocker ransomware	Ransomware	5/5	... Actions Show Ruleset Show Match

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information