Dynamic Analysis Report
Created on 2024-03-29T05:49:55+00:00

asih.exe
Windows Exe (x86-32)

Verdict | Malicious |
Classifications | Ransomware |
Threat Names | CryptoLocker, Mal/Generic-S |
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\OqXZRaykm\Desktop\asih.exe | Sample File | Binary | Malicious |

File Reputation Information
Verdict | Malicious |
Names | Mal/Generic-S |
PE Information
Image Base | 0x00500000 |
Entry Point | 0x00501000 |
Size Of Code | 0x00003000 |
Size Of Initialized Data | 0x00003000 |
Size Of Uninitialized Data | 0x00008000 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2013-10-02 12:59 (UTC) |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
UPX0 | 0x00501000 | 0x00008000 | 0x00005200 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.22 |
UPX1 | 0x00509000 | 0x00003000 | 0x00002800 | 0x00005600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.02 |
.rsrc | 0x0050C000 | 0x00003000 | 0x00002C00 | 0x00007E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.07 |
.imports | 0x0050F000 | 0x00001000 | 0x00000400 | 0x0000AA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.97 |
Imports (3)
gdi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateFontIndirectA | - | 0x00504000 | 0x00004000 | 0x00003400 | 0x00000000 |
KERNEL32.DLL (12)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetLastError | - | 0x00504008 | 0x00004008 | 0x00003408 | 0x00000000 |
lstrcpyA | - | 0x0050400C | 0x0000400C | 0x0000340C | 0x00000000 |
GetModuleHandleA | - | 0x00504010 | 0x00004010 | 0x00003410 | 0x00000000 |
GetCommandLineA | - | 0x00504014 | 0x00004014 | 0x00003414 | 0x00000000 |
FindFirstFileA | - | 0x00504018 | 0x00004018 | 0x00003418 | 0x00000000 |
FormatMessageA | - | 0x0050401C | 0x0000401C | 0x0000341C | 0x00000000 |
FindClose | - | 0x00504020 | 0x00004020 | 0x00003420 | 0x00000000 |
FindNextFileA | - | 0x00504024 | 0x00004024 | 0x00003424 | 0x00000000 |
DeleteFileA | - | 0x00504028 | 0x00004028 | 0x00003428 | 0x00000000 |
CloseHandle | - | 0x0050402C | 0x0000402C | 0x0000342C | 0x00000000 |
GetACP | - | 0x00504030 | 0x00004030 | 0x00003430 | 0x00000000 |
CreateFileA | - | 0x00504034 | 0x00004034 | 0x00003434 | 0x00000000 |
user32.dll (18)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
PostQuitMessage | - | 0x0050403C | 0x0000403C | 0x0000343C | 0x00000000 |
GetMessageA | - | 0x00504040 | 0x00004040 | 0x00003440 | 0x00000000 |
UpdateWindow | - | 0x00504044 | 0x00004044 | 0x00003444 | 0x00000000 |
EndPaint | - | 0x00504048 | 0x00004048 | 0x00003448 | 0x00000000 |
DispatchMessageA | - | 0x0050404C | 0x0000404C | 0x0000344C | 0x00000000 |
BeginPaint | - | 0x00504050 | 0x00004050 | 0x00003450 | 0x00000000 |
TranslateMessage | - | 0x00504054 | 0x00004054 | 0x00003454 | 0x00000000 |
MoveWindow | - | 0x00504058 | 0x00004058 | 0x00003458 | 0x00000000 |
CreateWindowExA | - | 0x0050405C | 0x0000405C | 0x0000345C | 0x00000000 |
RegisterClassExA | - | 0x00504060 | 0x00004060 | 0x00003460 | 0x00000000 |
DefWindowProcA | - | 0x00504064 | 0x00004064 | 0x00003464 | 0x00000000 |
MessageBoxA | - | 0x00504068 | 0x00004068 | 0x00003468 | 0x00000000 |
SendMessageA | - | 0x0050406C | 0x0000406C | 0x0000346C | 0x00000000 |
DestroyWindow | - | 0x00504070 | 0x00004070 | 0x00003470 | 0x00000000 |
LoadCursorA | - | 0x00504074 | 0x00004074 | 0x00003474 | 0x00000000 |
LoadIconA | - | 0x00504078 | 0x00004078 | 0x00003478 | 0x00000000 |
ShowWindow | - | 0x0050407C | 0x0000407C | 0x0000347C | 0x00000000 |
GetWindowRect | - | 0x00504080 | 0x00004080 | 0x00003480 | 0x00000000 |
Memory Dumps (9)
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
asih.exe | 1 | 0x00500000 | 0x0050FFFF | First Execution | 32-bit | 0x00501000 |
buffer | 1 | 0x00560000 | 0x00565FFF | First Execution | 32-bit | 0x00560009 |
buffer | 1 | 0x00580000 | 0x00585FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x00580000 | 0x00585FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x00580000 | 0x00585FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x00580000 | 0x00585FFF | Marked Executable | 32-bit | - |
buffer | 1 | 0x00580000 | 0x00585FFF | First Execution | 32-bit | 0x00581020 |
buffer | 1 | 0x02160048 | 0x0216C97B | Image In Buffer | 32-bit | - |
asih.exe | 1 | 0x00500000 | 0x0050FFFF | Process Termination | 32-bit | - |
YARA Matches (2)
Rule Name | Rule Description | Classification | Score |
---|---|---|---|---|
CryptoLocker_rule2 | CryptoLocker ransomware | Ransomware | 5/5 |
CryptoLocker_set1 | CryptoLocker ransomware | Ransomware | 5/5 |
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\OQXZRA~1\AppData\Local\Temp\asih.exe | Dropped File | Binary | Malicious |

PE Information
Image Base | 0x00500000 |
Entry Point | 0x00501000 |
Size Of Code | 0x00003000 |
Size Of Initialized Data | 0x00003000 |
Size Of Uninitialized Data | 0x00008000 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2013-10-02 12:59 (UTC) |
Sections (4)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
UPX0 | 0x00501000 | 0x00008000 | 0x00005200 | 0x00000400 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.22 |
UPX1 | 0x00509000 | 0x00003000 | 0x00002800 | 0x00005600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.02 |
.rsrc | 0x0050C000 | 0x00003000 | 0x00002C00 | 0x00007E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.07 |
.imports | 0x0050F000 | 0x00001000 | 0x00000400 | 0x0000AA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.97 |
Imports (3)
gdi32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreateFontIndirectA | - | 0x00504000 | 0x00004000 | 0x00003400 | 0x00000000 |
KERNEL32.DLL (12)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetLastError | - | 0x00504008 | 0x00004008 | 0x00003408 | 0x00000000 |
lstrcpyA | - | 0x0050400C | 0x0000400C | 0x0000340C | 0x00000000 |
GetModuleHandleA | - | 0x00504010 | 0x00004010 | 0x00003410 | 0x00000000 |
GetCommandLineA | - | 0x00504014 | 0x00004014 | 0x00003414 | 0x00000000 |
FindFirstFileA | - | 0x00504018 | 0x00004018 | 0x00003418 | 0x00000000 |
FormatMessageA | - | 0x0050401C | 0x0000401C | 0x0000341C | 0x00000000 |
FindClose | - | 0x00504020 | 0x00004020 | 0x00003420 | 0x00000000 |
FindNextFileA | - | 0x00504024 | 0x00004024 | 0x00003424 | 0x00000000 |
DeleteFileA | - | 0x00504028 | 0x00004028 | 0x00003428 | 0x00000000 |
CloseHandle | - | 0x0050402C | 0x0000402C | 0x0000342C | 0x00000000 |
GetACP | - | 0x00504030 | 0x00004030 | 0x00003430 | 0x00000000 |
CreateFileA | - | 0x00504034 | 0x00004034 | 0x00003434 | 0x00000000 |
user32.dll (18)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
PostQuitMessage | - | 0x0050403C | 0x0000403C | 0x0000343C | 0x00000000 |
GetMessageA | - | 0x00504040 | 0x00004040 | 0x00003440 | 0x00000000 |
UpdateWindow | - | 0x00504044 | 0x00004044 | 0x00003444 | 0x00000000 |
EndPaint | - | 0x00504048 | 0x00004048 | 0x00003448 | 0x00000000 |
DispatchMessageA | - | 0x0050404C | 0x0000404C | 0x0000344C | 0x00000000 |
BeginPaint | - | 0x00504050 | 0x00004050 | 0x00003450 | 0x00000000 |
TranslateMessage | - | 0x00504054 | 0x00004054 | 0x00003454 | 0x00000000 |
MoveWindow | - | 0x00504058 | 0x00004058 | 0x00003458 | 0x00000000 |
CreateWindowExA | - | 0x0050405C | 0x0000405C | 0x0000345C | 0x00000000 |
RegisterClassExA | - | 0x00504060 | 0x00004060 | 0x00003460 | 0x00000000 |
DefWindowProcA | - | 0x00504064 | 0x00004064 | 0x00003464 | 0x00000000 |
MessageBoxA | - | 0x00504068 | 0x00004068 | 0x00003468 | 0x00000000 |
SendMessageA | - | 0x0050406C | 0x0000406C | 0x0000346C | 0x00000000 |
DestroyWindow | - | 0x00504070 | 0x00004070 | 0x00003470 | 0x00000000 |
LoadCursorA | - | 0x00504074 | 0x00004074 | 0x00003474 | 0x00000000 |
LoadIconA | - | 0x00504078 | 0x00004078 | 0x00003478 | 0x00000000 |
ShowWindow | - | 0x0050407C | 0x0000407C | 0x0000347C | 0x00000000 |
GetWindowRect | - | 0x00504080 | 0x00004080 | 0x00003480 | 0x00000000 |
Memory Dumps (14)
Name | Process ID | Start VA | End VA | Dump Reason | Bitness | Entry Point |
---|---|---|---|---|---|---|
asih.exe | 4 | 0x00500000 | 0x0050FFFF | First Execution | 32-bit | 0x00501000 |
buffer | 4 | 0x005E0000 | 0x005E5FFF | First Execution | 32-bit | 0x005E0009 |
buffer | 4 | 0x00610000 | 0x00615FFF | Marked Executable | 32-bit | - |
buffer | 4 | 0x00610000 | 0x00615FFF | Marked Executable | 32-bit | - |
buffer | 4 | 0x00610000 | 0x00615FFF | Marked Executable | 32-bit | - |
buffer | 4 | 0x00610000 | 0x00615FFF | Marked Executable | 32-bit | - |
buffer | 4 | 0x00610000 | 0x00615FFF | First Execution | 32-bit | 0x00611020 |
buffer | 4 | 0x0019C000 | 0x0019FFFF | First Network Behavior | 32-bit | - |
buffer | 4 | 0x005D0000 | 0x005D5FFF | First Network Behavior | 32-bit | - |
buffer | 4 | 0x005E0000 | 0x005E5FFF | First Network Behavior | 32-bit | - |
buffer | 4 | 0x00610000 | 0x00615FFF | First Network Behavior | 32-bit | 0x006112B8 |
buffer | 4 | 0x01FE0048 | 0x01FEC9D9 | First Network Behavior | 32-bit | - |
buffer | 4 | 0x02180000 | 0x0237FFFF | First Network Behavior | 32-bit | - |
asih.exe | 4 | 0x00500000 | 0x0050FFFF | First Network Behavior | 32-bit | - |
YARA Matches (2)
Rule Name | Rule Description | Classification | Score |
---|---|---|---|---|
CryptoLocker_rule2 | CryptoLocker ransomware | Ransomware | 5/5 |
CryptoLocker_set1 | CryptoLocker ransomware | Ransomware | 5/5 |