272d02d9694b6108ce0cb93be8af8f16

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2010-Nov-20 09:03:08
Detected languages English - United States

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C++ 6.0 DLL
Microsoft Visual C++
Microsoft Visual C++ v6.0
Microsoft Visual C++ v5.0/v6.0 (MFC)
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to AES
Microsoft's Cryptography API
Malicious This program contains valid cryptocurrency addresses. Contains a valid Bitcoin address:
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Suspicious The PE contains functions most legitimate programs don't use. Uses Microsoft's cryptographic API:
  • CryptGenRandom
  • CryptAcquireContextA
Has Internet access capabilities:
  • InternetOpenA
  • InternetOpenUrlA
  • InternetCloseHandle
Leverages the raw socket API to access the Internet:
  • #3
  • #16
  • #19
  • #8
  • #14
  • #115
  • #12
  • #10
  • #18
  • #9
  • #23
  • #4
  • #11
Interacts with services:
  • OpenSCManagerA
  • CreateServiceA
  • OpenServiceA
Malicious The PE is possibly a dropper. Resource 1831 detected as a PE Executable.
Resource 1 is possibly compressed or encrypted.
Resources account for 94.4148% of the executable.
Malicious VirusTotal score: 65/71 (Scanned on 2019-02-02 23:31:07) Bkav: W32.WannaCrypLTE.Trojan
MicroWorld-eScan: Trojan.Ransom.WannaCryptor.H
CMC: Trojan-Ransom.Win32.Wanna!O
CAT-QuickHeal: Trojan.Mauvaise.SL1
McAfee: Ransom-WannaCry!272D02D9694B
Malwarebytes: Ransom.WannaCrypt
SUPERAntiSpyware: Ransom.WannaCrypt/Variant
TheHacker: Trojan/Exploit.CVE-2017-0147.a
BitDefender: Trojan.Ransom.WannaCryptor.H
K7GW: Exploit ( 0050d7a31 )
K7AntiVirus: Exploit ( 0050d7a31 )
Arcabit: Trojan.Ransom.WannaCryptor.H
Invincea: heuristic
Baidu: Win32.Worm.Rbot.a
F-Prot: W32/WannaCrypt.D
Symantec: Ransom.Wannacry
TrendMicro-HouseCall: Ransom_WCRY.SM2
Paloalto: generic.ml
ClamAV: Win.Ransomware.WannaCry-6313787-0
Kaspersky: Trojan-Ransom.Win32.Wanna.m
Alibaba: Ransom:Win32/Wanna.4f6bbaf0
NANO-Antivirus: Trojan.Win32.Wanna.epclsl
ViRobot: Trojan.Win32.WannaCry.3723264.A
Avast: Sf:WNCryLdr-A [Trj]
Tencent: Trojan.Win32.WannaCry.b
Ad-Aware: Trojan.Ransom.WannaCryptor.H
Emsisoft: Trojan.Ransom.WannaCryptor.H (B)
Comodo: TrojWare.Win32.WannaCry.jet@714um4
F-Secure: Trojan:W32/WannaCry.D
DrWeb: Trojan.Encoder.11432
Zillya: Trojan.WannaCry.Win32.1
TrendMicro: Ransom_WCRY.SM2
McAfee-GW-Edition: BehavesLike.Win32.RansomWannaCry.wc
Fortinet: W32/WannaCryptor.H!tr.ransom
Trapmine: malicious.high.ml.score
Sophos: Troj/Ransom-EMG
Ikarus: Trojan-Ransom.WannaCry
Cyren: W32/WannaCrypt.E.gen!Eldorado
Jiangmin: Trojan.WanaCry.i
Webroot: W32.Ransom.Wannacry
Avira: TR/Ransom.UL
MAX: malware (ai score=100)
Antiy-AVL: Trojan[Ransom]/Win32.Scatter
Endgame: malicious (high confidence)
Microsoft: Ransom:Win32/WannaCrypt.H
AegisLab: Trojan.Win32.Wanna.u!c
ZoneAlarm: Trojan-Ransom.Win32.Wanna.m
AhnLab-V3: Trojan/Win32.WannaCryptor.R200572
Acronis: suspicious
VBA32: TrojanRansom.Wanna
ALYac: Trojan.Ransom.WannaCryptor
TACHYON: Ransom/W32.WannaCry.Zen
Cylance: Unsafe
Zoner: Trojan.Win32.59562
ESET-NOD32: Win32/Exploit.CVE-2017-0147.A
Rising: Exploit.EternalBlue!1.AAED (CLASSIC)
Yandex: Exploit.CVE-2017-0147!
SentinelOne: static engine - malicious
eGambit: Trojan.Generic
GData: Win32.Trojan-Ransom.WannaCry.D
AVG: Sf:WNCryLdr-A [Trj]
Cybereason: malicious.9694b6
Panda: Trj/RansomCrypt.I
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Worm.WannaCrypt.B

Hashes

MD5 272d02d9694b6108ce0cb93be8af8f16
SHA1 6e34070d194e33e9eef908f71e6cc597d3283f5d
SHA256 79f1263d4f4c1c3fcb3698f6ebb2214999e4fc462cc15f5fe9f366c1e44d2bb8
SHA3 7162a621c8db08934cfb09950fd3160add92b7da20f83f1ff2d566e3f044c447
SSDeep 98304:ZDqPoBhz1aRxcSUZk36SAEdhvxWa9P593R8yAVp2HI:ZDqPe1Cxc7k3ZAEUadzR8yc4HI
Imports Hash f13e2041cdff3dd5acef675d56aa3d19

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2010-Nov-20 09:03:08
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x9000
SizeOfInitializedData 0x383000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00009A16 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xa000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x66b000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 570b25a22563c416fafb8a553e60afda
SHA1 4aadc2b9141d5a3026effd139b2679308f7cd5a9
SHA256 c70b5004cbabd931b3976dbd2ea42d3f8b5110e5753fba29a45636dc209adf7c
SHA3 1b02ac078bd307f6154989427c9ab92a78e7113492c4d09b410b8fc23202a13d
VirtualSize 0x8bca
VirtualAddress 0x1000
SizeOfRawData 0x9000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.13445

.rdata

MD5 d8037d744b539326c06e897625751cc9
SHA1 8c528f41cd4533228264ee639fad17e5be8bf817
SHA256 532e9419f23eaf5eb0e8828b211a7164cbf80ad54461bc748c1ec2349552e6a2
SHA3 5d39450e3d956e25cae7060d586eba36290927433c53df9b26f417ec5d91052d
VirtualSize 0x998
VirtualAddress 0xa000
SizeOfRawData 0x1000
PointerToRawData 0xa000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.50362

.data

MD5 22a8598dc29cad7078c291e94612ce26
SHA1 26a45092c8e8e59cb26e39d75f64ae7eb5ad5196
SHA256 6f93fb1b241a990ecc281f9c782f0da471628f6068925aaf580c1b1de86bce8a
SHA3 a9aa57a7ab5bd1318785a61d60d5c8d7564d9e83e2220be6bc22431d1688db7d
VirtualSize 0x30489c
VirtualAddress 0xb000
SizeOfRawData 0x27000
PointerToRawData 0xb000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.10032

.rsrc

MD5 dba3b1a338eefa838946a6f4cda98411
SHA1 7f418bf4f667ceef206700b4c57e399324fe3909
SHA256 1dd2c8482322cdb1d7292c0579661acc624f86112baa0247dacb468fecaae90b
SHA3 c64def1441fd2a30b8ac65f90ac9d94e4301f7e44a14723eee09a4dc751d39d5
VirtualSize 0x35a454
VirtualAddress 0x310000
SizeOfRawData 0x35b000
PointerToRawData 0x32000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.99449

Imports

KERNEL32.dll WaitForSingleObject
InterlockedIncrement
GetCurrentThreadId
GetCurrentThread
ReadFile
GetFileSize
CreateFileA
MoveFileExA
SizeofResource
TerminateThread
LoadResource
FindResourceA
GetProcAddress
GetModuleHandleW
ExitProcess
GetModuleFileNameA
LocalFree
LocalAlloc
CloseHandle
InterlockedDecrement
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
GlobalAlloc
GlobalFree
QueryPerformanceFrequency
QueryPerformanceCounter
GetTickCount
LockResource
Sleep
GetStartupInfoA
GetModuleHandleA
ADVAPI32.dll StartServiceCtrlDispatcherA
RegisterServiceCtrlHandlerA
ChangeServiceConfig2A
SetServiceStatus
OpenSCManagerA
CreateServiceA
CloseServiceHandle
StartServiceA
CryptGenRandom
CryptAcquireContextA
OpenServiceA
WS2_32.dll #3
#16
#19
#8
#14
#115
#12
#10
#18
#9
#23
#4
#11
MSVCP60.dll ??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@XZ
iphlpapi.dll GetAdaptersInfo
GetPerAdapterInfo
WININET.dll InternetOpenA
InternetOpenUrlA
InternetCloseHandle
MSVCRT.dll __set_app_type
_stricmp
__p__fmode
__p__commode
_except_handler3
__setusermatherr
_initterm
__getmainargs
_acmdln
_adjust_fdiv
_controlfp
exit
_XcptFilter
_exit
_onexit
__dllonexit
free
??2@YAPAXI@Z
_ftol
sprintf
_endthreadex
strncpy
rand
_beginthreadex
__CxxFrameHandler
srand
time
__p___argc

Delayed Imports

1831

Type R
Language English - United States
Codepage Latin 1 / Western European
Size 0x35a000
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.99453
Detected Filetype PE Executable
MD5 c88722ef42a6ee08cbed91406ea5c0e5
SHA1 643960f48a68ba0778621871f37389215642c423
SHA256 efbc1542b29b798dbbeeb531bbb4b84d422843f9c66d3aff9f301ab9296d8b4c
SHA3 0f2f94f383ed97062534222cf2e63f74a807255169da568029ca537e4e55c362

1

Type RT_VERSION
Language English - United States
Codepage Latin 1 / Western European
Size 0x3b0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.81153
MD5 c99fdebb72785acef8c8f29966b7f545
SHA1 44a9c6a0d87458ab64d39a5c0202e075bc09e428
SHA256 a60ece3d3c202e3a55910cd7c4b71f6b1b4510df6b8d982f9273f982dc1f1e22
SHA3 fd1a5b8b99c6661380caa194b0fa93f5a0ccb17cadc66f20e9ed56759f775bc6

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xc33d5d11
Unmarked objects 0
12 (7291) 1
14 (7299) 4
C objects (8047) 11
C++ objects (8047) 1
Linker (8047) 4
Imports (VS2003 (.NET) build 4035) 11
Total imports 91
C++ objects (VS98 SP6 build 8804) 1
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors

[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Could not parse a VERSION_INFO resource!