Manalyze report for 272d02d9694b6108ce0cb93be8af8f16

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Nov-20 09:03:08
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 DLL (Debug)` `Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++ 6.0 DLL` `Microsoft Visual C++` `Microsoft Visual C++ v6.0` `Microsoft Visual C++ v5.0/v6.0 (MFC)`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: cmd.exe`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to AES` `Microsoft's Cryptography API`
Malicious	This program contains valid cryptocurrency addresses.	`Contains a valid Bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94`
Suspicious	The PE contains functions most legitimate programs don't use.	`Uses Microsoft's cryptographic API: CryptGenRandom CryptAcquireContextA` `Has Internet access capabilities: InternetOpenA InternetOpenUrlA InternetCloseHandle` `Leverages the raw socket API to access the Internet: #3 #16 #19 #8 #14 #115 #12 #10 #18 #9 #23 #4 #11` `Interacts with services: OpenSCManagerA CreateServiceA OpenServiceA`
Malicious	The PE is possibly a dropper.	`Resource 1831 detected as a PE Executable.` `Resource 1 is possibly compressed or encrypted.` `Resources amount for 94.4148% of the executable.`
Malicious	VirusTotal score: 65/71 (Scanned on 2019-02-02 23:31:07)	`Bkav: W32.WannaCrypLTE.Trojan` `MicroWorld-eScan: Trojan.Ransom.WannaCryptor.H` `CMC: Trojan-Ransom.Win32.Wanna!O` `CAT-QuickHeal: Trojan.Mauvaise.SL1` `McAfee: Ransom-WannaCry!272D02D9694B` `Malwarebytes: Ransom.WannaCrypt` `SUPERAntiSpyware: Ransom.WannaCrypt/Variant` `TheHacker: Trojan/Exploit.CVE-2017-0147.a` `BitDefender: Trojan.Ransom.WannaCryptor.H` `K7GW: Exploit ( 0050d7a31 )` `K7AntiVirus: Exploit ( 0050d7a31 )` `Arcabit: Trojan.Ransom.WannaCryptor.H` `Invincea: heuristic` `Baidu: Win32.Worm.Rbot.a` `F-Prot: W32/WannaCrypt.D` `Symantec: Ransom.Wannacry` `TrendMicro-HouseCall: Ransom_WCRY.SM2` `Paloalto: generic.ml` `ClamAV: Win.Ransomware.WannaCry-6313787-0` `Kaspersky: Trojan-Ransom.Win32.Wanna.m` `Alibaba: Ransom:Win32/Wanna.4f6bbaf0` `NANO-Antivirus: Trojan.Win32.Wanna.epclsl` `ViRobot: Trojan.Win32.WannaCry.3723264.A` `Avast: Sf:WNCryLdr-A [Trj]` `Tencent: Trojan.Win32.WannaCry.b` `Ad-Aware: Trojan.Ransom.WannaCryptor.H` `Emsisoft: Trojan.Ransom.WannaCryptor.H (B)` `Comodo: TrojWare.Win32.WannaCry.jet@714um4` `F-Secure: Trojan:W32/WannaCry.D` `DrWeb: Trojan.Encoder.11432` `Zillya: Trojan.WannaCry.Win32.1` `TrendMicro: Ransom_WCRY.SM2` `McAfee-GW-Edition: BehavesLike.Win32.RansomWannaCry.wc` `Fortinet: W32/WannaCryptor.H!tr.ransom` `Trapmine: malicious.high.ml.score` `Sophos: Troj/Ransom-EMG` `Ikarus: Trojan-Ransom.WannaCry` `Cyren: W32/WannaCrypt.E.gen!Eldorado` `Jiangmin: Trojan.WanaCry.i` `Webroot: W32.Ransom.Wannacry` `Avira: TR/Ransom.UL` `MAX: malware (ai score=100)` `Antiy-AVL: Trojan[Ransom]/Win32.Scatter` `Endgame: malicious (high confidence)` `Microsoft: Ransom:Win32/WannaCrypt.H` `AegisLab: Trojan.Win32.Wanna.u!c` `ZoneAlarm: Trojan-Ransom.Win32.Wanna.m` `AhnLab-V3: Trojan/Win32.WannaCryptor.R200572` `Acronis: suspicious` `VBA32: TrojanRansom.Wanna` `ALYac: Trojan.Ransom.WannaCryptor` `TACHYON: Ransom/W32.WannaCry.Zen` `Cylance: Unsafe` `Zoner: Trojan.Win32.59562` `ESET-NOD32: Win32/Exploit.CVE-2017-0147.A` `Rising: Exploit.EternalBlue!1.AAED (CLASSIC)` `Yandex: Exploit.CVE-2017-0147!` `SentinelOne: static engine - malicious` `eGambit: Trojan.Generic` `GData: Win32.Trojan-Ransom.WannaCry.D` `AVG: Sf:WNCryLdr-A [Trj]` `Cybereason: malicious.9694b6` `Panda: Trj/RansomCrypt.I` `CrowdStrike: malicious_confidence_100% (W)` `Qihoo-360: Win32/Worm.WannaCrypt.B`

Hashes

MD5	`272d02d9694b6108ce0cb93be8af8f16`
SHA1	`6e34070d194e33e9eef908f71e6cc597d3283f5d`
SHA256	`79f1263d4f4c1c3fcb3698f6ebb2214999e4fc462cc15f5fe9f366c1e44d2bb8`
SHA3	`7162a621c8db08934cfb09950fd3160add92b7da20f83f1ff2d566e3f044c447`
SSDeep	`98304:ZDqPoBhz1aRxcSUZk36SAEdhvxWa9P593R8yAVp2HI:ZDqPe1Cxc7k3ZAEUadzR8yc4HI`
Imports Hash	`f13e2041cdff3dd5acef675d56aa3d19`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2010-Nov-20 09:03:08
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x9000`
SizeOfInitializedData	`0x383000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00009A16 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xa000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x66b000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`570b25a22563c416fafb8a553e60afda`
SHA1	`4aadc2b9141d5a3026effd139b2679308f7cd5a9`
SHA256	`c70b5004cbabd931b3976dbd2ea42d3f8b5110e5753fba29a45636dc209adf7c`
SHA3	`1b02ac078bd307f6154989427c9ab92a78e7113492c4d09b410b8fc23202a13d`
VirtualSize	`0x8bca`
VirtualAddress	`0x1000`
SizeOfRawData	`0x9000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.13445`

.rdata

MD5	`d8037d744b539326c06e897625751cc9`
SHA1	`8c528f41cd4533228264ee639fad17e5be8bf817`
SHA256	`532e9419f23eaf5eb0e8828b211a7164cbf80ad54461bc748c1ec2349552e6a2`
SHA3	`5d39450e3d956e25cae7060d586eba36290927433c53df9b26f417ec5d91052d`
VirtualSize	`0x998`
VirtualAddress	`0xa000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xa000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.50362`

.data

MD5	`22a8598dc29cad7078c291e94612ce26`
SHA1	`26a45092c8e8e59cb26e39d75f64ae7eb5ad5196`
SHA256	`6f93fb1b241a990ecc281f9c782f0da471628f6068925aaf580c1b1de86bce8a`
SHA3	`a9aa57a7ab5bd1318785a61d60d5c8d7564d9e83e2220be6bc22431d1688db7d`
VirtualSize	`0x30489c`
VirtualAddress	`0xb000`
SizeOfRawData	`0x27000`
PointerToRawData	`0xb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.10032`

.rsrc

MD5	`dba3b1a338eefa838946a6f4cda98411`
SHA1	`7f418bf4f667ceef206700b4c57e399324fe3909`
SHA256	`1dd2c8482322cdb1d7292c0579661acc624f86112baa0247dacb468fecaae90b`
SHA3	`c64def1441fd2a30b8ac65f90ac9d94e4301f7e44a14723eee09a4dc751d39d5`
VirtualSize	`0x35a454`
VirtualAddress	`0x310000`
SizeOfRawData	`0x35b000`
PointerToRawData	`0x32000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.99449`

Imports

KERNEL32.dll	`WaitForSingleObject` `InterlockedIncrement` `GetCurrentThreadId` `GetCurrentThread` `ReadFile` `GetFileSize` `CreateFileA` `MoveFileExA` `SizeofResource` `TerminateThread` `LoadResource` `FindResourceA` `GetProcAddress` `GetModuleHandleW` `ExitProcess` `GetModuleFileNameA` `LocalFree` `LocalAlloc` `CloseHandle` `InterlockedDecrement` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSection` `GlobalAlloc` `GlobalFree` `QueryPerformanceFrequency` `QueryPerformanceCounter` `GetTickCount` `LockResource` `Sleep` `GetStartupInfoA` `GetModuleHandleA`
ADVAPI32.dll	`StartServiceCtrlDispatcherA` `RegisterServiceCtrlHandlerA` `ChangeServiceConfig2A` `SetServiceStatus` `OpenSCManagerA` `CreateServiceA` `CloseServiceHandle` `StartServiceA` `CryptGenRandom` `CryptAcquireContextA` `OpenServiceA`
WS2_32.dll	`#3` `#16` `#19` `#8` `#14` `#115` `#12` `#10` `#18` `#9` `#23` `#4` `#11`
MSVCP60.dll	`??1_Lockit@std@@QAE@XZ` `??0_Lockit@std@@QAE@XZ`
iphlpapi.dll	`GetAdaptersInfo` `GetPerAdapterInfo`
WININET.dll	`InternetOpenA` `InternetOpenUrlA` `InternetCloseHandle`
MSVCRT.dll	`__set_app_type` `_stricmp` `__p__fmode` `__p__commode` `_except_handler3` `__setusermatherr` `_initterm` `__getmainargs` `_acmdln` `_adjust_fdiv` `_controlfp` `exit` `_XcptFilter` `_exit` `_onexit` `__dllonexit` `free` `??2@YAPAXI@Z` `_ftol` `sprintf` `_endthreadex` `strncpy` `rand` `_beginthreadex` `__CxxFrameHandler` `srand` `time` `__p___argc`

Delayed Imports

1831

Type	`R`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x35a000`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99453`
Detected Filetype	PE Executable
MD5	`c88722ef42a6ee08cbed91406ea5c0e5`
SHA1	`643960f48a68ba0778621871f37389215642c423`
SHA256	`efbc1542b29b798dbbeeb531bbb4b84d422843f9c66d3aff9f301ab9296d8b4c`
SHA3	`0f2f94f383ed97062534222cf2e63f74a807255169da568029ca537e4e55c362`

1

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x3b0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.81153`
MD5	`c99fdebb72785acef8c8f29966b7f545`
SHA1	`44a9c6a0d87458ab64d39a5c0202e075bc09e428`
SHA256	`a60ece3d3c202e3a55910cd7c4b71f6b1b4510df6b8d982f9273f982dc1f1e22`
SHA3	`fd1a5b8b99c6661380caa194b0fa93f5a0ccb17cadc66f20e9ed56759f775bc6`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xc33d5d11`
Unmarked objects	`0`
12 (7291)	`1`
14 (7299)	`4`
C objects (8047)	`11`
C++ objects (8047)	`1`
Linker (8047)	`4`
Imports (VS2003 (.NET) build 4035)	`11`
Total imports	`91`
C++ objects (VS98 SP6 build 8804)	`1`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Could not parse a VERSION_INFO resource!