Architecture |
IMAGE_FILE_MACHINE_I386
|
---|---|
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
Compilation Date | 2010-Nov-20 09:03:08 |
Detected languages |
English - United States
|
Info | Matching compiler(s): |
Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ 6.0 - 8.0 Microsoft Visual C++ 6.0 DLL Microsoft Visual C++ Microsoft Visual C++ v6.0 Microsoft Visual C++ v5.0/v6.0 (MFC) |
Suspicious | Strings found in the binary may indicate undesirable behavior: |
Miscellaneous malware strings:
|
Info | Cryptographic algorithms detected in the binary: |
Uses constants related to CRC32
Uses constants related to AES Microsoft's Cryptography API |
Malicious | This program contains valid cryptocurrency addresses. |
Contains a valid Bitcoin address:
|
Suspicious | The PE contains functions most legitimate programs don't use. |
Uses Microsoft's cryptographic API:
|
Malicious | The PE is possibly a dropper. |
Resource 1831 detected as a PE Executable.
Resource 1 is possibly compressed or encrypted. Resources amount for 94.4148% of the executable. |
Malicious | VirusTotal score: 65/71 (Scanned on 2019-02-02 23:31:07) |
Bkav:
W32.WannaCrypLTE.Trojan
MicroWorld-eScan: Trojan.Ransom.WannaCryptor.H CMC: Trojan-Ransom.Win32.Wanna!O CAT-QuickHeal: Trojan.Mauvaise.SL1 McAfee: Ransom-WannaCry!272D02D9694B Malwarebytes: Ransom.WannaCrypt SUPERAntiSpyware: Ransom.WannaCrypt/Variant TheHacker: Trojan/Exploit.CVE-2017-0147.a BitDefender: Trojan.Ransom.WannaCryptor.H K7GW: Exploit ( 0050d7a31 ) K7AntiVirus: Exploit ( 0050d7a31 ) Arcabit: Trojan.Ransom.WannaCryptor.H Invincea: heuristic Baidu: Win32.Worm.Rbot.a F-Prot: W32/WannaCrypt.D Symantec: Ransom.Wannacry TrendMicro-HouseCall: Ransom_WCRY.SM2 Paloalto: generic.ml ClamAV: Win.Ransomware.WannaCry-6313787-0 Kaspersky: Trojan-Ransom.Win32.Wanna.m Alibaba: Ransom:Win32/Wanna.4f6bbaf0 NANO-Antivirus: Trojan.Win32.Wanna.epclsl ViRobot: Trojan.Win32.WannaCry.3723264.A Avast: Sf:WNCryLdr-A [Trj] Tencent: Trojan.Win32.WannaCry.b Ad-Aware: Trojan.Ransom.WannaCryptor.H Emsisoft: Trojan.Ransom.WannaCryptor.H (B) Comodo: TrojWare.Win32.WannaCry.jet@714um4 F-Secure: Trojan:W32/WannaCry.D DrWeb: Trojan.Encoder.11432 Zillya: Trojan.WannaCry.Win32.1 TrendMicro: Ransom_WCRY.SM2 McAfee-GW-Edition: BehavesLike.Win32.RansomWannaCry.wc Fortinet: W32/WannaCryptor.H!tr.ransom Trapmine: malicious.high.ml.score Sophos: Troj/Ransom-EMG Ikarus: Trojan-Ransom.WannaCry Cyren: W32/WannaCrypt.E.gen!Eldorado Jiangmin: Trojan.WanaCry.i Webroot: W32.Ransom.Wannacry Avira: TR/Ransom.UL MAX: malware (ai score=100) Antiy-AVL: Trojan[Ransom]/Win32.Scatter Endgame: malicious (high confidence) Microsoft: Ransom:Win32/WannaCrypt.H AegisLab: Trojan.Win32.Wanna.u!c ZoneAlarm: Trojan-Ransom.Win32.Wanna.m AhnLab-V3: Trojan/Win32.WannaCryptor.R200572 Acronis: suspicious VBA32: TrojanRansom.Wanna ALYac: Trojan.Ransom.WannaCryptor TACHYON: Ransom/W32.WannaCry.Zen Cylance: Unsafe Zoner: Trojan.Win32.59562 ESET-NOD32: Win32/Exploit.CVE-2017-0147.A Rising: Exploit.EternalBlue!1.AAED (CLASSIC) Yandex: Exploit.CVE-2017-0147! SentinelOne: static engine - malicious eGambit: Trojan.Generic GData: Win32.Trojan-Ransom.WannaCry.D AVG: Sf:WNCryLdr-A [Trj] Cybereason: malicious.9694b6 Panda: Trj/RansomCrypt.I CrowdStrike: malicious_confidence_100% (W) Qihoo-360: Win32/Worm.WannaCrypt.B |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xf8 |
Signature | PE |
---|---|
Machine |
IMAGE_FILE_MACHINE_I386
|
NumberofSections | 4 |
TimeDateStamp | 2010-Nov-20 09:03:08 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
|
Magic | PE32 |
---|---|
LinkerVersion | 6.0 |
SizeOfCode | 0x9000 |
SizeOfInitializedData | 0x383000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00009A16 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0xa000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x1000 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x66b000 |
SizeOfHeaders | 0x1000 |
Checksum | 0 |
Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll |
WaitForSingleObject
InterlockedIncrement GetCurrentThreadId GetCurrentThread ReadFile GetFileSize CreateFileA MoveFileExA SizeofResource TerminateThread LoadResource FindResourceA GetProcAddress GetModuleHandleW ExitProcess GetModuleFileNameA LocalFree LocalAlloc CloseHandle InterlockedDecrement EnterCriticalSection LeaveCriticalSection InitializeCriticalSection GlobalAlloc GlobalFree QueryPerformanceFrequency QueryPerformanceCounter GetTickCount LockResource Sleep GetStartupInfoA GetModuleHandleA |
---|---|
ADVAPI32.dll |
StartServiceCtrlDispatcherA
RegisterServiceCtrlHandlerA ChangeServiceConfig2A SetServiceStatus OpenSCManagerA CreateServiceA CloseServiceHandle StartServiceA CryptGenRandom CryptAcquireContextA OpenServiceA |
WS2_32.dll |
#3
#16 #19 #8 #14 #115 #12 #10 #18 #9 #23 #4 #11 |
MSVCP60.dll |
??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@XZ |
iphlpapi.dll |
GetAdaptersInfo
GetPerAdapterInfo |
WININET.dll |
InternetOpenA
InternetOpenUrlA InternetCloseHandle |
MSVCRT.dll |
__set_app_type
_stricmp __p__fmode __p__commode _except_handler3 __setusermatherr _initterm __getmainargs _acmdln _adjust_fdiv _controlfp exit _XcptFilter _exit _onexit __dllonexit free ??2@YAPAXI@Z _ftol sprintf _endthreadex strncpy rand _beginthreadex __CxxFrameHandler srand time __p___argc |
XOR Key | 0xc33d5d11 |
---|---|
Unmarked objects | 0 |
12 (7291) | 1 |
14 (7299) | 4 |
C objects (8047) | 11 |
C++ objects (8047) | 1 |
Linker (8047) | 4 |
Imports (VS2003 (.NET) build 4035) | 11 |
Total imports | 91 |
C++ objects (VS98 SP6 build 8804) | 1 |
Resource objects (VS98 SP6 cvtres build 1736) | 1 |