| Summary | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2010-Nov-20 09:05:05 |
| Detected languages | English - United States |
| CompanyName | Microsoft Corporation |
| FileDescription | DiskPart |
| FileVersion | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| InternalName | diskpart.exe |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | diskpart.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 6.1.7601.17514 |
| Level | Finding | Details |
|---|---|---|
| Info | Matching compiler(s) | Microsoft Visual C++ 6.0 - 8.0; Microsoft Visual C++; Microsoft Visual C++ v6.0; Microsoft Visual C++ v5.0/v6.0 (MFC) |
| Suspicious | Strings found in the binary may indicate undesirable behavior | Miscellaneous malware strings: |
| Info | Cryptographic algorithms detected in the binary | Uses constants related to CRC32; Uses constants related to AES; Microsoft's Cryptography API |
| Malicious | This program contains valid cryptocurrency addresses | Contains a valid Bitcoin address: |
| Suspicious | The PE contains functions most legitimate programs don't use | [!] The program may be hiding some of its imports: |
| Suspicious | The PE is possibly a dropper | Resources account for 98.1255% of the executable |
| Malicious | VirusTotal score: 50/61 (Scanned on 2017-05-15 16:13:02) | Per-vendor detections listed in the table below |

| Vendor | Detection |
|---|---|
| Bkav | W32.RansomwareTBE.Trojan |
| MicroWorld-eScan | Trojan.GenericKD.5057849 |
| nProtect | Ransom/W32.Wanna.3514368 |
| CAT-QuickHeal | Ransom.WannaCrypt.A4 |
| McAfee | Ransom-WannaCry!509C41EC97BB |
| Malwarebytes | Ransom.WanaCrypt0r |
| K7GW | Trojan ( 0050d7171 ) |
| K7AntiVirus | Trojan ( 0050d7171 ) |
| Baidu | Win32.Trojan.WisdomEyes.16070401.9500.9973 |
| F-Prot | W32/WannaCrypt.D |
| Symantec | Ransom.Wannacry |
| ESET-NOD32 | Win32/Filecoder.WannaCryptor.D |
| TrendMicro-HouseCall | Ransom_WCRY.I |
| Paloalto | generic.ml |
| ClamAV | Win.Ransomware.WannaCry-6313787-0 |
| Kaspersky | Trojan-Ransom.Win32.Wanna.b |
| BitDefender | Trojan.GenericKD.5057849 |
| NANO-Antivirus | Trojan.Win32.Wanna.eopvyl |
| AegisLab | Uds.Dangerousobject.Multi!c |
| Avast | Win32:WanaCry-A [Trj] |
| Tencent | Win32.Trojan.Ransome.wannacry.pxgj |
| Ad-Aware | Trojan.GenericKD.5057849 |
| Sophos | Mal/Wanna-A |
| Comodo | TrojWare.Win32.Ransom.WannaCryptor.a |
| F-Secure | Trojan.GenericKD.5057849 |
| DrWeb | Trojan.Encoder.11432 |
| VIPRE | Trojan.Win32.Generic!BT |
| TrendMicro | Ransom_WCRY.I |
| McAfee-GW-Edition | BehavesLike.Win32.Backdoor.wc |
| Emsisoft | Trojan.GenericKD.5057849 (B) |
| Cyren | W32/Trojan.ZTSA-8671 |
| Jiangmin | Trojan.WanaCry.b |
| Webroot | W32.Ransomware.Wcry |
| Avira | TR/AD.RansomHeur.aexdn |
| Antiy-AVL | Trojan[Ransom]/Win32.Scatter |
| Microsoft | Ransom:Win32/WannaCrypt |
| Arcabit | Trojan.Generic.D4D2D39 |
| ViRobot | Trojan.Win32.S.WannaCry.3514368.G[h] |
| ZoneAlarm | Trojan-Ransom.Win32.Wanna.b |
| GData | Win32.Trojan-Ransom.WannaCry.A |
| AhnLab-V3 | Trojan/Win32.WannaCryptor.R200571 |
| ALYac | Trojan.Ransom.WannaCryptor |
| AVware | Trojan.Win32.Generic!BT |
| VBA32 | Trojan.Filecoder |
| Ikarus | Trojan-Ransom.WanaCrypt |
| Fortinet | W32/WannaCryptor.D!tr |
| AVG | Ransom_r.CFY |
| Panda | Trj/RansomCrypt.F |
| CrowdStrike | malicious_confidence_69% (W) |
| Qihoo-360 | Win32/Trojan.Ransom.3ae |
| DOS header field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xf8 |
| PE file header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberofSections | 4 |
| TimeDateStamp | 2010-Nov-20 09:05:05 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE; IMAGE_FILE_EXECUTABLE_IMAGE; IMAGE_FILE_LINE_NUMS_STRIPPED; IMAGE_FILE_LOCAL_SYMS_STRIPPED; IMAGE_FILE_RELOCS_STRIPPED |
| Optional header field | Value |
|---|---|
| Magic | PE32 |
| LinkerVersion | 6.0 |
| SizeOfCode | 0x7000 |
| SizeOfInitializedData | 0x352000 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x000077BA (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x8000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x1000 |
| OperatingSystemVersion | 4.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 4.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x35a000 |
| SizeOfHeaders | 0x1000 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| Imported DLL | Imported functions |
|---|---|
| KERNEL32.dll | GetFileAttributesW, GetFileSizeEx, CreateFileA, InitializeCriticalSection, DeleteCriticalSection, ReadFile, GetFileSize, WriteFile, LeaveCriticalSection, EnterCriticalSection, SetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetFileAttributesA, SizeofResource, LockResource, LoadResource, MultiByteToWideChar, Sleep, OpenMutexA, GetFullPathNameA, CopyFileA, GetModuleFileNameA, VirtualAlloc, VirtualFree, FreeLibrary, HeapAlloc, GetProcessHeap, GetModuleHandleA, SetLastError, VirtualProtect, IsBadReadPtr, HeapFree, SystemTimeToFileTime, LocalFileTimeToFileTime, CreateDirectoryA, GetStartupInfoA, SetFilePointer, SetFileTime, GetComputerNameW, GetCurrentDirectoryA, SetCurrentDirectoryA, GlobalAlloc, LoadLibraryA, GetProcAddress, GlobalFree, CreateProcessA, CloseHandle, WaitForSingleObject, TerminateProcess, GetExitCodeProcess, FindResourceA |
| USER32.dll | wsprintfA |
| ADVAPI32.dll | CreateServiceA, OpenServiceA, StartServiceA, CloseServiceHandle, CryptReleaseContext, RegCreateKeyW, RegSetValueExA, RegQueryValueExA, RegCloseKey, OpenSCManagerA |
| MSVCRT.dll | realloc, fclose, fwrite, fread, fopen, sprintf, rand, srand, strcpy, memset, strlen, wcscat, wcslen, __CxxFrameHandler, ??3@YAXPAX@Z, memcmp, _except_handler3, _local_unwind2, wcsrchr, swprintf, ??2@YAPAXI@Z, memcpy, strcmp, strrchr, __p___argv, __p___argc, _stricmp, free, malloc, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ??0exception@@QAE@ABQBD@Z, _CxxThrowException, calloc, strcat, _mbsstr, ??1type_info@@UAE@XZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp |
| Version info field | Value |
|---|---|
| Signature | 0xfeef04bd |
| StructVersion | 0x10000 |
| FileVersion | 6.1.7601.17514 |
| ProductVersion | 6.1.7601.17514 |
| FileFlags | (EMPTY) |
| FileOs | VOS_DOS_WINDOWS32; VOS_NT; VOS_NT_WINDOWS32; VOS_WINCE; VOS__WINDOWS32 |
| FileType | VFT_DLL |
| Language | English - United States |
| CompanyName | Microsoft Corporation |
| FileDescription | DiskPart |
| FileVersion (#2) | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| InternalName | diskpart.exe |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | diskpart.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion (#2) | 6.1.7601.17514 |
| Resource field | Value |
|---|---|
| Resource LangID | English - United States |
| Rich header entry | Value |
|---|---|
| XOR Key | 0x8254a4a4 |
| Unmarked objects | 0 |
| 12 (7291) | 2 |
| C++ objects (8047) | 1 |
| 14 (7299) | 4 |
| C objects (8047) | 11 |
| Linker (8047) | 4 |
| Imports (VS2003 (.NET) build 4035) | 13 |
| Total imports | 163 |
| C++ objects (VS98 SP6 build 8804) | 7 |
| Resource objects (VS98 SP6 cvtres build 1736) | 1 |