509c41ec97bb81b0567b059aa2f50fe8

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2010-Nov-20 09:05:05
Detected languages English - United States
CompanyName Microsoft Corporation
FileDescription DiskPart
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName diskpart.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename diskpart.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7601.17514

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C++
Microsoft Visual C++ v6.0
Microsoft Visual C++ v5.0/v6.0 (MFC)
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to AES
Microsoft's Cryptography API
Malicious This program contains valid cryptocurrency addresses. Contains a valid Bitcoin address:
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Can access the registry:
  • RegCreateKeyW
  • RegSetValueExA
  • RegQueryValueExA
  • RegCloseKey
Possibly launches other programs:
  • CreateProcessA
Uses Microsoft's cryptographic API:
  • CryptReleaseContext
Can create temporary files:
  • CreateFileA
  • GetTempPathW
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Interacts with services:
  • CreateServiceA
  • OpenServiceA
  • OpenSCManagerA
Suspicious The PE is possibly a dropper. Resources account for 98.1255% of the executable.
Malicious VirusTotal score: 50/61 (Scanned on 2017-05-15 16:13:02)
Bkav: W32.RansomwareTBE.Trojan
MicroWorld-eScan: Trojan.GenericKD.5057849
nProtect: Ransom/W32.Wanna.3514368
CAT-QuickHeal: Ransom.WannaCrypt.A4
McAfee: Ransom-WannaCry!509C41EC97BB
Malwarebytes: Ransom.WanaCrypt0r
K7GW: Trojan ( 0050d7171 )
K7AntiVirus: Trojan ( 0050d7171 )
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9973
F-Prot: W32/WannaCrypt.D
Symantec: Ransom.Wannacry
ESET-NOD32: Win32/Filecoder.WannaCryptor.D
TrendMicro-HouseCall: Ransom_WCRY.I
Paloalto: generic.ml
ClamAV: Win.Ransomware.WannaCry-6313787-0
Kaspersky: Trojan-Ransom.Win32.Wanna.b
BitDefender: Trojan.GenericKD.5057849
NANO-Antivirus: Trojan.Win32.Wanna.eopvyl
AegisLab: Uds.Dangerousobject.Multi!c
Avast: Win32:WanaCry-A [Trj]
Tencent: Win32.Trojan.Ransome.wannacry.pxgj
Ad-Aware: Trojan.GenericKD.5057849
Sophos: Mal/Wanna-A
Comodo: TrojWare.Win32.Ransom.WannaCryptor.a
F-Secure: Trojan.GenericKD.5057849
DrWeb: Trojan.Encoder.11432
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: Ransom_WCRY.I
McAfee-GW-Edition: BehavesLike.Win32.Backdoor.wc
Emsisoft: Trojan.GenericKD.5057849 (B)
Cyren: W32/Trojan.ZTSA-8671
Jiangmin: Trojan.WanaCry.b
Webroot: W32.Ransomware.Wcry
Avira: TR/AD.RansomHeur.aexdn
Antiy-AVL: Trojan[Ransom]/Win32.Scatter
Microsoft: Ransom:Win32/WannaCrypt
Arcabit: Trojan.Generic.D4D2D39
ViRobot: Trojan.Win32.S.WannaCry.3514368.G[h]
ZoneAlarm: Trojan-Ransom.Win32.Wanna.b
GData: Win32.Trojan-Ransom.WannaCry.A
AhnLab-V3: Trojan/Win32.WannaCryptor.R200571
ALYac: Trojan.Ransom.WannaCryptor
AVware: Trojan.Win32.Generic!BT
VBA32: Trojan.Filecoder
Ikarus: Trojan-Ransom.WanaCrypt
Fortinet: W32/WannaCryptor.D!tr
AVG: Ransom_r.CFY
Panda: Trj/RansomCrypt.F
CrowdStrike: malicious_confidence_69% (W)
Qihoo-360: Win32/Trojan.Ransom.3ae
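The "valid Bitcoin address" finding above rests on Base58Check: a mainnet address decodes to 25 bytes (one version byte, a 20-byte hash, a 4-byte checksum) and the checksum must equal the first four bytes of SHA-256 applied twice to the first 21 bytes. The Python below is an added worked example, not part of the Manalyzer output, that reproduces that test and runs it over a constructed byte blob containing the three addresses listed in the report plus a copy with its last character altered; the blob, the address-length bounds and the "1"/"3" prefix filter are assumptions made for the example.

```python
import hashlib

# Bitcoin's Base58 alphabet: 0, O, I and l are left out to avoid confusion.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_B58_INDEX = {c: i for i, c in enumerate(_B58)}


def base58_decode(s: str) -> bytes:
    """Decode Base58 to bytes. Each leading '1' encodes one 0x00 byte, which
    a plain base conversion would drop, so they are restored explicitly."""
    num = 0
    for ch in s:
        if ch not in _B58_INDEX:
            raise ValueError(f"invalid Base58 character {ch!r}")
        num = num * 58 + _B58_INDEX[ch]
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_btc_address(s: str) -> bool:
    """Base58Check test for a Bitcoin mainnet address: 25 decoded bytes, a
    version byte of 0x00 (P2PKH, '1...') or 0x05 (P2SH, '3...'), and a
    checksum equal to the first 4 bytes of SHA-256(SHA-256(version+hash160))."""
    if not 26 <= len(s) <= 35:          # length bounds assumed for the example
        return False
    try:
        raw = base58_decode(s)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_btc_addresses(blob: bytes) -> list[str]:
    """Scan raw bytes for Base58 runs and keep the ones that pass the checksum.
    The checksum is what separates real addresses from random Base58-looking
    text, which is the basis of the report's 'valid Bitcoin address' finding."""
    found, run = [], []
    for b in blob + b"\x00":            # trailing sentinel flushes the last run
        ch = chr(b)
        if ch in _B58_INDEX:
            run.append(ch)
            continue
        if run:
            cand = "".join(run)
            if cand[0] in "13" and is_valid_btc_address(cand) and cand not in found:
                found.append(cand)
            run = []
    return found


# Constructed sample blob (not data carved from the sample): the three addresses
# from the report surrounded by filler, plus a copy with its last character
# changed, which fails the checksum and must not be reported.
SAMPLE_BLOB = (
    b"Send $300 worth of bitcoin to 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn\x00"
    b"\x90\x90\xcc 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw\r\n"
    b"or 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 \x00"
    b"13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb95\x00"
)

if __name__ == "__main__":
    for addr in extract_btc_addresses(SAMPLE_BLOB):
        print("valid Bitcoin address:", addr)
```

The checksum filter is what gives this heuristic a low false-positive rate: a random 34-character Base58 string passes with probability 2^-32, so a string that does pass was almost certainly put there deliberately, which is why the report classifies the finding as Malicious rather than Suspicious.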

Hashes

MD5 509c41ec97bb81b0567b059aa2f50fe8
SHA1 87420a2791d18dad3f18be436045280a4cc16fc4
SHA256 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
SHA3 914382a031041157e2e9541fe970a6d43c630cc96362a63aaae7a6ae2c1afb86
SSDeep 98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Imports Hash 68f013d7437aa653a8a98a05807afeb1

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2010-Nov-20 09:05:05
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x7000
SizeOfInitializedData 0x352000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000077BA (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x8000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x35a000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 920e964050a1a5dd60dd00083fd541a2
SHA1 2eb82dfb19006b8970dcc5d72b2cf3fa1479538b
SHA256 55cda830ff2543783350fb781ed2bf77e72aa123134d2513acfb944487773054
SHA3 a294e1ddbf3569c07492fe333b75c73cc03c30219af55adf0b9cddcb00a33c4a
VirtualSize 0x69b0
VirtualAddress 0x1000
SizeOfRawData 0x7000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.40424

.rdata

MD5 2c42611802d585e6eed68595876d1a15
SHA1 18a834d08f616a6175c6e2281597d760c77c3d81
SHA256 a2acc94d242d28b6dd0a0859ec59ecc7f6b98d4ea09346b819d486b8827d2d79
SHA3 1d9c922261f7a5f4dc2a63f47b46e2e22d5c4bf3abffad17b8a1596c4bcadd01
VirtualSize 0x5f70
VirtualAddress 0x8000
SizeOfRawData 0x6000
PointerToRawData 0x8000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.66357

.data

MD5 83506e37bd8b50cacabd480f8eb3849b
SHA1 7bd2238995e2286a24e92667f161a3c14506d4e1
SHA256 110357de37bd422f6c68b66035e4652b99767819353f4c398953249a930fa823
SHA3 bea827e605da35d81e7fcf0b14dd94e3a8b65f1da641d4c60a4501d88ed3b243
VirtualSize 0x1958
VirtualAddress 0xe000
SizeOfRawData 0x2000
PointerToRawData 0xe000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.45575

.rsrc

MD5 4ddc9b76f38b5823f69e1f505a0a152d
SHA1 430088edeae231eede453a0c43098815d67003ba
SHA256 0265fe1fab8a22472a3e779d6e3ebd8fee81092e72873d89fef2ead9df7a3a36
SHA3 70e00f4ea8362218225e241224d7c18c03ce642e45637badd3b9413b294db24d
VirtualSize 0x349fa0
VirtualAddress 0x10000
SizeOfRawData 0x34a000
PointerToRawData 0x10000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.99987

Imports

KERNEL32.dll GetFileAttributesW
GetFileSizeEx
CreateFileA
InitializeCriticalSection
DeleteCriticalSection
ReadFile
GetFileSize
WriteFile
LeaveCriticalSection
EnterCriticalSection
SetFileAttributesW
SetCurrentDirectoryW
CreateDirectoryW
GetTempPathW
GetWindowsDirectoryW
GetFileAttributesA
SizeofResource
LockResource
LoadResource
MultiByteToWideChar
Sleep
OpenMutexA
GetFullPathNameA
CopyFileA
GetModuleFileNameA
VirtualAlloc
VirtualFree
FreeLibrary
HeapAlloc
GetProcessHeap
GetModuleHandleA
SetLastError
VirtualProtect
IsBadReadPtr
HeapFree
SystemTimeToFileTime
LocalFileTimeToFileTime
CreateDirectoryA
GetStartupInfoA
SetFilePointer
SetFileTime
GetComputerNameW
GetCurrentDirectoryA
SetCurrentDirectoryA
GlobalAlloc
LoadLibraryA
GetProcAddress
GlobalFree
CreateProcessA
CloseHandle
WaitForSingleObject
TerminateProcess
GetExitCodeProcess
FindResourceA
USER32.dll wsprintfA
ADVAPI32.dll CreateServiceA
OpenServiceA
StartServiceA
CloseServiceHandle
CryptReleaseContext
RegCreateKeyW
RegSetValueExA
RegQueryValueExA
RegCloseKey
OpenSCManagerA
MSVCRT.dll realloc
fclose
fwrite
fread
fopen
sprintf
rand
srand
strcpy
memset
strlen
wcscat
wcslen
__CxxFrameHandler
??3@YAXPAX@Z
memcmp
_except_handler3
_local_unwind2
wcsrchr
swprintf
??2@YAPAXI@Z
memcpy
strcmp
strrchr
__p___argv
__p___argc
_stricmp
free
malloc
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
calloc
strcat
_mbsstr
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp

Delayed Imports

Resources

2058

Type XIA
Language English - United States
Codepage Latin 1 / Western European
Size 0x349635
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.99991
Detected Filetype Zip Compressed Archive
MD5 5b225149abb8c8eb245445f707e6f0d2
SHA1 9a8dc36e140fc5efca1d3b9b9a60c79b4cd3e629
SHA256 e5dc596982f00061bf64e4d89d7d9665ce42feaddf62f1d9e40c240ec0f6d7e1
SHA3 01b3f99c01ab93e278638270824e6cbf4cd4c3bf72b53aa587a52ae06764197a
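Three figures above carry the "possibly a dropper" verdict: .rsrc is 98% of the file, its entropy is 7.99987 (almost the 8.0 maximum, i.e. compressed or encrypted data), and resource 2058 of type XIA is detected as a ZIP archive. The Python below is an added example, not Manalyzer code, that reproduces those checks with the standard library only: it follows e_lfanew to the PE signature, reads the COFF header and section table, computes per-section entropy and file ratio, and scans each section for the ZIP local-file-header magic. It runs on a constructed minimal PE built in the block (not the analysed sample); the 0.9 ratio and 7.9 entropy thresholds are assumptions chosen for the example.

```python
import hashlib
import math
import struct
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header signature


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _find_all(hay: bytes, needle: bytes) -> list[int]:
    hits, i = [], hay.find(needle)
    while i != -1:
        hits.append(i)
        i = hay.find(needle, i + 1)
    return hits


def parse_sections(pe: bytes) -> list[dict]:
    """Follow e_lfanew to the PE signature, read NumberOfSections and
    SizeOfOptionalHeader from the COFF header, then walk the 40-byte
    section headers and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_ptr": rawptr,
            "characteristics": struct.unpack_from("<I", pe, off + 36)[0],
            "entropy": shannon_entropy(raw),
            "file_ratio": rawsize / len(pe),
            "zip_offsets": _find_all(raw, ZIP_MAGIC),
        })
    return sections


def dropper_indicators(pe: bytes, ratio_threshold: float = 0.9,
                       entropy_threshold: float = 7.9) -> list[str]:
    """The report's reasoning as code: a resource section that dominates the
    file, sits near maximum entropy, or carries an archive header is a
    payload waiting to be written to disk. Thresholds are example choices."""
    findings = []
    for s in parse_sections(pe):
        if s["name"] == ".rsrc" and s["file_ratio"] > ratio_threshold:
            findings.append(f".rsrc is {s['file_ratio']:.2%} of the file")
        if s["entropy"] > entropy_threshold:
            findings.append(f"{s['name']} entropy {s['entropy']:.5f}: compressed or encrypted data")
        for off in s["zip_offsets"]:
            findings.append(f"{s['name']} holds a ZIP local file header at section offset 0x{off:x}")
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal 32-bit PE (not the analysed sample): a small, low
    entropy .text and a large .rsrc filled with a SHA-256 chain (deterministic,
    near-8.0 entropy) that starts with the ZIP magic."""
    text = (b"\x90" * 0x200 + b"\xc3").ljust(0x400, b"\x00")
    stream, block = b"", b"example seed"
    while len(stream) < 0x10000:
        block = hashlib.sha256(block).digest()
        stream += block
    rsrc = ZIP_MAGIC + stream[:0x10000 - len(ZIP_MAGIC)]
    e_lfanew, opt_size, headers_size = 0x80, 0xE0, 0x400
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # COFF: Machine=i386, 2 sections, no timestamp/symbols, optional header size, EXECUTABLE|32BIT
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")  # PE32 magic, rest zeroed

    def section(name, vaddr, data, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data), raw_ptr, 0, 0, 0, 0, flags)

    table = (section(b".text", 0x1000, text, headers_size, 0x60000020)                  # CODE|EXECUTE|READ
             + section(b".rsrc", 0x2000, rsrc, headers_size + len(text), 0x40000040))   # INITIALIZED_DATA|READ
    header = (dos + coff + optional + table).ljust(headers_size, b"\x00")
    return header + text + rsrc


if __name__ == "__main__":
    for line in dropper_indicators(build_sample_pe()):
        print(line)
```

Scanning the raw section for the PK magic sidesteps parsing the resource directory, which is enough for triage; to carve the payload properly, walk the resource tree to the XIA/2058 entry and use its data RVA and size, then subtract the section's VirtualAddress and add PointerToRawData to get the file offset.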

1

Type RT_VERSION
Language English - United States
Codepage Latin 1 / Western European
Size 0x388
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.52974
MD5 0e14014289c29078069237196bd3ea72
SHA1 466a736f7f6987b34cd7a130e26a8af13d3cf76c
SHA256 f8cbc0ddb17a85f2ba099416961efef915f8eba926681df7cd2c1fa69f3c2b6a
SHA3 0f32d24563bec84c879a217df97c162c36ccfc4f0905018de48fc22c5a7b39c4

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x4ef
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.03919
MD5 a31cf56465371581763e9f0a86d41987
SHA1 4a6cdd3cb3dab86effefdf7e4b29538c45f77440
SHA256 590b5bae6a9c329da6d5b836e3ec9baeb9607b8ea88e7015a01e021fc416707f
SHA3 57e03e5f85a9c20ef2e09b404a322f0c81f20df1c6c57ca65793fc9646bc2445

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.1.7601.17514
ProductVersion 6.1.7601.17514
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
CompanyName Microsoft Corporation
FileDescription DiskPart
FileVersion (#2) 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName diskpart.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename diskpart.exe
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 6.1.7601.17514
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x8254a4a4
Unmarked objects 0
12 (7291) 2
C++ objects (8047) 1
14 (7299) 4
C objects (8047) 11
Linker (8047) 4
Imports (VS2003 (.NET) build 4035) 13
Total imports 163
C++ objects (VS98 SP6 build 8804) 7
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors
