84c82835a5d21bbcf75a61706d8ab549

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2010-Nov-20 09:05:05
Detected languages English - United States
CompanyName Microsoft Corporation
FileDescription DiskPart
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName diskpart.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename diskpart.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7601.17514

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C++
Microsoft Visual C++ v6.0
Microsoft Visual C++ v5.0/v6.0 (MFC)
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to AES
Microsoft's Cryptography API
Malicious This program may be a ransomware. Contains a valid Bitcoin address:
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
 Can access the registry:
  • RegCreateKeyW
  • RegSetValueExA
  • RegQueryValueExA
  • RegCloseKey
 Possibly launches other programs:
  • CreateProcessA
 Uses Microsoft's cryptographic API:
  • CryptReleaseContext
 Can create temporary files:
  • CreateFileA
  • GetTempPathW
 Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
 Interacts with services:
  • CreateServiceA
  • OpenServiceA
  • OpenSCManagerA
Suspicious The PE is possibly a dropper. Resources amount for 98.1255% of the executable.
Malicious VirusTotal score: 69/73 (Scanned on 2024-07-17 23:01:46) ALYac: Trojan.Ransom.WannaCryptor
APEX: Malicious
AVG: Win32:WanaCry-A [Trj]
AhnLab-V3: Trojan/Win32.WannaCryptor.R200571
Alibaba: Ransom:Win32/WannaCry.ali1020010
Antiy-AVL: Trojan[Ransom]/Win32.Scatter
Arcabit: Trojan.Ransom.WannaCryptor.A
Avast: Win32:WanaCry-A [Trj]
Avira: TR/Ransom.JB
Baidu: Win32.Trojan.WannaCry.c
BitDefender: Trojan.Ransom.WannaCryptor.A
BitDefenderTheta: Gen:NN.ZexaF.36808.wt0@aGEmS3di
Bkav: W32.WanaCryptBTTc.Worm
CAT-QuickHeal: Ransom.WannaCrypt.A4
CrowdStrike: win/malicious_confidence_100% (W)
Cybereason: malicious.5a5d21
Cylance: Unsafe
Cynet: Malicious (score: 100)
DeepInstinct: MALICIOUS
DrWeb: Trojan.Encoder.11432
ESET-NOD32: Win32/Filecoder.WannaCryptor.D
Elastic: malicious (high confidence)
Emsisoft: Trojan.Ransom.WannaCryptor.A (B)
F-Secure: Trojan.TR/Ransom.JB
FireEye: Generic.mg.84c82835a5d21bbc
Fortinet: W32/WannaCryptor.6F87!tr.ransom
GData: Win32.Trojan-Ransom.WannaCry.A
Gridinsoft: Ransom.Win32.Filecoder.dd
Ikarus: Trojan-Ransom.WannaCry
Jiangmin: Trojan.Wanna.eo
K7AntiVirus: Trojan ( 0050d7171 )
K7GW: Trojan ( 0050d7171 )
Kaspersky: Trojan-Ransom.Win32.Wanna.zbu
Kingsoft: Win32.Troj.Undef.a
Lionic: Trojan.Win32.Wanna.toNn
MAX: malware (ai score=100)
Malwarebytes: Generic.Malware.AI.DDS
MaxSecure: Trojan.Ransom.Wanna.d
McAfee: Ransom-O.g
McAfeeD: ti!ED01EBFBC9EB
MicroWorld-eScan: Trojan.Ransom.WannaCryptor.A
Microsoft: Ransom:Win32/WannaCrypt
NANO-Antivirus: Trojan.Win32.Ransom.eoptnj
Paloalto: generic.ml
Panda: Trj/RansomCrypt.K
Rising: Ransom.WanaCrypt!1.AAEB (CLASSIC)
Sangfor: Ransom.Win32.Save.WannaCry
SentinelOne: Static AI - Malicious PE
Skyhigh: BehavesLike.Win32.Generic.wc
Sophos: Troj/Ransom-EMG
Symantec: Ransom.Wannacry
TACHYON: Ransom/W32.WannaCry.Zen
Tencent: Trojan-Ransom.Win32.WannaCry.kd
Trapmine: malicious.high.ml.score
TrendMicro: Ransom_WANA.A
TrendMicro-HouseCall: Ransom_WANA.A
VBA32: TrojanRansom.WannaCrypt
VIPRE: Trojan.Ransom.WannaCryptor.A
Varist: W32/Trojan.ZTSA-8671
ViRobot: Trojan.Win32.S.WannaCry.3514368.N
VirIT: Trojan.Win32.WannaCry.B
Webroot: W32.Ransomware.Wcry
Xcitium: Malware@#4gwtqo9z2tkf
Yandex: Trojan.Igent.bUj9pX.12
Zillya: Trojan.WannaCry.Win32.2
ZoneAlarm: Trojan-Ransom.Win32.Wanna.zbu
Zoner: Trojan.Win32.55605
alibabacloud: RansomWare
tehtris: Generic.Malware

Hashes

MD5 84c82835a5d21bbcf75a61706d8ab549
SHA1 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA3 b0e240ef9f18786c588c4cffa777e35b1741189d543cf2220f25291bab2d2214
SSDeep 98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Imports Hash 68f013d7437aa653a8a98a05807afeb1

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2010-Nov-20 09:05:05
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x7000
SizeOfInitializedData 0x352000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000077BA (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x8000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x35a000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 920e964050a1a5dd60dd00083fd541a2
SHA1 2eb82dfb19006b8970dcc5d72b2cf3fa1479538b
SHA256 55cda830ff2543783350fb781ed2bf77e72aa123134d2513acfb944487773054
SHA3 a294e1ddbf3569c07492fe333b75c73cc03c30219af55adf0b9cddcb00a33c4a
VirtualSize 0x69b0
VirtualAddress 0x1000
SizeOfRawData 0x7000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.40424

.rdata

MD5 2c42611802d585e6eed68595876d1a15
SHA1 18a834d08f616a6175c6e2281597d760c77c3d81
SHA256 a2acc94d242d28b6dd0a0859ec59ecc7f6b98d4ea09346b819d486b8827d2d79
SHA3 1d9c922261f7a5f4dc2a63f47b46e2e22d5c4bf3abffad17b8a1596c4bcadd01
VirtualSize 0x5f70
VirtualAddress 0x8000
SizeOfRawData 0x6000
PointerToRawData 0x8000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.66357

.data

MD5 83506e37bd8b50cacabd480f8eb3849b
SHA1 7bd2238995e2286a24e92667f161a3c14506d4e1
SHA256 110357de37bd422f6c68b66035e4652b99767819353f4c398953249a930fa823
SHA3 bea827e605da35d81e7fcf0b14dd94e3a8b65f1da641d4c60a4501d88ed3b243
VirtualSize 0x1958
VirtualAddress 0xe000
SizeOfRawData 0x2000
PointerToRawData 0xe000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.45575

.rsrc

MD5 f99ce7dc94308f0a149a19e022e4c316
SHA1 9782e77f3f117b9c50867e778a9e940cbc6cf080
SHA256 418c45aa8ad5b74ea7a820a4cf19b2fbc688502752d600a7800d3cbe1d058e44
SHA3 59f65388ffe5231f04c0e3e3c3053d952ea052f4eb722b788e628bd22347539d
VirtualSize 0x349fa0
VirtualAddress 0x10000
SizeOfRawData 0x34a000
PointerToRawData 0x10000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.99987

Imports

KERNEL32.dll GetFileAttributesW
GetFileSizeEx
CreateFileA
InitializeCriticalSection
DeleteCriticalSection
ReadFile
GetFileSize
WriteFile
LeaveCriticalSection
EnterCriticalSection
SetFileAttributesW
SetCurrentDirectoryW
CreateDirectoryW
GetTempPathW
GetWindowsDirectoryW
GetFileAttributesA
SizeofResource
LockResource
LoadResource
MultiByteToWideChar
Sleep
OpenMutexA
GetFullPathNameA
CopyFileA
GetModuleFileNameA
VirtualAlloc
VirtualFree
FreeLibrary
HeapAlloc
GetProcessHeap
GetModuleHandleA
SetLastError
VirtualProtect
IsBadReadPtr
HeapFree
SystemTimeToFileTime
LocalFileTimeToFileTime
CreateDirectoryA
GetStartupInfoA
SetFilePointer
SetFileTime
GetComputerNameW
GetCurrentDirectoryA
SetCurrentDirectoryA
GlobalAlloc
LoadLibraryA
GetProcAddress
GlobalFree
CreateProcessA
CloseHandle
WaitForSingleObject
TerminateProcess
GetExitCodeProcess
FindResourceA
USER32.dll wsprintfA
ADVAPI32.dll CreateServiceA
OpenServiceA
StartServiceA
CloseServiceHandle
CryptReleaseContext
RegCreateKeyW
RegSetValueExA
RegQueryValueExA
RegCloseKey
OpenSCManagerA
MSVCRT.dll realloc
fclose
fwrite
fread
fopen
sprintf
rand
srand
strcpy
memset
strlen
wcscat
wcslen
__CxxFrameHandler
??3@YAXPAX@Z
memcmp
_except_handler3
_local_unwind2
wcsrchr
swprintf
??2@YAPAXI@Z
memcpy
strcmp
strrchr
__p___argv
__p___argc
_stricmp
free
malloc
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
calloc
strcat
_mbsstr
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp

Delayed Imports

2058

Type XIA
Language English - United States
Codepage Latin 1 / Western European
Size 0x349635
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.99991
Detected Filetype Zip Compressed Archive
MD5 b576ada3366908875e5ce4cb3da6153a
SHA1 30f8820cf93a627c66195f0d77d6a409024c6e52
SHA256 5873c1b5b246c80ab88172d3294140a83d711cd64520a0c7dd7837f028146b80
SHA3 5f53b458ac8c5913f05bbb355b081e249293d4c61fe05c434b85c42381d54587

1

Type RT_VERSION
Language English - United States
Codepage Latin 1 / Western European
Size 0x388
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.52974
MD5 0e14014289c29078069237196bd3ea72
SHA1 466a736f7f6987b34cd7a130e26a8af13d3cf76c
SHA256 f8cbc0ddb17a85f2ba099416961efef915f8eba926681df7cd2c1fa69f3c2b6a
SHA3 0f32d24563bec84c879a217df97c162c36ccfc4f0905018de48fc22c5a7b39c4

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x4ef
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.03919
MD5 a31cf56465371581763e9f0a86d41987
SHA1 4a6cdd3cb3dab86effefdf7e4b29538c45f77440
SHA256 590b5bae6a9c329da6d5b836e3ec9baeb9607b8ea88e7015a01e021fc416707f
SHA3 57e03e5f85a9c20ef2e09b404a322f0c81f20df1c6c57ca65793fc9646bc2445

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.1.7601.17514
ProductVersion 6.1.7601.17514
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
CompanyName Microsoft Corporation
FileDescription DiskPart
FileVersion (#2) 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName diskpart.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename diskpart.exe
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 6.1.7601.17514
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x8254a4a4
Unmarked objects 0
12 (7291) 2
C++ objects (8047) 1
14 (7299) 4
C objects (8047) 11
Linker (8047) 4
Imports (VS2003 (.NET) build 4035) 13
Total imports 163
C++ objects (VS98 SP6 build 8804) 7
Resource objects (VS98 SP6 cvtres build 1736) 1

Errors

<-- -->