84c82835a5d21bbcf75a61706d8ab549

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2010-Nov-20 09:05:05
Detected languages English - United States
CompanyName Microsoft Corporation
FileDescription DiskPart
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName diskpart.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename diskpart.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7601.17514

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C++
Microsoft Visual C++ v6.0
Microsoft Visual C++ v5.0/v6.0 (MFC)
Suspicious Strings found in the binary may indicate undesirable behavior: Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to AES
Microsoft's Cryptography API
Malicious This program may be ransomware. Contains a valid Bitcoin address:
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Possibly launches other programs:
  • CreateProcessA
Uses Microsoft's cryptographic API:
  • CryptReleaseContext
Can create temporary files:
  • CreateFileA
  • GetTempPathW
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Interacts with services:
  • CreateServiceA
  • OpenServiceA
  • OpenSCManagerA
Suspicious The PE is possibly a dropper. Resources account for 98.1255% of the executable.
Info The following exploit mitigation techniques have been detected:
Stack Canary: disabled
SafeSEH: disabled
ASLR: disabled
DEP: disabled
Malicious VirusTotal score: 58/62 (Scanned on 2017-07-08 14:55:28)
Bkav: W32.WanaCryptBTTc.Worm
MicroWorld-eScan: Trojan.Ransom.WannaCryptor.A
nProtect: Ransom/W32.WannaCry.Zen
CAT-QuickHeal: Ransom.WannaCrypt.A4
McAfee: Ransom-O
Cylance: Unsafe
TheHacker: Trojan/Filecoder.WannaCryptor.d
K7GW: Trojan ( 0050d7171 )
K7AntiVirus: Trojan ( 0050d7171 )
Baidu: Win32.Trojan.WannaCry.c
F-Prot: W32/WannaCrypt.D
Symantec: Ransom.Wannacry
ESET-NOD32: Win32/Filecoder.WannaCryptor.D
TrendMicro-HouseCall: Ransom_WANA.A
Paloalto: generic.ml
ClamAV: Win.Trojan.Agent-6312832-0
Kaspersky: Trojan-Ransom.Win32.Wanna.zbu
BitDefender: Trojan.Ransom.WannaCryptor.A
NANO-Antivirus: Trojan.Win32.Ransom.eoptnj
ViRobot: Trojan.Win32.S.WannaCry.3514368.N
Avast: Win32:WanaCry-A [Trj]
Rising: Malware.Heuristic!ET#89% (cloud:vZkqDj6QDKF)
Ad-Aware: Trojan.Ransom.WannaCryptor.A
Sophos: Troj/Ransom-EMG
Comodo: UnclassifiedMalware
F-Secure: Trojan.Ransom.WannaCryptor.A
DrWeb: Trojan.Encoder.12624
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: Ransom_WANA.A
McAfee-GW-Edition: BehavesLike.Win32.RansomWannaCry.wc
Emsisoft: Trojan.Ransom.WannaCryptor.A (B)
SentinelOne: static engine - malicious
Cyren: W32/Trojan.ZTSA-8671
Jiangmin: Trojan.WanaCry.b
Webroot: W32.Ransomware.Wcry
Avira: TR/AD.RansomHeur.aexdn
Antiy-AVL: Trojan[Ransom]/Win32.Scatter
Microsoft: Ransom:Win32/WannaCrypt
Endgame: malicious (high confidence)
Arcabit: Trojan.Ransom.WannaCryptor.A
AegisLab: Uds.Dangerousobject.Multi!c
ZoneAlarm: Trojan-Ransom.Win32.Wanna.zbu
GData: Win32.Trojan-Ransom.WannaCry.A
AhnLab-V3: Trojan/Win32.WannaCryptor.R200571
ALYac: Trojan.Ransom.WannaCryptor
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=100)
VBA32: Trojan.Filecoder
Malwarebytes: Ransom.WannaCrypt
Zoner: Trojan.Wanna
Tencent: Win32.Trojan.Ransomlocker.Rokl
Yandex: Trojan.Filecoder!LcLqI1eM+lA
Ikarus: Trojan-Ransom.WannaCry
Fortinet: W32/WannaCryptor.D!tr
AVG: Win32:WanaCry-A [Trj]
Panda: Trj/RansomCrypt.K
CrowdStrike: malicious_confidence_100% (W)
Qihoo-360: Win32/Trojan.Multi.daf

Hashes

MD5 84c82835a5d21bbcf75a61706d8ab549
SHA1 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA3 e4e2faf3a139c7d9505b38028b15cabafcc92072b82b335da7f56e77e83196a6
SSDeep 98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Imports Hash 68f013d7437aa653a8a98a05807afeb1

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2010-Nov-20 09:05:05
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x7000
SizeOfInitializedData 0x352000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x77ba (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x8000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x35a000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics (EMPTY)
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 920e964050a1a5dd60dd00083fd541a2
SHA1 2eb82dfb19006b8970dcc5d72b2cf3fa1479538b
SHA256 55cda830ff2543783350fb781ed2bf77e72aa123134d2513acfb944487773054
SHA3 a2822a8d35b415acb431f13377894219256f8a437ee80cd899c8f0a042afb9af
VirtualSize 0x69b0
VirtualAddress 0x1000
SizeOfRawData 0x7000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.40424

.rdata

MD5 2c42611802d585e6eed68595876d1a15
SHA1 18a834d08f616a6175c6e2281597d760c77c3d81
SHA256 a2acc94d242d28b6dd0a0859ec59ecc7f6b98d4ea09346b819d486b8827d2d79
SHA3 d2169cb2dc1c47dc927a5a2decd56b054a1b4836fdca1dbe4f01f3564f9655fe
VirtualSize 0x5f70
VirtualAddress 0x8000
SizeOfRawData 0x6000
PointerToRawData 0x8000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.66357

.data

MD5 83506e37bd8b50cacabd480f8eb3849b
SHA1 7bd2238995e2286a24e92667f161a3c14506d4e1
SHA256 110357de37bd422f6c68b66035e4652b99767819353f4c398953249a930fa823
SHA3 faef36d967ea3370ca162c028893a07c1662ce5519201de3a8bd51f9b48225a5
VirtualSize 0x1958
VirtualAddress 0xe000
SizeOfRawData 0x2000
PointerToRawData 0xe000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.45575

.rsrc

MD5 f99ce7dc94308f0a149a19e022e4c316
SHA1 9782e77f3f117b9c50867e778a9e940cbc6cf080
SHA256 418c45aa8ad5b74ea7a820a4cf19b2fbc688502752d600a7800d3cbe1d058e44
SHA3 c9fd13f5f2cce5d3e19f500044e24ea2fb8d1b82a52fabb5fe142641650cb708
VirtualSize 0x349fa0
VirtualAddress 0x10000
SizeOfRawData 0x34a000
PointerToRawData 0x10000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.99987

Imports

KERNEL32.dll GetFileAttributesW
GetFileSizeEx
CreateFileA
InitializeCriticalSection
DeleteCriticalSection
ReadFile
GetFileSize
WriteFile
LeaveCriticalSection
EnterCriticalSection
SetFileAttributesW
SetCurrentDirectoryW
CreateDirectoryW
GetTempPathW
GetWindowsDirectoryW
GetFileAttributesA
SizeofResource
LockResource
LoadResource
MultiByteToWideChar
Sleep
OpenMutexA
GetFullPathNameA
CopyFileA
GetModuleFileNameA
VirtualAlloc
VirtualFree
FreeLibrary
HeapAlloc
GetProcessHeap
GetModuleHandleA
SetLastError
VirtualProtect
IsBadReadPtr
HeapFree
SystemTimeToFileTime
LocalFileTimeToFileTime
CreateDirectoryA
GetStartupInfoA
SetFilePointer
SetFileTime
GetComputerNameW
GetCurrentDirectoryA
SetCurrentDirectoryA
GlobalAlloc
LoadLibraryA
GetProcAddress
GlobalFree
CreateProcessA
CloseHandle
WaitForSingleObject
TerminateProcess
GetExitCodeProcess
FindResourceA
USER32.dll wsprintfA
ADVAPI32.dll CreateServiceA
OpenServiceA
StartServiceA
CloseServiceHandle
CryptReleaseContext
RegCreateKeyW
RegSetValueExA
RegQueryValueExA
RegCloseKey
OpenSCManagerA
MSVCRT.dll realloc
fclose
fwrite
fread
fopen
sprintf
rand
srand
strcpy
memset
strlen
wcscat
wcslen
__CxxFrameHandler
??3@YAXPAX@Z
memcmp
_except_handler3
_local_unwind2
wcsrchr
swprintf
??2@YAPAXI@Z
memcpy
strcmp
strrchr
__p___argv
__p___argc
_stricmp
free
malloc
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
calloc
strcat
_mbsstr
??1type_info@@UAE@XZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp

Delayed Imports

2058

Type XIA
Language English - United States
Codepage Latin 1 / Western European
Size 0x349635
Entropy 7.99991
Detected Filetype Zip Compressed Archive
MD5 b576ada3366908875e5ce4cb3da6153a
SHA1 30f8820cf93a627c66195f0d77d6a409024c6e52
SHA256 5873c1b5b246c80ab88172d3294140a83d711cd64520a0c7dd7837f028146b80
SHA3 6a5a8e87dc83cc793d5c680eb7a51ca159f868c6b10cabd350befbca2144ad4c

1

Type RT_MANIFEST
Language English - United States
Codepage Latin 1 / Western European
Size 0x4ef
Entropy 5.03919
MD5 a31cf56465371581763e9f0a86d41987
SHA1 4a6cdd3cb3dab86effefdf7e4b29538c45f77440
SHA256 590b5bae6a9c329da6d5b836e3ec9baeb9607b8ea88e7015a01e021fc416707f
SHA3 2a78a9724e8d29bf17a13767eae321c3d3132fd02203b993fc6158574837498e

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
ProductVersion 6.1.7601.17514
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
CompanyName Microsoft Corporation
FileDescription DiskPart
InternalName diskpart.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename diskpart.exe
ProductName Microsoft® Windows® Operating System
Resource LangID English - United States

TLS Callbacks

Load Configuration

Errors