Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2010-Nov-20 09:05:05 |
Detected languages | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | DiskPart |
FileVersion | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
InternalName | diskpart.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | diskpart.exe |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 6.1.7601.17514 |
Severity | Finding | Details |
---|---|---|
Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0; Microsoft Visual C++; Microsoft Visual C++ v6.0; Microsoft Visual C++ v5.0/v6.0 (MFC) |
Suspicious | Strings found in the binary may indicate undesirable behavior: | Miscellaneous malware strings: |
Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32; Uses constants related to AES; Microsoft's Cryptography API |
Malicious | This program may be a ransomware. | Contains a valid Bitcoin address: |
Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports: |
Suspicious | The PE is possibly a dropper. | Resources amount for 98.1255% of the executable. |
Malicious | VirusTotal score: 68/72 (Scanned on 2022-11-22 23:12:13) | Bkav: W32.WannaCrypLTQ.Trojan; Lionic: Trojan.Win32.Wanna.toNn; tehtris: Generic.Malware; DrWeb: Trojan.Encoder.11432; MicroWorld-eScan: Trojan.Ransom.WannaCryptor.A; CAT-QuickHeal: Ransom.WannaCrypt.A4; McAfee: Ransom-O.g; Cylance: Unsafe; VIPRE: Trojan.Ransom.WannaCryptor.A; Sangfor: Ransom.Win32.Wannacrypt_0.se2; K7AntiVirus: Trojan ( 0050d7171 ); Alibaba: Ransom:Win32/WannaCry.ali1020010; K7GW: Trojan ( 0050d7171 ); Cybereason: malicious.5a5d21; BitDefenderTheta: Gen:NN.ZexaF.34796.wt0@aGEmS3di; VirIT: Trojan.Win32.WannaCry.B; Cyren: W32/Trojan.ZTSA-8671; Symantec: Ransom.Wannacry; Elastic: malicious (high confidence); ESET-NOD32: Win32/Filecoder.WannaCryptor.D; APEX: Malicious; TrendMicro-HouseCall: Ransom_WANA.A; ClamAV: Win.Ransomware.Wannacryptor-9940180-0; Kaspersky: Trojan-Ransom.Win32.Wanna.zbu; BitDefender: Trojan.Ransom.WannaCryptor.A; NANO-Antivirus: Trojan.Win32.Ransom.eoptnj; ViRobot: Trojan.Win32.S.WannaCry.3514368.N; Avast: Win32:WanaCry-A [Trj]; Tencent: Trojan-Ransom.Win32.Wcry.a; Ad-Aware: Trojan.Ransom.WannaCryptor.A; Sophos: ML/PE-A + Troj/Ransom-EMG; Comodo: TrojWare.Win32.Ransom.WannaCrypt.B@719b9h; Baidu: Win32.Trojan.WannaCry.c; Zillya: Trojan.WannaCry.Win32.2; TrendMicro: Ransom_WANA.A; McAfee-GW-Edition: BehavesLike.Win32.Generic.wc; Trapmine: malicious.high.ml.score; FireEye: Generic.mg.84c82835a5d21bbc; Emsisoft: Trojan.Ransom.WannaCryptor.A (B); Ikarus: Trojan-Ransom.WannaCry; GData: Win32.Trojan-Ransom.WannaCry.A; Jiangmin: Trojan.Wanna.eo; Webroot: W32.Ransom.Wannacry; Google: Detected; Avira: TR/Ransom.JB; MAX: malware (ai score=100); Antiy-AVL: Trojan[Ransom]/Win32.Scatter; Kingsoft: Win32.Troj.WannaCry.cg.(kcloud); Gridinsoft: Ransom.Win32.Filecoder.dd; Arcabit: Trojan.Ransom.WannaCryptor.A; ZoneAlarm: Trojan-Ransom.Win32.Wanna.zbu; Microsoft: Ransom:Win32/WannaCrypt; Cynet: Malicious (score: 100); AhnLab-V3: Trojan/Win32.WannaCryptor.R200571; Acronis: suspicious; VBA32: TrojanRansom.WannaCrypt; ALYac: Trojan.Ransom.WannaCryptor; TACHYON: Ransom/W32.WannaCry.Zen; Malwarebytes: Generic.Ransom.FileCryptor.DDS; Zoner: Trojan.Win32.55605; Rising: Trojan.Win32.Rasftuby.a (CLASSIC); Yandex: Trojan.Igent.bUj9pX.12; SentinelOne: Static AI - Suspicious PE; MaxSecure: Trojan.Ransom.Wanna.d; Fortinet: W32/WannaCryptor.6F87!tr.ransom; AVG: Win32:WanaCry-A [Trj]; Panda: Trj/RansomCrypt.K; CrowdStrike: win/malicious_confidence_100% (W) |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xf8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 4 |
TimeDateStamp | 2010-Nov-20 09:05:05 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 6.0 |
SizeOfCode | 0x7000 |
SizeOfInitializedData | 0x352000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000077BA (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x8000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x1000 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x35a000 |
SizeOfHeaders | 0x1000 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x1000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
KERNEL32.dll | GetFileAttributesW, GetFileSizeEx, CreateFileA, InitializeCriticalSection, DeleteCriticalSection, ReadFile, GetFileSize, WriteFile, LeaveCriticalSection, EnterCriticalSection, SetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetFileAttributesA, SizeofResource, LockResource, LoadResource, MultiByteToWideChar, Sleep, OpenMutexA, GetFullPathNameA, CopyFileA, GetModuleFileNameA, VirtualAlloc, VirtualFree, FreeLibrary, HeapAlloc, GetProcessHeap, GetModuleHandleA, SetLastError, VirtualProtect, IsBadReadPtr, HeapFree, SystemTimeToFileTime, LocalFileTimeToFileTime, CreateDirectoryA, GetStartupInfoA, SetFilePointer, SetFileTime, GetComputerNameW, GetCurrentDirectoryA, SetCurrentDirectoryA, GlobalAlloc, LoadLibraryA, GetProcAddress, GlobalFree, CreateProcessA, CloseHandle, WaitForSingleObject, TerminateProcess, GetExitCodeProcess, FindResourceA |
---|---|
USER32.dll | wsprintfA |
ADVAPI32.dll | CreateServiceA, OpenServiceA, StartServiceA, CloseServiceHandle, CryptReleaseContext, RegCreateKeyW, RegSetValueExA, RegQueryValueExA, RegCloseKey, OpenSCManagerA |
MSVCRT.dll | realloc, fclose, fwrite, fread, fopen, sprintf, rand, srand, strcpy, memset, strlen, wcscat, wcslen, __CxxFrameHandler, ??3@YAXPAX@Z, memcmp, _except_handler3, _local_unwind2, wcsrchr, swprintf, ??2@YAPAXI@Z, memcpy, strcmp, strrchr, __p___argv, __p___argc, _stricmp, free, malloc, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ??0exception@@QAE@ABQBD@Z, _CxxThrowException, calloc, strcat, _mbsstr, ??1type_info@@UAE@XZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 6.1.7601.17514 |
ProductVersion | 6.1.7601.17514 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_DLL |
Language | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | DiskPart |
FileVersion (#2) | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
InternalName | diskpart.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | diskpart.exe |
ProductName | Microsoft® Windows® Operating System |
ProductVersion (#2) | 6.1.7601.17514 |
Resource LangID | English - United States |
---|---|
XOR Key | 0x8254a4a4 |
---|---|
Unmarked objects | 0 |
12 (7291) | 2 |
C++ objects (8047) | 1 |
14 (7299) | 4 |
C objects (8047) | 11 |
Linker (8047) | 4 |
Imports (VS2003 (.NET) build 4035) | 13 |
Total imports | 163 |
C++ objects (VS98 SP6 build 8804) | 7 |
Resource objects (VS98 SP6 cvtres build 1736) | 1 |