Manalyze report for b7f7ad4970506e8547e0f493c80ba441

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Nov-20 09:05:05
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++` `Microsoft Visual C++ v6.0` `Microsoft Visual C++ v5.0/v6.0 (MFC)`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: cmd.exe`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to AES` `Microsoft's Cryptography API`
Malicious	This program contains valid cryptocurrency addresses.	`Contains a valid Bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegCreateKeyW RegSetValueExA RegQueryValueExA RegCloseKey` `Possibly launches other programs: CreateProcessA` `Uses Microsoft's cryptographic API: CryptReleaseContext` `Can create temporary files: CreateFileA GetTempPathW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Interacts with services: CreateServiceA OpenServiceA OpenSCManagerA`
Suspicious	The PE is possibly a dropper.	`Resource 1 is possibly compressed or encrypted.` `Resource 1 is possibly compressed or encrypted.` `Resources amount for 98.1255% of the executable.`
Malicious	VirusTotal score: 52/61 (Scanned on 2017-05-22 16:46:16)	`Bkav: W32.RansomwareTBJ.Trojan` `MicroWorld-eScan: Trojan.Ransom.WannaCryptor.A` `nProtect: Ransom/W32.WannaCry.Zen` `CAT-QuickHeal: Ransom.WannaCrypt.A4` `ALYac: Trojan.Ransom.WannaCryptor` `Malwarebytes: Ransom.WannaCrypt` `Zillya: Trojan.WannaCry.Win32.2` `K7GW: Trojan ( 0050d7171 )` `K7AntiVirus: Trojan ( 0050d7171 )` `Arcabit: Trojan.Ransom.WannaCryptor.A` `Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9936` `F-Prot: W32/WannaCrypt.D` `Symantec: Trojan.Gen.2` `TrendMicro-HouseCall: Ransom_WCRY.J` `Paloalto: generic.ml` `ClamAV: Win.Ransomware.WannaCry-6313787-0` `Kaspersky: Trojan-Ransom.Win32.Wanna.d` `BitDefender: Trojan.Ransom.WannaCryptor.A` `NANO-Antivirus: Trojan.Win32.Wanna.eorfmq` `ViRobot: Trojan.Win32.S.WannaCry.3514368.Q[h]` `Avast: Win32:WanaCry-A [Trj]` `Tencent: Win32.Trojan.Ransome.wannacry.ldzq` `Ad-Aware: Trojan.Ransom.WannaCryptor.A` `Emsisoft: Trojan.Ransom.WannaCryptor.A (B)` `Comodo: TrojWare.Win32.Ransom.WannaCryptor.a` `F-Secure: Trojan.Ransom.WannaCryptor.A` `DrWeb: Trojan.Encoder.11432` `VIPRE: Trojan.Win32.Generic!BT` `TrendMicro: Ransom_WCRY.J` `McAfee-GW-Edition: Ransom-WannaCry!B7F7AD497050` `Sophos: Troj/Ransom-EMG` `SentinelOne: static engine - malicious` `Cyren: W32/Trojan.ZTSA-8671` `Jiangmin: Trojan.WanaCry.b` `Webroot: W32.Ransomware.Wcry` `Avira: TR/Agent.hlwss` `Microsoft: Ransom:Win32/WannaCrypt!rfn` `AegisLab: Gen.Variant.Graftor!c` `ZoneAlarm: Trojan-Ransom.Win32.Wanna.d` `GData: Win32.Trojan-Ransom.WannaCry.A` `AhnLab-V3: Trojan/Win32.WannaCryptor.R200571` `McAfee: Ransom-WannaCry!B7F7AD497050` `AVware: Trojan.Win32.Generic!BT` `ESET-NOD32: Win32/Filecoder.WannaCryptor.D` `Rising: Malware.Heuristic!ET#89% (cloud:vZkqDj6QDKF)` `Yandex: Trojan.Filecoder!cfsqa4THfJY` `Ikarus: Trojan-Ransom.WannaCry` `Fortinet: W32/WannaCryptor.D!tr` `AVG: FileCryptor.OYP` `Panda: Trj/RansomCrypt.F` `CrowdStrike: malicious_confidence_100% (W)` `Qihoo-360: Trojan.Generic`

Hashes

MD5	`b7f7ad4970506e8547e0f493c80ba441`
SHA1	`c433f7f00f0f58a933be3f2b795a1f41f7c68e44`
SHA256	`190d9c3e071a38cb26211bfffeb6c4bb88bd74c6bf99db9bb1f084c6a7e1df4e`
SHA3	`ebf893f0323bc9f6a0bdad2e7e0c118d1360d6f632f10f90f8aa28ab27778b5c`
SSDeep	`98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3oj:QqPe1Cxcxk3ZAEUadzR8yc4g4j`
Imports Hash	`68f013d7437aa653a8a98a05807afeb1`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2010-Nov-20 09:05:05
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x7000`
SizeOfInitializedData	`0x352000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000077BA (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x35a000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`920e964050a1a5dd60dd00083fd541a2`
SHA1	`2eb82dfb19006b8970dcc5d72b2cf3fa1479538b`
SHA256	`55cda830ff2543783350fb781ed2bf77e72aa123134d2513acfb944487773054`
SHA3	`a294e1ddbf3569c07492fe333b75c73cc03c30219af55adf0b9cddcb00a33c4a`
VirtualSize	`0x69b0`
VirtualAddress	`0x1000`
SizeOfRawData	`0x7000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.40424`

.rdata

MD5	`2c42611802d585e6eed68595876d1a15`
SHA1	`18a834d08f616a6175c6e2281597d760c77c3d81`
SHA256	`a2acc94d242d28b6dd0a0859ec59ecc7f6b98d4ea09346b819d486b8827d2d79`
SHA3	`1d9c922261f7a5f4dc2a63f47b46e2e22d5c4bf3abffad17b8a1596c4bcadd01`
VirtualSize	`0x5f70`
VirtualAddress	`0x8000`
SizeOfRawData	`0x6000`
PointerToRawData	`0x8000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.66357`

.data

MD5	`83506e37bd8b50cacabd480f8eb3849b`
SHA1	`7bd2238995e2286a24e92667f161a3c14506d4e1`
SHA256	`110357de37bd422f6c68b66035e4652b99767819353f4c398953249a930fa823`
SHA3	`bea827e605da35d81e7fcf0b14dd94e3a8b65f1da641d4c60a4501d88ed3b243`
VirtualSize	`0x1958`
VirtualAddress	`0xe000`
SizeOfRawData	`0x2000`
PointerToRawData	`0xe000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.45575`

.rsrc

MD5	`ef1aa40f5b067426a6024eb1e9c658ee`
SHA1	`9b9489a6512422d07b0cf816fd18d95039a78874`
SHA256	`ecc6240296d7ff6d7620d5edd8e5d9ad9d862b3cec6ed5d5f375a85bb6b0ec68`
SHA3	`cc1665415445e5830f1fef3c42b837f4736f2411dc196a1b8cfff768c383b8af`
VirtualSize	`0x349fa0`
VirtualAddress	`0x10000`
SizeOfRawData	`0x34a000`
PointerToRawData	`0x10000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.99994`

Imports

KERNEL32.dll	`GetFileAttributesW` `GetFileSizeEx` `CreateFileA` `InitializeCriticalSection` `DeleteCriticalSection` `ReadFile` `GetFileSize` `WriteFile` `LeaveCriticalSection` `EnterCriticalSection` `SetFileAttributesW` `SetCurrentDirectoryW` `CreateDirectoryW` `GetTempPathW` `GetWindowsDirectoryW` `GetFileAttributesA` `SizeofResource` `LockResource` `LoadResource` `MultiByteToWideChar` `Sleep` `OpenMutexA` `GetFullPathNameA` `CopyFileA` `GetModuleFileNameA` `VirtualAlloc` `VirtualFree` `FreeLibrary` `HeapAlloc` `GetProcessHeap` `GetModuleHandleA` `SetLastError` `VirtualProtect` `IsBadReadPtr` `HeapFree` `SystemTimeToFileTime` `LocalFileTimeToFileTime` `CreateDirectoryA` `GetStartupInfoA` `SetFilePointer` `SetFileTime` `GetComputerNameW` `GetCurrentDirectoryA` `SetCurrentDirectoryA` `GlobalAlloc` `LoadLibraryA` `GetProcAddress` `GlobalFree` `CreateProcessA` `CloseHandle` `WaitForSingleObject` `TerminateProcess` `GetExitCodeProcess` `FindResourceA`
USER32.dll	`wsprintfA`
ADVAPI32.dll	`CreateServiceA` `OpenServiceA` `StartServiceA` `CloseServiceHandle` `CryptReleaseContext` `RegCreateKeyW` `RegSetValueExA` `RegQueryValueExA` `RegCloseKey` `OpenSCManagerA`
MSVCRT.dll	`realloc` `fclose` `fwrite` `fread` `fopen` `sprintf` `rand` `srand` `strcpy` `memset` `strlen` `wcscat` `wcslen` `__CxxFrameHandler` `??3@YAXPAX@Z` `memcmp` `_except_handler3` `_local_unwind2` `wcsrchr` `swprintf` `??2@YAPAXI@Z` `memcpy` `strcmp` `strrchr` `__p___argv` `__p___argc` `_stricmp` `free` `malloc` `??0exception@@QAE@ABV0@@Z` `??1exception@@UAE@XZ` `??0exception@@QAE@ABQBD@Z` `_CxxThrowException` `calloc` `strcat` `_mbsstr` `??1type_info@@UAE@XZ` `_exit` `_XcptFilter` `exit` `_acmdln` `__getmainargs` `_initterm` `__setusermatherr` `_adjust_fdiv` `__p__commode` `__p__fmode` `__set_app_type` `_controlfp`

Delayed Imports

2058

Type	`XIA`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x349635`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99994`
Detected Filetype	Zip Compressed Archive
MD5	`e708250a6880ab5586f0e529f4686ac0`
SHA1	`2845302d052dfd39ff2a78003822271b7fa95800`
SHA256	`e532ced0a0f321d9dcbacc9ace35e7ffaeade98f29497f80aa3dd963594ac21a`
SHA3	`e28491ad1f4e90c4c13c3a0f183619488d1f4c9eae2535d190d305c1f026310a`

1

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x388`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.76583`
MD5	`91cc4a627c878fc9ae4ba1c2c860aad3`
SHA1	`f779ac10d7999499a7fea384c5ca1a4329dc5686`
SHA256	`60365ec2fec56a28bde12b5492204e3f1db2603093d8873443f68f37fa98b557`
SHA3	`ccfe1b194c6919005695f192b1a2c6bb965b343bc3fc01333920b9e736745449`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x4ef`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.85083`
MD5	`20f49642bece96f1fc1e1b236edad074`
SHA1	`293f1458ed91f4950a9720e9804fbda7e83dc938`
SHA256	`17aa35cff450792f875380b55e229b036ec4b835092bb7cd6e62b97aac10e9d2`
SHA3	`8aeba872b8ed2600d3418598efdc28ff0f4ce0e7b267dd972a79f57b1da49660`

Version Info

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x8254a4a4`
Unmarked objects	`0`
12 (7291)	`2`
C++ objects (8047)	`1`
14 (7299)	`4`
C objects (8047)	`11`
Linker (8047)	`4`
Imports (VS2003 (.NET) build 4035)	`13`
Total imports	`163`
C++ objects (VS98 SP6 build 8804)	`7`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Couldn't convert a string from a RT_STRING resource to UTF-8!
[!] Error: Could not read a VS_FIXED_FILE_INFO!
[*] Warning: Could not parse a VERSION_INFO resource!