Manalyze report for d5dcd28612f4d6ffca0cfeaefd606bcf

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2010-Nov-20 09:03:08
Detected languages	English - United States
CompanyName	Microsoft Corporation
FileDescription	Microsoft® Disk Defragmenter
FileVersion	`6.1.7601.17514 (win7sp1_rtm.101119-1850)`
InternalName	lhdfrgui.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	lhdfrgui.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion	`6.1.7601.17514`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 DLL (Debug)` `Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++ 6.0 DLL` `Microsoft Visual C++` `Microsoft Visual C++ v6.0` `Microsoft Visual C++ v5.0/v6.0 (MFC)`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Miscellaneous malware strings: cmd.exe`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to AES` `Microsoft's Cryptography API`
Malicious	This program contains valid cryptocurrency addresses.	`Contains a valid Bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94`
Suspicious	The PE contains functions most legitimate programs don't use.	`Uses Microsoft's cryptographic API: CryptGenRandom CryptAcquireContextA` `Has Internet access capabilities: InternetOpenA InternetOpenUrlA InternetCloseHandle` `Leverages the raw socket API to access the Internet: #3 #16 #19 #8 #14 #115 #12 #10 #18 #9 #23 #4 #11` `Interacts with services: OpenSCManagerA CreateServiceA OpenServiceA`
Malicious	The PE is possibly a dropper.	`Resource 1831 detected as a PE Executable.` `Resources amount for 94.4148% of the executable.`
Malicious	VirusTotal score: 62/67 (Scanned on 2018-06-19 15:01:47)	`Bkav: W32.WannaCrypLTE.Trojan` `MicroWorld-eScan: Trojan.Ransom.WannaCryptor.H` `CAT-QuickHeal: Ransom.WannaCrypt.A4` `McAfee: Ransom-WannaCry!D5DCD28612F4` `Cylance: Unsafe` `VIPRE: Trojan.Win32.Generic!BT` `TheHacker: Trojan/Exploit.CVE-2017-0147.a` `BitDefender: Trojan.Ransom.WannaCryptor.H` `K7GW: Exploit ( 0050d7a31 )` `K7AntiVirus: Exploit ( 0050d7a31 )` `Arcabit: Trojan.Ransom.WannaCryptor.H` `TrendMicro: Ransom_WCRY.SM2` `Baidu: Win32.Worm.Rbot.a` `F-Prot: W32/WannaCrypt.D` `Symantec: Ransom.Wannacry` `ESET-NOD32: Win32/Exploit.CVE-2017-0147.A` `TrendMicro-HouseCall: Ransom_WCRY.SM2` `Paloalto: generic.ml` `ClamAV: Win.Malware.Agent-6395172-0` `Kaspersky: Trojan-Ransom.Win32.Wanna.m` `Cybereason: malicious.612f4d` `NANO-Antivirus: Trojan.Win32.Wanna.eovgam` `ViRobot: Trojan.Win32.S.WannaCry.3723264.BA` `SUPERAntiSpyware: Ransom.WannaCrypt/Variant` `Avast: Win32:WanaCry-A [Trj]` `Rising: Ransom.WanaCrypt!1.AAED (KTSE)` `Ad-Aware: Trojan.Ransom.WannaCryptor.H` `Emsisoft: Trojan-Ransom.WanaCrypt0r (A)` `Comodo: TrojWare.Win32.Ransom.WannaCryptor.B` `F-Secure: Trojan.Ransom.WannaCryptor.H` `DrWeb: Trojan.Encoder.11432` `Zillya: Trojan.WannaCryptGen.Win32.2` `Invincea: heuristic` `McAfee-GW-Edition: BehavesLike.Win32.RansomWannaCry.wc` `Sophos: Troj/Ransom-EMG` `SentinelOne: static engine - malicious` `Cyren: W32/Trojan.ZTSA-8671` `Jiangmin: Trojan.WanaCry.i` `Webroot: W32.Ransom.Wannacry` `Avira: TR/Ransom.IZ` `Antiy-AVL: Trojan[Ransom]/Win32.Scatter` `Endgame: malicious (high confidence)` `Microsoft: Ransom:Win32/WannaCrypt.A!rsm` `AegisLab: Troj.Ransom.W32!c` `ZoneAlarm: Trojan-Ransom.Win32.Wanna.m` `GData: Win32.Trojan-Ransom.WannaCry.D` `TACHYON: Ransom/W32.WannaCry.Zen` `AhnLab-V3: Trojan/Win32.WannaCryptor.R200572` `ALYac: Trojan.Ransom.WannaCryptor` `AVware: Trojan.Win32.Generic!BT` `MAX: malware (ai score=100)` `VBA32: TrojanRansom.Wanna` `Malwarebytes: Ransom.WannaCrypt` `Zoner: Trojan.Wannacry` `Tencent: Trojan-Ransom.Win32.Wcry.a` `Yandex: Exploit.CVE-2017-0147!` `Ikarus: Trojan-Ransom.WannaCry` `Fortinet: W32/WannaCryptor.H!tr.ransom` `AVG: Win32:WanaCry-A [Trj]` `Panda: Trj/RansomCrypt.I` `CrowdStrike: malicious_confidence_100% (W)` `Qihoo-360: Win32/Backdoor.80f`

Hashes

MD5	`d5dcd28612f4d6ffca0cfeaefd606bcf`
SHA1	`cf60fa60d2f461dddfdfcebf16368e6b539cd9ba`
SHA256	`32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf`
SHA3	`c9fdfa03ac2070f405b1c569a8902d49c4209ae0debb7f38605c69f5a1a73c19`
SSDeep	`98304:whqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3R:whqPe1Cxcxk3ZAEUadzR8yc4gB`
Imports Hash	`f13e2041cdff3dd5acef675d56aa3d19`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2010-Nov-20 09:03:08
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x9000`
SizeOfInitializedData	`0x383000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00009A16 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xa000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x66b000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`c7613102e2ecec5dcefc144f83189153`
SHA1	`79c2158426a696ba552e9d0092008ada753dc3e1`
SHA256	`7609ecc798a357dd1a2f0134f9a6ea06511a8885ec322c7acd0d84c569398678`
SHA3	`a276c0d450e68e0a95e54eb9faa4dc7c18aad0d2048e560c476f7837a34fe2d7`
VirtualSize	`0x8bca`
VirtualAddress	`0x1000`
SizeOfRawData	`0x9000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.13459`

.rdata

MD5	`d8037d744b539326c06e897625751cc9`
SHA1	`8c528f41cd4533228264ee639fad17e5be8bf817`
SHA256	`532e9419f23eaf5eb0e8828b211a7164cbf80ad54461bc748c1ec2349552e6a2`
SHA3	`5d39450e3d956e25cae7060d586eba36290927433c53df9b26f417ec5d91052d`
VirtualSize	`0x998`
VirtualAddress	`0xa000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xa000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.50362`

.data

MD5	`c99c49de96e0ac4054602e4302bf8f29`
SHA1	`77641a4b11b6269535af54f039ec6bef495c36c0`
SHA256	`b0c72d1ca42bb1e978c3775e24730e2c2d94bbbcc7ead72c81580da6b6a4b48e`
SHA3	`e421320f944361e814e4e36af79415251aa502ecae4f480a7af6b69f9069e2bf`
VirtualSize	`0x30489c`
VirtualAddress	`0xb000`
SizeOfRawData	`0x27000`
PointerToRawData	`0xb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.10032`

.rsrc

MD5	`12e1bd7375d82cca3a51ca48fe22d1a9`
SHA1	`4c33b2b6715cc1b982e158401a06fcb156c409a3`
SHA256	`1efe677209c1284357ef0c7996a1318b7de3836dfb11f97d85335d6d3b8a8e42`
SHA3	`dc8d150a763af6e28806d61f6f5194d391a8424dc32d82754d3a456fed15dea5`
VirtualSize	`0x35a454`
VirtualAddress	`0x310000`
SizeOfRawData	`0x35b000`
PointerToRawData	`0x32000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.99523`

Imports

KERNEL32.dll	`WaitForSingleObject` `InterlockedIncrement` `GetCurrentThreadId` `GetCurrentThread` `ReadFile` `GetFileSize` `CreateFileA` `MoveFileExA` `SizeofResource` `TerminateThread` `LoadResource` `FindResourceA` `GetProcAddress` `GetModuleHandleW` `ExitProcess` `GetModuleFileNameA` `LocalFree` `LocalAlloc` `CloseHandle` `InterlockedDecrement` `EnterCriticalSection` `LeaveCriticalSection` `InitializeCriticalSection` `GlobalAlloc` `GlobalFree` `QueryPerformanceFrequency` `QueryPerformanceCounter` `GetTickCount` `LockResource` `Sleep` `GetStartupInfoA` `GetModuleHandleA`
ADVAPI32.dll	`StartServiceCtrlDispatcherA` `RegisterServiceCtrlHandlerA` `ChangeServiceConfig2A` `SetServiceStatus` `OpenSCManagerA` `CreateServiceA` `CloseServiceHandle` `StartServiceA` `CryptGenRandom` `CryptAcquireContextA` `OpenServiceA`
WS2_32.dll	`#3` `#16` `#19` `#8` `#14` `#115` `#12` `#10` `#18` `#9` `#23` `#4` `#11`
MSVCP60.dll	`??1_Lockit@std@@QAE@XZ` `??0_Lockit@std@@QAE@XZ`
iphlpapi.dll	`GetAdaptersInfo` `GetPerAdapterInfo`
WININET.dll	`InternetOpenA` `InternetOpenUrlA` `InternetCloseHandle`
MSVCRT.dll	`__set_app_type` `_stricmp` `__p__fmode` `__p__commode` `_except_handler3` `__setusermatherr` `_initterm` `__getmainargs` `_acmdln` `_adjust_fdiv` `_controlfp` `exit` `_XcptFilter` `_exit` `_onexit` `__dllonexit` `free` `??2@YAPAXI@Z` `_ftol` `sprintf` `_endthreadex` `strncpy` `rand` `_beginthreadex` `__CxxFrameHandler` `srand` `time` `__p___argc`

Delayed Imports

1831

Type	`R`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x35a000`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.99547`
Detected Filetype	PE Executable
MD5	`84c82835a5d21bbcf75a61706d8ab549`
SHA1	`5ff465afaabcbf0150d1a3ab2c2e74f3a4426467`
SHA256	`ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa`
SHA3	`b0e240ef9f18786c588c4cffa777e35b1741189d543cf2220f25291bab2d2214`

1

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x3b0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.53244`
MD5	`1ebdc36976dd611e1a9e221a88e6858e`
SHA1	`7b5a93cd7db3ddc7ff48c6e3c7eefca46807462e`
SHA256	`2f3fc51546ada848dfc8e775554c0de3689d6fae7ba4bf3d40e3c8dec68b277b`
SHA3	`a77c2b3217a99917f52d60ef00bc092b67230a0891eb1c83adf2d0b4f330e1bd`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.1.7601.17514
ProductVersion	6.1.7601.17514
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Microsoft® Disk Defragmenter
FileVersion (#2)	6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName	lhdfrgui.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	lhdfrgui.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	6.1.7601.17514

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xc33d5d11`
Unmarked objects	`0`
12 (7291)	`1`
14 (7299)	`4`
C objects (8047)	`11`
C++ objects (8047)	`1`
Linker (8047)	`4`
Imports (VS2003 (.NET) build 4035)	`11`
Total imports	`91`
C++ objects (VS98 SP6 build 8804)	`1`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

d5dcd28612f4d6ffca0cfeaefd606bcf

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

Imports

Delayed Imports

1831

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors