Manalyze report for f351e1fcca0c4ea05fc44d15a17f8b36

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2009-Jul-14 01:12:55
Detected languages	English - United States
CompanyName	Microsoft Corporation
FileDescription	Latvia Keyboard Layout
FileVersion	`6.1.7600.16385 (win7_rtm.090713-1255)`
InternalName	kbdlv (3.13)
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	kbdlv.dll
ProductName	Microsoft® Windows® Operating System
ProductVersion	`6.1.7600.16385`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ v6.0 DLL` `Microsoft Visual C++ 6.0 DLL (Debug)` `Microsoft Visual C++ 6.0 DLL` `Microsoft Visual C++` `Microsoft Visual C++ v6.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentVersion\Run` `Miscellaneous malware strings: cmd.exe`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to AES` `Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Possibly launches other programs: CreateProcessA` `Uses Microsoft's cryptographic API: CryptExportKey CryptReleaseContext CryptGenRandom CryptGetKeyParam` `Can create temporary files: CreateFileA GetTempPathW CreateFileW` `Functions related to the privilege level: CheckTokenMembership OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW` `Changes object ACLs: SetSecurityInfo`
Malicious	VirusTotal score: 55/63 (Scanned on 2017-07-03 06:55:12)	`Bkav: W32.Clode60.Trojan.1e93` `MicroWorld-eScan: Trojan.Ransom.WannaCryptor.B` `nProtect: Ransom/W32.Wanna.65536` `CAT-QuickHeal: Trojan.Zenshirsh.SL7` `McAfee: Ransom-O` `Malwarebytes: Ransom.WannaCrypt` `VIPRE: Trojan.Win32.Generic!BT` `AegisLab: Virus.Malware.Shtk!c` `K7GW: Trojan ( 0050db011 )` `K7AntiVirus: Trojan ( 0050db011 )` `Arcabit: Trojan.Ransom.WannaCryptor.B` `TrendMicro: Ransom_WCRY.J` `Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999` `F-Prot: W32/WannaCrypt.O` `Symantec: Ransom.Wannacry` `TrendMicro-HouseCall: Ransom_WCRY.J` `Paloalto: generic.ml` `ClamAV: Win.Ransomware.WannaCry-6313053-0` `Kaspersky: Trojan-Ransom.Win32.Wanna.q` `BitDefender: Trojan.Ransom.WannaCryptor.B` `NANO-Antivirus: Trojan.Win32.Wanna.eozzkv` `Avast: Win32:Trojan-gen` `Tencent: Win32.Trojan.Ransome.wannacry.vvmj` `Ad-Aware: Trojan.Ransom.WannaCryptor.B` `Emsisoft: Trojan.Ransom.WannaCryptor.B (B)` `Comodo: TrojWare.Win32.Ransom.WannaCryptor.a` `F-Secure: Trojan.Ransom.WannaCryptor.B` `DrWeb: Trojan.Encoder.11432` `Zillya: Trojan.WannaCry.Win32.6` `McAfee-GW-Edition: BehavesLike.Win32.Ransom.kh` `Sophos: Mal/Wanna-A` `Cyren: W32/Trojan.WGSY-5918` `Jiangmin: Trojan.WanaCry.k` `Webroot: W32.Ransom.Wannacry` `Avira: TR/FileCoder.hlwro` `Antiy-AVL: Trojan[Ransom]/Win32.Wanna` `Endgame: malicious (high confidence)` `Microsoft: Ransom:Win32/WannaCrypt` `ViRobot: Trojan.Win32.S.WannaCry.65536` `ZoneAlarm: Trojan-Ransom.Win32.Wanna.q` `GData: Win32.Trojan-Ransom.WannaCry.F` `AhnLab-V3: Trojan/Win32.WannaCryptor.C1951351` `VBA32: Trojan.Filecoder` `AVware: Trojan.Win32.Generic!BT` `MAX: malware (ai score=81)` `Cylance: Unsafe` `ESET-NOD32: a variant of Win32/Filecoder.WannaCryptor.D` `Rising: Malware.Generic.6!tfe (cloud:okhkd3pyewB)` `Yandex: Trojan.Filecoder!qGn19L8Odcw` `Ikarus: Trojan-Ransom.WannaCry` `Fortinet: W32/Filecoder_WannaCryptor.A!tr` `AVG: Win32:Trojan-gen` `Panda: Trj/RansomCrypt.I` `CrowdStrike: malicious_confidence_100% (D)` `Qihoo-360: Win32/Trojan.Generic.529`

Hashes

MD5	`f351e1fcca0c4ea05fc44d15a17f8b36`
SHA1	`7d36a6aa8cb6b504ee9213c200c831eb8d4ef26b`
SHA256	`1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830`
SHA3	`76d1adeb01675a8dd1abbc28ab734e976059bb986b4345e76125161626e7ba94`
SSDeep	`768:edWOTdghGl7Lu/qGrN5r5UF9sBaho9S4AJKqBz8MZK8IgpkCamlniZfO:PGdghGleSGh5resN9S4A3jHaqniZfO`
Imports Hash	`95f63d1f0a290b1bf8251e7fdeafd080`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2009-Jul-14 01:12:55
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6000`
SizeOfInitializedData	`0x9000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00006CDF (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x7000`
ImageBase	`0x10000000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x10000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`130bbec7c1e0afa5bc20f52f94fea7c2`
SHA1	`c27d0f9375a2fe6d856ce3f98999607ae90079d4`
SHA256	`02869b6d49a07e8cf2c3f7430d414354f8127083d870181c653af629b164bf2c`
SHA3	`efc871b2ca289d39eecd5d8c87302d5dfe379173cb1bf39ede50d262b74e5f83`
VirtualSize	`0x5f08`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.27503`

.rdata

MD5	`92c83c16a110e5e8aca4e81295bb2da5`
SHA1	`4ef0c1865988d02658a8795a1c2d6501560d6a41`
SHA256	`53caabb024e48baca829ee77361921787a1057325826f99e177332aed77ef1af`
SHA3	`2106460a36ce1134282ef8900b6747b81cd5123764fa79620b915bfca46016e7`
VirtualSize	`0x4c07`
VirtualAddress	`0x7000`
SizeOfRawData	`0x5000`
PointerToRawData	`0x7000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.06959`

.data

MD5	`853b8a86ede6ac0d012f86166ca6fa2d`
SHA1	`09218bb49eadfa2abf0416dcd5cc36126d9cbbad`
SHA256	`e297a9428fa886d8cf56e89d7c9fb19eb7beb158b1e3af516ef29172e8413670`
SHA3	`cb1fb9aedbfb5959a60a8ca23bcacad167f8190d1af55d027da22808cde46258`
VirtualSize	`0x1dd4`
VirtualAddress	`0xc000`
SizeOfRawData	`0x2000`
PointerToRawData	`0xc000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.05837`

.rsrc

MD5	`093738a30785c7dc7f4379e9c13997eb`
SHA1	`800332dd609158401ba606397fb608aeb61f2069`
SHA256	`6e5d2936dbf7307a0ce204022e66c0e2f1da1e09d5ab14ab40f97001658dfbaa`
SHA3	`656db2406f164e5d4585f4ab5135199ae7f3f07d051cfb9e39a030d202849b7b`
VirtualSize	`0x3ec`
VirtualAddress	`0xe000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xe000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.70534`

.reloc

MD5	`d929b19cd646f0a10951685c55580289`
SHA1	`5677d2115225c7c51d91b9d01ae691a472daa1ef`
SHA256	`41effa541b68bba250da8e21b3a88217d62362b24af2c0b1b1f9eca56637f47d`
SHA3	`f00e4429c5a5cd9da9581fba6a2b3a08b0db570c79b8534dd3b431d18ca4d35f`
VirtualSize	`0xbec`
VirtualAddress	`0xf000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xf000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.80984`

Imports

KERNEL32.dll	`InitializeCriticalSection` `SetFileAttributesW` `SetFileTime` `SetFilePointer` `GetFileTime` `GetFileSizeEx` `MultiByteToWideChar` `GetFileAttributesW` `FindClose` `FindNextFileW` `FindFirstFileW` `ExitThread` `LeaveCriticalSection` `EnterCriticalSection` `Sleep` `GetTempFileNameW` `FlushFileBuffers` `CopyFileW` `WriteFile` `CreateFileA` `ReadFile` `CreateThread` `GetFileAttributesA` `CreateMutexA` `OpenMutexA` `GetFullPathNameA` `CopyFileA` `CreateDirectoryW` `GetTempPathW` `GetWindowsDirectoryW` `DeleteFileW` `GetDiskFreeSpaceExW` `MoveFileExW` `CreateFileW` `GetDriveTypeW` `WideCharToMultiByte` `InterlockedExchange` `InterlockedExchangeAdd` `GetLogicalDrives` `DeleteFileA` `SetCurrentDirectoryW` `GetModuleFileNameW` `DeleteCriticalSection` `GetComputerNameW` `GetCurrentDirectoryA` `LocalFree` `GetCurrentProcess` `GetLastError` `CloseHandle` `GlobalAlloc` `LoadLibraryA` `GetProcAddress` `GlobalFree` `GetTickCount` `CreateProcessA` `WaitForSingleObject` `TerminateProcess` `GetExitCodeProcess` `GetFileSize`
USER32.dll	`SystemParametersInfoW`
ADVAPI32.dll	`AllocateAndInitializeSid` `CryptExportKey` `CryptReleaseContext` `GetSecurityInfo` `SetEntriesInAclA` `SetSecurityInfo` `CheckTokenMembership` `FreeSid` `GetUserNameW` `OpenProcessToken` `GetTokenInformation` `CryptGenRandom` `CryptGetKeyParam`
SHELL32.dll	`SHGetFolderPathW`
MSVCRT.dll	`fopen` `fprintf` `sprintf` `rand` `time` `srand` `wcscpy` `wcscat` `wcslen` `??2@YAPAXI@Z` `__CxxFrameHandler` `??3@YAXPAX@Z` `swprintf` `_except_handler3` `fread` `wcsrchr` `wcsncpy` `wcscmp` `_wcsnicmp` `strncmp` `wcschr` `_wfopen` `_ftol` `??0exception@@QAE@ABV0@@Z` `??1exception@@UAE@XZ` `??0exception@@QAE@ABQBD@Z` `_CxxThrowException` `??1type_info@@UAE@XZ` `free` `_initterm` `malloc` `_adjust_fdiv` `fwrite` `fclose` `_wcsicmp` `_local_unwind2` `wcsstr`
MSVCP60.dll	`?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z` `?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB` `?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB` `?_Xran@std@@YAXXZ` `?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ` `?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z` `??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ` `?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z` `?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z`

Delayed Imports

TaskStart

Ordinal	`1`
Address	`0x5ae0`

1

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x394`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.58258`
MD5	`b958dca3db655484adb7f6813b8eeb98`
SHA1	`5a493b6c7e6a5fd0628b9d5caf40ac540569e52c`
SHA256	`1995f6d32755206ee4fa8e846a808b3f689da0e3797f36077be735b84590cd68`
SHA3	`23b852d1868fbaf657fa93a434092aa91fd3fbda13f85df6208ccff3de9e6d89`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.1.7600.16385
ProductVersion	6.1.7600.16385
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	UNKNOWN
CompanyName	Microsoft Corporation
FileDescription	Latvia Keyboard Layout
FileVersion (#2)	6.1.7600.16385 (win7_rtm.090713-1255)
InternalName	kbdlv (3.13)
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	kbdlv.dll
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	6.1.7600.16385

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x75042c57`
Unmarked objects	`0`
12 (7291)	`2`
14 (7299)	`2`
C++ objects (8047)	`1`
C objects (8047)	`4`
Linker (8047)	`4`
Total imports	`129`
Imports (VS2003 (.NET) build 4035)	`11`
C++ objects (VS98 SP6 build 8804)	`6`
Linker (VC++ 6.0 SP5 imp/exp build 8447)	`1`

f351e1fcca0c4ea05fc44d15a17f8b36

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

TaskStart

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors