f351e1fcca0c4ea05fc44d15a17f8b36

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2009-Jul-14 01:12:55
Detected languages English - United States
CompanyName Microsoft Corporation
FileDescription Latvia Keyboard Layout
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName kbdlv (3.13)
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename kbdlv.dll
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7600.16385

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ v6.0 DLL
  • Microsoft Visual C++ 6.0 DLL (Debug)
  • Microsoft Visual C++ 6.0 DLL
  • Microsoft Visual C++
  • Microsoft Visual C++ v6.0
Suspicious PEiD Signature: Armadillo v1.xx - v2.xx
Suspicious Strings found in the binary may indicate undesirable behavior:
May have dropper capabilities:
  • CurrentVersion\Run
Miscellaneous malware strings:
  • cmd.exe
Info Cryptographic algorithms detected in the binary:
  • Uses constants related to AES
  • Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Possibly launches other programs:
  • CreateProcessA
Uses Microsoft's cryptographic API:
  • CryptExportKey
  • CryptReleaseContext
  • CryptGenRandom
  • CryptGetKeyParam
Can create temporary files:
  • CreateFileA
  • GetTempPathW
  • CreateFileW
Functions related to the privilege level:
  • CheckTokenMembership
  • OpenProcessToken
Enumerates local disk drives:
  • GetDriveTypeW
Changes object ACLs:
  • SetSecurityInfo
Info The following exploit mitigation techniques have been detected:
  • Stack Canary: disabled
  • SafeSEH: disabled
  • ASLR: disabled
  • DEP: disabled
Malicious VirusTotal score: 55/63 (Scanned on 2017-07-03 06:55:12)
Bkav: W32.Clode60.Trojan.1e93
MicroWorld-eScan: Trojan.Ransom.WannaCryptor.B
nProtect: Ransom/W32.Wanna.65536
CAT-QuickHeal: Trojan.Zenshirsh.SL7
McAfee: Ransom-O
Malwarebytes: Ransom.WannaCrypt
VIPRE: Trojan.Win32.Generic!BT
AegisLab: Virus.Malware.Shtk!c
K7GW: Trojan ( 0050db011 )
K7AntiVirus: Trojan ( 0050db011 )
Arcabit: Trojan.Ransom.WannaCryptor.B
TrendMicro: Ransom_WCRY.J
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999
F-Prot: W32/WannaCrypt.O
Symantec: Ransom.Wannacry
TrendMicro-HouseCall: Ransom_WCRY.J
Paloalto: generic.ml
ClamAV: Win.Ransomware.WannaCry-6313053-0
Kaspersky: Trojan-Ransom.Win32.Wanna.q
BitDefender: Trojan.Ransom.WannaCryptor.B
NANO-Antivirus: Trojan.Win32.Wanna.eozzkv
Avast: Win32:Trojan-gen
Tencent: Win32.Trojan.Ransome.wannacry.vvmj
Ad-Aware: Trojan.Ransom.WannaCryptor.B
Emsisoft: Trojan.Ransom.WannaCryptor.B (B)
Comodo: TrojWare.Win32.Ransom.WannaCryptor.a
F-Secure: Trojan.Ransom.WannaCryptor.B
DrWeb: Trojan.Encoder.11432
Zillya: Trojan.WannaCry.Win32.6
McAfee-GW-Edition: BehavesLike.Win32.Ransom.kh
Sophos: Mal/Wanna-A
Cyren: W32/Trojan.WGSY-5918
Jiangmin: Trojan.WanaCry.k
Webroot: W32.Ransom.Wannacry
Avira: TR/FileCoder.hlwro
Antiy-AVL: Trojan[Ransom]/Win32.Wanna
Endgame: malicious (high confidence)
Microsoft: Ransom:Win32/WannaCrypt
ViRobot: Trojan.Win32.S.WannaCry.65536
ZoneAlarm: Trojan-Ransom.Win32.Wanna.q
GData: Win32.Trojan-Ransom.WannaCry.F
AhnLab-V3: Trojan/Win32.WannaCryptor.C1951351
VBA32: Trojan.Filecoder
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=81)
Cylance: Unsafe
ESET-NOD32: a variant of Win32/Filecoder.WannaCryptor.D
Rising: Malware.Generic.6!tfe (cloud:okhkd3pyewB)
Yandex: Trojan.Filecoder!qGn19L8Odcw
Ikarus: Trojan-Ransom.WannaCry
Fortinet: W32/Filecoder_WannaCryptor.A!tr
AVG: Win32:Trojan-gen
Panda: Trj/RansomCrypt.I
CrowdStrike: malicious_confidence_100% (D)
Qihoo-360: Win32/Trojan.Generic.529

Hashes

MD5 f351e1fcca0c4ea05fc44d15a17f8b36
SHA1 7d36a6aa8cb6b504ee9213c200c831eb8d4ef26b
SHA256 1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830
SHA3 db73b40ed01bd156432ba6c89fd886b74f95fd24826c711114f5f08b79ddc7a0
SSDeep 768:edWOTdghGl7Lu/qGrN5r5UF9sBaho9S4AJKqBz8MZK8IgpkCamlniZfO:PGdghGleSGh5resN9S4A3jHaqniZfO
Imports Hash 95f63d1f0a290b1bf8251e7fdeafd080

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2009-Jul-14 01:12:55
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x6000
SizeOfInitializedData 0x9000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x6cdf (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x7000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x10000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics (EMPTY)
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 130bbec7c1e0afa5bc20f52f94fea7c2
SHA1 c27d0f9375a2fe6d856ce3f98999607ae90079d4
SHA256 02869b6d49a07e8cf2c3f7430d414354f8127083d870181c653af629b164bf2c
SHA3 06b43b40f55808ca0169c223da0dad76d78644f9b53eb782f5b107b17dea95bc
VirtualSize 0x5f08
VirtualAddress 0x1000
SizeOfRawData 0x6000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.27503

.rdata

MD5 92c83c16a110e5e8aca4e81295bb2da5
SHA1 4ef0c1865988d02658a8795a1c2d6501560d6a41
SHA256 53caabb024e48baca829ee77361921787a1057325826f99e177332aed77ef1af
SHA3 8d23f5e668df2e2da3b739ee8aafc566590b7247c2fdab2aef586fef71e8fa26
VirtualSize 0x4c07
VirtualAddress 0x7000
SizeOfRawData 0x5000
PointerToRawData 0x7000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.06959

.data

MD5 853b8a86ede6ac0d012f86166ca6fa2d
SHA1 09218bb49eadfa2abf0416dcd5cc36126d9cbbad
SHA256 e297a9428fa886d8cf56e89d7c9fb19eb7beb158b1e3af516ef29172e8413670
SHA3 b52a14fff769f0aa48ece3c1b1cb46c0c8b3cd90f36febe50ac4f44b0c1519ec
VirtualSize 0x1dd4
VirtualAddress 0xc000
SizeOfRawData 0x2000
PointerToRawData 0xc000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 4.05837

.rsrc

MD5 093738a30785c7dc7f4379e9c13997eb
SHA1 800332dd609158401ba606397fb608aeb61f2069
SHA256 6e5d2936dbf7307a0ce204022e66c0e2f1da1e09d5ab14ab40f97001658dfbaa
SHA3 d333bfc116c3b37d378c4d242de90ea6b2aa604a87d358f3b4c5ef383ddcce54
VirtualSize 0x3ec
VirtualAddress 0xe000
SizeOfRawData 0x1000
PointerToRawData 0xe000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.70534

.reloc

MD5 d929b19cd646f0a10951685c55580289
SHA1 5677d2115225c7c51d91b9d01ae691a472daa1ef
SHA256 41effa541b68bba250da8e21b3a88217d62362b24af2c0b1b1f9eca56637f47d
SHA3 5d0d09e9217a71de770a4bda91470de54aa5adb7021d5a6fb3375cf72758790f
VirtualSize 0xbec
VirtualAddress 0xf000
SizeOfRawData 0x1000
PointerToRawData 0xf000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.80984

Imports

KERNEL32.dll
InitializeCriticalSection
SetFileAttributesW
SetFileTime
SetFilePointer
GetFileTime
GetFileSizeEx
MultiByteToWideChar
GetFileAttributesW
FindClose
FindNextFileW
FindFirstFileW
ExitThread
LeaveCriticalSection
EnterCriticalSection
Sleep
GetTempFileNameW
FlushFileBuffers
CopyFileW
WriteFile
CreateFileA
ReadFile
CreateThread
GetFileAttributesA
CreateMutexA
OpenMutexA
GetFullPathNameA
CopyFileA
CreateDirectoryW
GetTempPathW
GetWindowsDirectoryW
DeleteFileW
GetDiskFreeSpaceExW
MoveFileExW
CreateFileW
GetDriveTypeW
WideCharToMultiByte
InterlockedExchange
InterlockedExchangeAdd
GetLogicalDrives
DeleteFileA
SetCurrentDirectoryW
GetModuleFileNameW
DeleteCriticalSection
GetComputerNameW
GetCurrentDirectoryA
LocalFree
GetCurrentProcess
GetLastError
CloseHandle
GlobalAlloc
LoadLibraryA
GetProcAddress
GlobalFree
GetTickCount
CreateProcessA
WaitForSingleObject
TerminateProcess
GetExitCodeProcess
GetFileSize
USER32.dll
SystemParametersInfoW
ADVAPI32.dll
AllocateAndInitializeSid
CryptExportKey
CryptReleaseContext
GetSecurityInfo
SetEntriesInAclA
SetSecurityInfo
CheckTokenMembership
FreeSid
GetUserNameW
OpenProcessToken
GetTokenInformation
CryptGenRandom
CryptGetKeyParam
SHELL32.dll
SHGetFolderPathW
MSVCRT.dll
fopen
fprintf
sprintf
rand
time
srand
wcscpy
wcscat
wcslen
??2@YAPAXI@Z
__CxxFrameHandler
??3@YAXPAX@Z
swprintf
_except_handler3
fread
wcsrchr
wcsncpy
wcscmp
_wcsnicmp
strncmp
wcschr
_wfopen
_ftol
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
??1type_info@@UAE@XZ
free
_initterm
malloc
_adjust_fdiv
fwrite
fclose
_wcsicmp
_local_unwind2
wcsstr
MSVCP60.dll
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z
?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
?_Xran@std@@YAXXZ
?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ
?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z

Delayed Imports

Exports

TaskStart

Ordinal 1
Address 0x5ae0

Resources

1

Type RT_VERSION
Language English - United States
Codepage Latin 1 / Western European
Size 0x394
Entropy 3.58258
MD5 b958dca3db655484adb7f6813b8eeb98
SHA1 5a493b6c7e6a5fd0628b9d5caf40ac540569e52c
SHA256 1995f6d32755206ee4fa8e846a808b3f689da0e3797f36077be735b84590cd68
SHA3 c8641bbc51ea0193fdf794744662ac94a728f74f229deb75348ed719405573af

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
ProductVersion 6.1.7600.16385
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language UNKNOWN
CompanyName Microsoft Corporation
FileDescription Latvia Keyboard Layout
InternalName kbdlv (3.13)
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename kbdlv.dll
ProductName Microsoft® Windows® Operating System
Resource LangID English - United States

TLS Callbacks

Load Configuration

Errors