Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2009-Jul-14 01:12:55 |
Detected languages | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | Latvia Keyboard Layout |
FileVersion | 6.1.7600.16385 (win7_rtm.090713-1255) |
InternalName | kbdlv (3.13) |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | kbdlv.dll |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 6.1.7600.16385 |
Info | Matching compiler(s): Microsoft Visual C++ v6.0 DLL; Microsoft Visual C++ 6.0 DLL (Debug); Microsoft Visual C++ 6.0 DLL; Microsoft Visual C++; Microsoft Visual C++ v6.0 |
Suspicious | Strings found in the binary may indicate undesirable behavior: May have dropper capabilities: |
Info | Cryptographic algorithms detected in the binary: Uses constants related to AES; Microsoft's Cryptography API |
Malicious | The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 55/63 (Scanned on 2017-07-03 06:55:12) |

VirusTotal vendor verdicts:

- Bkav: W32.Clode60.Trojan.1e93
- MicroWorld-eScan: Trojan.Ransom.WannaCryptor.B
- nProtect: Ransom/W32.Wanna.65536
- CAT-QuickHeal: Trojan.Zenshirsh.SL7
- McAfee: Ransom-O
- Malwarebytes: Ransom.WannaCrypt
- VIPRE: Trojan.Win32.Generic!BT
- AegisLab: Virus.Malware.Shtk!c
- K7GW: Trojan ( 0050db011 )
- K7AntiVirus: Trojan ( 0050db011 )
- Arcabit: Trojan.Ransom.WannaCryptor.B
- TrendMicro: Ransom_WCRY.J
- Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999
- F-Prot: W32/WannaCrypt.O
- Symantec: Ransom.Wannacry
- TrendMicro-HouseCall: Ransom_WCRY.J
- Paloalto: generic.ml
- ClamAV: Win.Ransomware.WannaCry-6313053-0
- Kaspersky: Trojan-Ransom.Win32.Wanna.q
- BitDefender: Trojan.Ransom.WannaCryptor.B
- NANO-Antivirus: Trojan.Win32.Wanna.eozzkv
- Avast: Win32:Trojan-gen
- Tencent: Win32.Trojan.Ransome.wannacry.vvmj
- Ad-Aware: Trojan.Ransom.WannaCryptor.B
- Emsisoft: Trojan.Ransom.WannaCryptor.B (B)
- Comodo: TrojWare.Win32.Ransom.WannaCryptor.a
- F-Secure: Trojan.Ransom.WannaCryptor.B
- DrWeb: Trojan.Encoder.11432
- Zillya: Trojan.WannaCry.Win32.6
- McAfee-GW-Edition: BehavesLike.Win32.Ransom.kh
- Sophos: Mal/Wanna-A
- Cyren: W32/Trojan.WGSY-5918
- Jiangmin: Trojan.WanaCry.k
- Webroot: W32.Ransom.Wannacry
- Avira: TR/FileCoder.hlwro
- Antiy-AVL: Trojan[Ransom]/Win32.Wanna
- Endgame: malicious (high confidence)
- Microsoft: Ransom:Win32/WannaCrypt
- ViRobot: Trojan.Win32.S.WannaCry.65536
- ZoneAlarm: Trojan-Ransom.Win32.Wanna.q
- GData: Win32.Trojan-Ransom.WannaCry.F
- AhnLab-V3: Trojan/Win32.WannaCryptor.C1951351
- VBA32: Trojan.Filecoder
- AVware: Trojan.Win32.Generic!BT
- MAX: malware (ai score=81)
- Cylance: Unsafe
- ESET-NOD32: a variant of Win32/Filecoder.WannaCryptor.D
- Rising: Malware.Generic.6!tfe (cloud:okhkd3pyewB)
- Yandex: Trojan.Filecoder!qGn19L8Odcw
- Ikarus: Trojan-Ransom.WannaCry
- Fortinet: W32/Filecoder_WannaCryptor.A!tr
- AVG: Win32:Trojan-gen
- Panda: Trj/RansomCrypt.I
- CrowdStrike: malicious_confidence_100% (D)
- Qihoo-360: Win32/Trojan.Generic.529
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xf8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 5 |
TimeDateStamp | 2009-Jul-14 01:12:55 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 6.0 |
SizeOfCode | 0x6000 |
SizeOfInitializedData | 0x9000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00006CDF (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x7000 |
ImageBase | 0x10000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x1000 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x10000 |
SizeOfHeaders | 0x1000 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeOfStackReserve | 0x100000 |
SizeOfStackCommit | 0x1000 |
SizeOfHeapReserve | 0x100000 |
SizeOfHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
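The three header tables above are what a parser reads before it touches a single byte of code, and several of the triage observations on this page (the 2009 link timestamp that matches the win7_rtm build label, the zero CheckSum, the entry point inside .text, the DLL flag) fall straight out of them. The following parser is an added example, not Manalyze's code: it packs the field values from the tables into a byte string with struct.pack (the sample's DOS stub, section table and code are not on this page, so they are zero-filled; e_lfarlc and DllCharacteristics are not listed either and are assumed), parses it back, and runs the header-only checks a practitioner would apply.

```python
"""Parse the DOS, COFF and PE32 optional headers of a PE image and run
header-only triage checks.  Added example, not Manalyze output: the bytes it
parses are built from the field values in the report (DOS stub, sections
and code are absent from the page and zero-filled here)."""
import re
import struct
from datetime import datetime, timezone

DOS_FMT = "<2s13H8sHH20sI"                   # IMAGE_DOS_HEADER, 64 bytes
COFF_FMT = "<HHIIIHH"                        # IMAGE_FILE_HEADER, 20 bytes
OPT32_FMT = ("<HBB" "IIIIII" "III" "HHHHHH"   # IMAGE_OPTIONAL_HEADER32 up to
             "IIII" "HH" "IIII" "II")         # NumberOfRvaAndSizes, 96 bytes

MACHINE = {0x14C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64"}
SUBSYSTEM = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
FILE_CHARACTERISTICS = {                     # IMAGE_FILE_* bits from winnt.h
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0004: "IMAGE_FILE_LINE_NUMS_STRIPPED",
    0x0008: "IMAGE_FILE_LOCAL_SYMS_STRIPPED",
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x2000: "IMAGE_FILE_DLL",
}


def build_sample_headers():
    """Constructed input carrying the header values listed in the report."""
    ts = int(datetime(2009, 7, 14, 1, 12, 55, tzinfo=timezone.utc).timestamp())
    e_lfanew = 0xF8
    dos = struct.pack(DOS_FMT, b"MZ", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0,
                      0x40,                  # e_lfarlc: not in the report, assumed
                      0, b"\0" * 8, 0, 0, b"\0" * 20, e_lfanew)
    stub = b"\0" * (e_lfanew - len(dos))     # real DOS stub omitted
    coff = struct.pack(COFF_FMT, 0x14C, 5, ts, 0, 0, 0xE0, 0x210E)
    opt = struct.pack(OPT32_FMT, 0x10B, 6, 0,
                      0x6000, 0x9000, 0, 0x6CDF, 0x1000, 0x7000,
                      0x10000000, 0x1000, 0x1000,
                      4, 0, 0, 0, 4, 0,
                      0, 0x10000, 0x1000, 0,  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                   # Subsystem GUI; DllCharacteristics not in report, assumed 0
                      0x100000, 0x1000, 0x100000, 0x1000,
                      0, 16)
    opt += b"\0" * (16 * 8)                  # 16 empty data directories
    return dos + stub + b"PE\0\0" + coff + opt


def parse_pe(data):
    dos = struct.unpack_from(DOS_FMT, data, 0)
    if dos[0] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = dos[-1]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt = struct.unpack_from(OPT32_FMT, data, e_lfanew + 4 + struct.calcsize(COFF_FMT))
    if opt[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINE.get(machine, hex(machine)),
        "number_of_sections": nsec,
        "timestamp_epoch": ts,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": sorted(n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit),
        "size_of_optional_header": opt_size,
        "linker_version": f"{opt[1]}.{opt[2]}",
        "size_of_code": opt[3], "entry_point": opt[6], "base_of_code": opt[7],
        "image_base": opt[9], "size_of_image": opt[19], "checksum": opt[21],
        "subsystem": SUBSYSTEM.get(opt[22], str(opt[22])),
    }


def hours_from_build_label(hdr, file_version):
    """Hours between the link timestamp and the YYMMDD-HHMM date inside a
    Microsoft build label such as 'win7_rtm.090713-1255' (read as naive time)."""
    m = re.search(r"\.(\d{6})-(\d{4})\)", file_version)
    label = datetime.strptime(m.group(1) + m.group(2), "%y%m%d%H%M")
    linked = datetime.fromtimestamp(hdr["timestamp_epoch"], timezone.utc).replace(tzinfo=None)
    return abs((linked - label).total_seconds()) / 3600


def triage(hdr, file_version):
    findings = []
    if hdr["checksum"] == 0:
        findings.append("CheckSum is 0: Microsoft-shipped system DLLs carry a valid PE checksum, "
                        "so the 'Microsoft Corporation' version resource is not borne out by the header")
    lo, hi = hdr["base_of_code"], hdr["base_of_code"] + hdr["size_of_code"]
    if not lo <= hdr["entry_point"] < hi:
        findings.append("entry point outside the code range: look for a packer stub")
    if hours_from_build_label(hdr, file_version) < 24:
        findings.append("link timestamp within a day of the win7_rtm build label: "
                        "consistent with metadata copied from a genuine Windows 7 RTM file")
    if "IMAGE_FILE_DLL" in hdr["characteristics"]:
        findings.append("image is a DLL: it needs a loader (rundll32 or a dropper) to execute")
    return findings


if __name__ == "__main__":
    hdr = parse_pe(build_sample_headers())
    for k, v in hdr.items():
        print(f"{k:24} {v}")
    for f in triage(hdr, "6.1.7600.16385 (win7_rtm.090713-1255)"):
        print("-", f)
```

A link timestamp is a plain dword the author can set to anything; what makes this one interesting is not its age but that it agrees with the Windows 7 RTM build label in the version resource, which is exactly what lifting the metadata of a real kbdlv.dll would produce. The checksum check is the cheap counter-test: the copied resource says Microsoft, the header does not.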
KERNEL32.dll | InitializeCriticalSection, SetFileAttributesW, SetFileTime, SetFilePointer, GetFileTime, GetFileSizeEx, MultiByteToWideChar, GetFileAttributesW, FindClose, FindNextFileW, FindFirstFileW, ExitThread, LeaveCriticalSection, EnterCriticalSection, Sleep, GetTempFileNameW, FlushFileBuffers, CopyFileW, WriteFile, CreateFileA, ReadFile, CreateThread, GetFileAttributesA, CreateMutexA, OpenMutexA, GetFullPathNameA, CopyFileA, CreateDirectoryW, GetTempPathW, GetWindowsDirectoryW, DeleteFileW, GetDiskFreeSpaceExW, MoveFileExW, CreateFileW, GetDriveTypeW, WideCharToMultiByte, InterlockedExchange, InterlockedExchangeAdd, GetLogicalDrives, DeleteFileA, SetCurrentDirectoryW, GetModuleFileNameW, DeleteCriticalSection, GetComputerNameW, GetCurrentDirectoryA, LocalFree, GetCurrentProcess, GetLastError, CloseHandle, GlobalAlloc, LoadLibraryA, GetProcAddress, GlobalFree, GetTickCount, CreateProcessA, WaitForSingleObject, TerminateProcess, GetExitCodeProcess, GetFileSize |
---|---|
USER32.dll | SystemParametersInfoW |
ADVAPI32.dll | AllocateAndInitializeSid, CryptExportKey, CryptReleaseContext, GetSecurityInfo, SetEntriesInAclA, SetSecurityInfo, CheckTokenMembership, FreeSid, GetUserNameW, OpenProcessToken, GetTokenInformation, CryptGenRandom, CryptGetKeyParam |
SHELL32.dll | SHGetFolderPathW |
MSVCRT.dll | fopen, fprintf, sprintf, rand, time, srand, wcscpy, wcscat, wcslen, ??2@YAPAXI@Z, __CxxFrameHandler, ??3@YAXPAX@Z, swprintf, _except_handler3, fread, wcsrchr, wcsncpy, wcscmp, _wcsnicmp, strncmp, wcschr, _wfopen, _ftol, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ??0exception@@QAE@ABQBD@Z, _CxxThrowException, ??1type_info@@UAE@XZ, free, _initterm, malloc, _adjust_fdiv, fwrite, fclose, _wcsicmp, _local_unwind2, wcsstr |
MSVCP60.dll | ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z, ?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB, ?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB, ?_Xran@std@@YAXXZ, ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ, ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z, ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z, ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z |
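The import table is the strongest evidence on this page that the version resource is a disguise: drive enumeration, file overwrite/rename/delete, CryptoAPI key export, a mutex, a child process and token/ACL calls are a ransomware profile, not a keyboard layout. Two further points fall out of it. First, the crypto family is incomplete: CryptExportKey, CryptGenRandom and CryptGetKeyParam are present but CryptAcquireContext, CryptGenKey and CryptEncrypt are not, while LoadLibraryA and GetProcAddress are, which is the concrete form of the "may be hiding some of its imports" finding above. Second, a genuine Windows keyboard-layout DLL (kbd*.dll) is a data-only module that exports KbdLayerDescriptor and imports nothing, so any Win32 import at all contradicts the claimed FileDescription. The script below is an added example, not Manalyze's code: it transcribes the KERNEL32, USER32, ADVAPI32 and SHELL32 entries from the table (the C/C++ runtime imports are left out), groups them into capability clusters, and lists the missing companion functions. The cluster and companion tables are this example's own choices.

```python
"""Cluster a PE import table into capabilities and check it against the role
the version resource claims.  Added example, not Manalyze output.  Import
names are transcribed from the report; CAPABILITIES and EXPECTED_COMPANIONS
are this example's own tables."""

IMPORTS = {
    "KERNEL32.dll": """
        InitializeCriticalSection SetFileAttributesW SetFileTime SetFilePointer GetFileTime
        GetFileSizeEx MultiByteToWideChar GetFileAttributesW FindClose FindNextFileW FindFirstFileW
        ExitThread LeaveCriticalSection EnterCriticalSection Sleep GetTempFileNameW FlushFileBuffers
        CopyFileW WriteFile CreateFileA ReadFile CreateThread GetFileAttributesA CreateMutexA OpenMutexA
        GetFullPathNameA CopyFileA CreateDirectoryW GetTempPathW GetWindowsDirectoryW DeleteFileW
        GetDiskFreeSpaceExW MoveFileExW CreateFileW GetDriveTypeW WideCharToMultiByte InterlockedExchange
        InterlockedExchangeAdd GetLogicalDrives DeleteFileA SetCurrentDirectoryW GetModuleFileNameW
        DeleteCriticalSection GetComputerNameW GetCurrentDirectoryA LocalFree GetCurrentProcess
        GetLastError CloseHandle GlobalAlloc LoadLibraryA GetProcAddress GlobalFree GetTickCount
        CreateProcessA WaitForSingleObject TerminateProcess GetExitCodeProcess GetFileSize""".split(),
    "USER32.dll": ["SystemParametersInfoW"],
    "ADVAPI32.dll": """
        AllocateAndInitializeSid CryptExportKey CryptReleaseContext GetSecurityInfo SetEntriesInAclA
        SetSecurityInfo CheckTokenMembership FreeSid GetUserNameW OpenProcessToken GetTokenInformation
        CryptGenRandom CryptGetKeyParam""".split(),
    "SHELL32.dll": ["SHGetFolderPathW"],
    # MSVCRT.dll / MSVCP60.dll entries are plain C/C++ runtime and are left out.
}

CAPABILITIES = {
    "dynamic import resolution": {"LoadLibraryA", "GetProcAddress"},
    "drive and file enumeration": {"GetLogicalDrives", "GetDriveTypeW", "FindFirstFileW",
                                   "FindNextFileW", "GetDiskFreeSpaceExW"},
    "file rewrite, rename and delete": {"CreateFileW", "WriteFile", "CopyFileW", "MoveFileExW",
                                        "DeleteFileW", "DeleteFileA", "SetFileTime", "SetFileAttributesW"},
    "CryptoAPI key handling": {"CryptGenRandom", "CryptExportKey", "CryptGetKeyParam", "CryptReleaseContext"},
    "single-instance mutex": {"CreateMutexA", "OpenMutexA"},
    "child process execution": {"CreateProcessA", "WaitForSingleObject", "GetExitCodeProcess", "TerminateProcess"},
    "token and ACL manipulation": {"OpenProcessToken", "GetTokenInformation", "CheckTokenMembership",
                                   "AllocateAndInitializeSid", "SetEntriesInAclA", "SetSecurityInfo", "GetSecurityInfo"},
    "desktop settings change": {"SystemParametersInfoW"},
}

# Functions that normally accompany the ones seen; their absence from the static
# table suggests they are resolved at run time through GetProcAddress.
EXPECTED_COMPANIONS = {
    "CryptExportKey": {"CryptAcquireContextA", "CryptAcquireContextW", "CryptGenKey",
                       "CryptEncrypt", "CryptImportKey"},
    "OpenProcessToken": {"AdjustTokenPrivileges", "LookupPrivilegeValueA", "LookupPrivilegeValueW"},
}


def all_imports(imports):
    return {name for names in imports.values() for name in names}


def capability_clusters(imports):
    """Map each capability to the imported functions that support it."""
    seen = all_imports(imports)
    return {cap: sorted(seen & funcs) for cap, funcs in CAPABILITIES.items() if seen & funcs}


def missing_companions(imports):
    """For each anchor function present, the usual partners that are absent."""
    seen = all_imports(imports)
    return {anchor: sorted(funcs - seen)
            for anchor, funcs in EXPECTED_COMPANIONS.items() if anchor in seen}


def role_mismatch(file_description, imports):
    """A keyboard-layout DLL needs no imports at all; return any that are present."""
    if "Keyboard Layout" not in file_description:
        return []
    return sorted(all_imports(imports))


if __name__ == "__main__":
    for cap, funcs in capability_clusters(IMPORTS).items():
        print(f"{cap}: {', '.join(funcs)}")
    print("likely resolved at run time:", missing_companions(IMPORTS))
    print("imports a 'Latvia Keyboard Layout' should not have:",
          len(role_mismatch("Latvia Keyboard Layout", IMPORTS)))
```

The companion check is deliberately conservative: it only says which members of a family are absent, not which of them the sample actually resolves through GetProcAddress; confirming that requires the strings or the code, which this report does not reproduce.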
Ordinal | 1 |
---|---|
Address | 0x5ae0 |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 6.1.7600.16385 |
ProductVersion | 6.1.7600.16385 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_DLL |
Language | UNKNOWN |
CompanyName | Microsoft Corporation |
FileDescription | Latvia Keyboard Layout |
FileVersion (#2) | 6.1.7600.16385 (win7_rtm.090713-1255) |
InternalName | kbdlv (3.13) |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | kbdlv.dll |
ProductName | Microsoft® Windows® Operating System |
ProductVersion (#2) | 6.1.7600.16385 |
Resource LangID | English - United States |
XOR Key | 0x75042c57 |
---|---|
Unmarked objects | 0 |
12 (7291) | 2 |
14 (7299) | 2 |
C++ objects (8047) | 1 |
C objects (8047) | 4 |
Linker (8047) | 4 |
Total imports | 129 |
Imports (VS2003 (.NET) build 4035) | 11 |
C++ objects (VS98 SP6 build 8804) | 6 |
Linker (VC++ 6.0 SP5 imp/exp build 8447) | 1 |
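The Rich header is the linker's own record of which compiler and library builds produced the object files, stored XOR-masked between the DOS stub and the PE signature; the table above is its decoded form, and it agrees with the optional header's LinkerVersion 6.0 and the "Visual C++ 6.0" compiler match. The decoder below is an added example, not Manalyze's code. The page gives only the XOR key (0x75042c57) and the decoded rows, not the raw bytes, so build_sample() reconstructs a header from two of those rows (product id 12, build 7291, count 2; product id 14, build 7299, count 2); the other rows are left out and no product names are assigned. The key is derived from the DOS header and stub, which are not on this page, so the decoder reads it from the "Rich" trailer rather than recomputing it.

```python
"""Decode a PE 'Rich' header.  Added example, not Manalyze output; the sample
bytes are constructed from two rows of the report's Rich table."""
import struct

DANS = struct.unpack("<I", b"DanS")[0]


def build_sample(key=0x75042C57, entries=((12, 7291, 2), (14, 7299, 2))):
    """Constructed Rich header: 'DanS' plus three padding dwords, then
    (prodid<<16 | build, count) pairs, all XORed with key, then 'Rich' + key."""
    words = [DANS, 0, 0, 0]
    for prodid, build, count in entries:
        words += [(prodid << 16) | build, count]
    body = b"".join(struct.pack("<I", w ^ key) for w in words)
    return body + b"Rich" + struct.pack("<I", key)


def decode_rich(data):
    """Return (key, [(prodid, build, count), ...]); raise if no valid header."""
    end = data.rfind(b"Rich")
    if end < 0:
        raise ValueError("no Rich signature")
    key = struct.unpack_from("<I", data, end + 4)[0]
    # Walk backwards one dword at a time until the masked 'DanS' marker appears.
    start = end - 4
    while start >= 0:
        if struct.unpack_from("<I", data, start)[0] ^ key == DANS:
            break
        start -= 4
    else:
        raise ValueError("no DanS marker for key %#x" % key)
    entries = []
    for off in range(start + 16, end, 8):      # skip DanS and 3 padding dwords
        comp, count = struct.unpack_from("<II", data, off)
        comp ^= key
        entries.append((comp >> 16, comp & 0xFFFF, count ^ key))
    return key, entries


if __name__ == "__main__":
    key, entries = decode_rich(build_sample())
    print(f"XOR key {key:#010x}")
    for prodid, build, count in entries:
        print(f"product {prodid:3d} build {build:5d} x{count}")
```

Because the key is a checksum over the DOS header and the entries themselves, a sample whose DOS stub has been altered after linking (or whose Rich block was pasted in from another file) will decode cleanly but fail a recomputation of the key; that recomputation needs the raw bytes, which is why it is not attempted here.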