SHA256: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
File name: LODCTR.EXE
Detection ratio: 56 / 65
Analysis date: 2017-10-23 01:45:38 UTC (5 hours, 54 minutes ago)
Antivirus / Result / Update (signature database date, YYYYMMDD)
Ad-Aware Trojan.Ransom.WannaCryptor.L 20171023
AegisLab Uds.Dangerousobject.Multi!c 20171023
AhnLab-V3 Trojan/Win32.WannaCryptor.R200589 20171022
ALYac Trojan.Ransom.WannaCryptor 20171023
Antiy-AVL Trojan/Win32.Deshacop 20171023
Arcabit Trojan.Ransom.WannaCryptor.L 20171023
Avast Win32:WanaCry-A [Trj] 20171023
AVG Win32:WanaCry-A [Trj] 20171023
Avira (no cloud) TR/FileCoder.724645 20171022
AVware Trojan.Win32.Generic!BT 20171023
BitDefender Trojan.Ransom.WannaCryptor.L 20171023
CAT-QuickHeal Ransom.WanaCry.S962568 20171020
ClamAV Win.Trojan.Agent-6312824-0 20171022
Comodo TrojWare.Win32.Ransom.WannaCryptor.~ 20171022
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20171016
Cylance Unsafe 20171023
Cyren W32/Trojan.FMLA-6191 20171023
DrWeb Trojan.Encoder.11432 20171023
Emsisoft Trojan.Ransom.WannaCryptor.L (B) 20171023
Endgame malicious (high confidence) 20171016
ESET-NOD32 Win32/Filecoder.WannaCryptor.D 20171023
F-Prot W32/WannaCrypt.A 20171023
F-Secure Trojan.Ransom.WannaCryptor.L 20171023
Fortinet W32/GenKryptik.1C25!tr 20171023
GData Win32.Trojan-Ransom.WannaCry.E 20171023
Ikarus Trojan-Ransom.WannaCry 20171022
Sophos ML heuristic 20170914
Jiangmin Trojan.WanaCry.a 20171022
K7AntiVirus Trojan ( 0001140e1 ) 20171019
K7GW Trojan ( 0001140e1 ) 20171023
Kaspersky Trojan-Ransom.Win32.Wanna.c 20171022
Malwarebytes Ransom.WannaCrypt 20171022
MAX malware (ai score=100) 20171023
McAfee Ransom-O 20171023
McAfee-GW-Edition BehavesLike.Win32.Dropper.dh 20171023
Microsoft Ransom:Win32/WannaCrypt 20171022
eScan Trojan.Ransom.WannaCryptor.L 20171022
NANO-Antivirus Trojan.Win32.Wanna.eottwl 20171022
nProtect Ransom/W32.Wanna.245760 20171023
Palo Alto Networks (Known Signatures) generic.ml 20171023
Panda Trj/RansomCrypt.K 20171022
Qihoo-360 Win32/Trojan.Multi.daf 20171023
Rising Ransom.WanaCrypt!1.AAEF (CLASSIC) 20171023
Sophos AV Troj/Wanna-D 20171023
SUPERAntiSpyware Ransom.WannaCrypt/Variant 20171022
Symantec Ransom.Wannacry 20171022
Tencent Trojan.Win32.WannaCry.d 20171023
TheHacker Trojan/Filecoder.WannaCryptor.d 20171017
TrendMicro RANSOM_WCRY.I 20171022
TrendMicro-HouseCall RANSOM_WCRY.I 20171022
VBA32 Trojan-Ransom.Wanna 20171020
VIPRE Trojan.Win32.Generic!BT 20171022
ViRobot Trojan.Win32.S.WannaCry.245760 20171022
Yandex Trojan.Filecoder!vJ8G5Dz20yg 20171021
ZoneAlarm by Check Point Trojan-Ransom.Win32.Wanna.c 20171023
Zoner Trojan.Wannacry 20171023
Engines that reported no detection (signature database date only):
Alibaba 20170911
Avast-Mobile 20171022
Baidu 20171020
Bkav 20171020
CMC 20171022
eGambit 20171023
Kingsoft 20171023
SentinelOne (Static ML) 20171019
Symantec Mobile Insight 20171011
TotalDefense 20171022
Trustlook 20171023
WhiteArmor 20171016
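Vendor labels in a table like the one above use different naming schemes (WannaCryptor, WanaCry, WannaCrypt, Wanna, WCRY), so a detection count alone does not say which family the engines agree on. The following is an added example, not part of the VirusTotal report: it strips generic tokens from each label, maps known aliases to one canonical family name and reports the consensus alongside the ratio. The rows are a subset copied from the table above and embedded inline as constructed input; the GENERIC and ALIASES tables are this example's own heuristics, not a VirusTotal feature.

```python
"""Family-name consensus from a multi-engine scan table (added example)."""
import re
from collections import Counter

# Constructed input: (engine, result or None, signature date), a subset of the
# report's table. None means the engine reported no detection.
SCAN_ROWS = [
    ("Ad-Aware", "Trojan.Ransom.WannaCryptor.L", "20171023"),
    ("Avast", "Win32:WanaCry-A [Trj]", "20171023"),
    ("Avira (no cloud)", "TR/FileCoder.724645", "20171022"),
    ("DrWeb", "Trojan.Encoder.11432", "20171023"),
    ("ESET-NOD32", "Win32/Filecoder.WannaCryptor.D", "20171023"),
    ("Kaspersky", "Trojan-Ransom.Win32.Wanna.c", "20171022"),
    ("Microsoft", "Ransom:Win32/WannaCrypt", "20171022"),
    ("Symantec", "Ransom.Wannacry", "20171022"),
    ("TrendMicro", "RANSOM_WCRY.I", "20171022"),
    ("VIPRE", "Trojan.Win32.Generic!BT", "20171022"),
    ("Cylance", "Unsafe", "20171023"),
    ("Alibaba", None, "20170911"),
    ("Baidu", None, "20171020"),
]

# Tokens that describe a class or platform, not a family (heuristic list).
GENERIC = {"trojan", "ransom", "win32", "w32", "generic", "trj", "tr", "filecoder",
           "encoder", "agent", "malware", "unsafe", "heuristic", "ml", "bt", "variant",
           "multi", "dangerousobject", "uds", "classic"}

# Vendor spellings -> canonical family name (heuristic table for this example).
ALIASES = {
    "wannacryptor": "wannacry", "wanacry": "wannacry", "wannacrypt": "wannacry",
    "wanacrypt": "wannacry", "wanna": "wannacry", "wcry": "wannacry",
    "wannacry": "wannacry",
}

def family_tokens(label):
    """Lowercase tokens of a label, minus generic words, bare numbers and
    one- or two-letter variant suffixes such as '.L', '.c' or '-A'."""
    tokens = re.split(r"[^A-Za-z0-9]+", label.lower())
    return [t for t in tokens if t and t not in GENERIC and not t.isdigit() and len(t) > 2]

def canonical_family(label):
    """First token that maps to a known family, or None for generic labels."""
    for t in family_tokens(label):
        if t in ALIASES:
            return ALIASES[t]
    return None

def summarize(rows):
    """Detection ratio, majority family and the engines whose label names no family."""
    detections = [(engine, result) for engine, result, _ in rows if result]
    families = Counter(f for _, r in detections for f in [canonical_family(r)] if f)
    consensus, votes = (families.most_common(1) or [(None, 0)])[0]
    return {
        "detected": len(detections),
        "engines": len(rows),
        "ratio": f"{len(detections)}/{len(rows)}",
        "consensus": consensus,
        "votes": votes,
        "unnamed": sorted(e for e, r in detections if canonical_family(r) is None),
    }

if __name__ == "__main__":
    print(summarize(SCAN_ROWS))
```

On the embedded rows this yields 11/13 detections with seven engines naming the same family and four (Avira, Cylance, DrWeb, VIPRE) returning labels that are generic or heuristic only; those are the rows to inspect by hand rather than count as a family vote.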
The file is a Portable Executable: a 32-bit Win32 EXE for the Windows GUI subsystem.
FileVersionInfo properties
Copyright: © Microsoft Corporation. All rights reserved.
Product: Microsoft® Windows® Operating System
Original name: LODCTR.EXE
Internal name: LODCTR.EXE
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
Description: Load PerfMon Counters
These strings come from the binary's VERSIONINFO resource and match the genuine Windows 7 RTM lodctr.exe; nothing in a version resource is authenticated, so they are as easy to copy as any other bytes. They also do not fit the file they sit in: lodctr.exe is a command-line utility, while this sample targets the GUI subsystem, carries dialog, icon and bitmap resources, and imports clipboard, Winsock and URLDownloadToFileA functions (see PE imports below). Treat the version strings as an impersonation indicator and verify the Authenticode signature, not the resource, when deciding whether a file is a Microsoft component.
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2009-07-13 23:19:35
Entry point: 0x00013102
Number of sections: 4
The compilation timestamp agrees with the build date encoded in the version string (090713), so it does not on its own separate this file from the genuine binary. The linker version reported below (6.0) and the msvcp60-style mangled std::basic_string exports in the import list point to a Visual C++ 6 build, which is not how a Windows 7 RTM component was produced.
PE imports (function names as listed by the report; the DLL each name is imported from is not shown)
CryptReleaseContext
RegCloseKey
RegSetValueExA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
RegCreateKeyW
GetUserNameA
CheckTokenMembership
Ord(8)
_TrackMouseEvent
GetDeviceCaps
GetObjectA
CreateCompatibleDC
CreateRectRgn
GetWindowOrgEx
PatBlt
GetTextExtentPoint32A
RectVisible
TextOutA
CreateFontIndirectA
ExtTextOutA
PtVisible
Escape
BitBlt
GetViewportOrgEx
DeleteObject
CreateCompatibleBitmap
CreateFontA
CreateSolidBrush
CopyFileW
SystemTimeToFileTime
GetUserDefaultLangID
ReadFile
TerminateThread
GetFileAttributesA
GlobalFree
WaitForSingleObject
GetExitCodeProcess
FindNextFileA
EnterCriticalSection
CopyFileA
GetTickCount
SetFileTime
GlobalUnlock
LoadLibraryA
GetFileAttributesW
SystemTimeToTzSpecificLocalTime
DeleteCriticalSection
GetStartupInfoA
GetDriveTypeW
GetLocaleInfoA
GetFileSize
GetDiskFreeSpaceExW
CreateDirectoryA
DeleteFileA
GetCurrentDirectoryA
MultiByteToWideChar
SetFilePointerEx
GetModuleFileNameA
GetProcAddress
GetFileTime
SetFilePointer
GetLogicalDrives
CreateThread
GetModuleHandleA
FindNextFileW
WriteFile
FindFirstFileA
CloseHandle
GetTempFileNameA
GetComputerNameA
FindFirstFileW
WideCharToMultiByte
GlobalLock
TerminateProcess
CreateProcessA
GetTimeZoneInformation
GetExitCodeThread
InitializeCriticalSection
GlobalAlloc
LocalFileTimeToFileTime
FindClose
Sleep
SetEndOfFile
CreateFileA
ExitProcess
SetCurrentDirectoryA
LeaveCriticalSection
Ord(6197)
Ord(2023)
Ord(3998)
Ord(4080)
Ord(537)
Ord(4710)
Ord(2414)
Ord(3597)
Ord(2411)
Ord(939)
Ord(3136)
Ord(341)
Ord(665)
Ord(5678)
Ord(2124)
Ord(5736)
Ord(755)
Ord(3798)
Ord(2621)
Ord(3721)
Ord(5290)
Ord(940)
Ord(2864)
Ord(2446)
Ord(1979)
Ord(6438)
Ord(6215)
Ord(781)
Ord(4441)
Ord(5787)
Ord(5579)
Ord(795)
Ord(616)
Ord(815)
Ord(922)
Ord(641)
Ord(3698)
Ord(654)
Ord(1641)
Ord(5277)
Ord(2514)
Ord(4402)
Ord(3640)
Ord(3089)
Ord(5199)
Ord(3574)
Ord(1134)
Ord(941)
Ord(4465)
Ord(609)
Ord(5300)
Ord(1200)
Ord(2381)
Ord(3797)
Ord(4476)
Ord(5759)
Ord(4425)
Ord(4627)
Ord(1168)
Ord(3738)
Ord(4853)
Ord(2982)
Ord(3402)
Ord(923)
Ord(4234)
Ord(825)
Ord(5781)
Ord(4218)
Ord(5571)
Ord(5710)
Ord(693)
Ord(567)
Ord(4424)
Ord(540)
Ord(6648)
Ord(6136)
Ord(4078)
Ord(2554)
Ord(289)
Ord(6376)
Ord(6194)
Ord(6021)
Ord(1727)
Ord(3370)
Ord(823)
Ord(5785)
Ord(2642)
Ord(283)
Ord(2379)
Ord(2725)
Ord(640)
Ord(3874)
Ord(2578)
Ord(4353)
Ord(6061)
Ord(6189)
Ord(2582)
Ord(3749)
Ord(2512)
Ord(470)
Ord(4274)
Ord(5261)
Ord(6876)
Ord(3259)
Ord(4079)
Ord(1146)
Ord(6663)
Ord(3147)
Ord(2860)
Ord(6375)
Ord(324)
Ord(2370)
Ord(4284)
Ord(4398)
Ord(3301)
Ord(3262)
Ord(2289)
Ord(5241)
Ord(1576)
Ord(2754)
Ord(1775)
Ord(5864)
Ord(6778)
Ord(2575)
Ord(5065)
Ord(4407)
Ord(4275)
Ord(3708)
Ord(3346)
Ord(858)
Ord(2396)
Ord(3831)
Ord(353)
Ord(6374)
Ord(5280)
Ord(6453)
Ord(6192)
Ord(2976)
Ord(4998)
Ord(323)
Ord(3825)
Ord(1089)
Ord(2985)
Ord(6140)
Ord(3663)
Ord(3922)
Ord(6052)
Ord(2818)
Ord(4376)
Ord(2405)
Ord(6734)
Ord(3582)
Ord(800)
Ord(535)
Ord(6172)
Ord(3830)
Ord(5794)
Ord(2385)
Ord(4278)
Ord(3706)
Ord(2971)
Ord(3619)
Ord(3092)
Ord(5875)
Ord(3079)
Ord(4396)
Ord(6334)
Ord(2055)
Ord(3996)
Ord(4837)
Ord(3571)
Ord(4129)
Ord(1776)
Ord(2648)
Ord(5714)
Ord(5289)
Ord(4277)
Ord(4622)
Ord(561)
Ord(6186)
Ord(4330)
Ord(3596)
Ord(1640)
Ord(2302)
Ord(765)
Ord(924)
Ord(3573)
Ord(4486)
Ord(5789)
Ord(3081)
Ord(4698)
Ord(613)
Ord(5756)
Ord(3626)
Ord(5163)
Ord(6055)
Ord(6199)
Ord(5265)
Ord(4673)
Ord(5307)
Ord(5302)
Ord(6170)
Ord(860)
Ord(5731)
Ord(5873)
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z
?_Xran@std@@YAXXZ
?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z
?_Xlen@std@@YAXXZ
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB
_purecall
__p__fmode
malloc
srand
??0exception@@QAE@ABV0@@Z
_acmdln
??1type_info@@UAE@XZ
fread
_wcsnicmp
__dllonexit
swprintf
fgets
sscanf
fopen
strncpy
_except_handler3
strtok
fwrite
strncmp
??0exception@@QAE@ABQBD@Z
_mbscmp
_onexit
wcslen
wcscmp
??1exception@@UAE@XZ
exit
_XcptFilter
realloc
wcsrchr
__setusermatherr
rand
__p__commode
sprintf
__CxxFrameHandler
_wcsicmp
fclose
_adjust_fdiv
free
wcscat
_CxxThrowException
_mbsstr
__getmainargs
calloc
__p___argv
_exit
__p___argc
_setmbcp
memmove
_local_unwind2
wcscpy
strrchr
_ftol
wcsstr
time
_strnicmp
_initterm
_controlfp
__set_app_type
VariantTimeToSystemTime
SHGetFolderPathW
ShellExecuteExA
ShellExecuteA
SetFocus
RedrawWindow
GetParent
SystemParametersInfoA
OffsetRect
FindWindowW
KillTimer
ShowWindow
SetWindowPos
GetSystemMetrics
EnableWindow
DrawIcon
GrayStringA
GetSysColor
SetActiveWindow
DrawTextA
SetClipboardData
SendMessageA
CloseClipboard
SetWindowTextW
SystemParametersInfoW
BringWindowToTop
IsIconic
InvalidateRect
TabbedTextOutA
wsprintfA
SetTimer
LoadCursorA
LoadIconA
FillRect
GetClientRect
EmptyClipboard
SetForegroundWindow
OpenClipboard
SetCursor
DeleteUrlCacheEntry
__WSAFDIsSet
socket
setsockopt
bind
inet_addr
send
ioctlsocket
WSAStartup
gethostbyname
WSAGetLastError
connect
shutdown
closesocket
inet_ntoa
htons
recv
select
URLDownloadToFileA
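An import table is the quickest static check of whether a binary can do what its version resource claims. The following is an added example, not part of the VirusTotal report and not code from the sample: it buckets import names into capabilities and lists those a genuine "Load PerfMon Counters" tool has no reason to have. IMPORTS is a constructed subset of the names listed above (the report does not show the originating DLLs, so only function names are matched); the CAPABILITIES and EXPECTED_FOR_CLAIM tables are this example's own heuristics, not a standard catalogue.

```python
"""Import-based capability triage against a binary's claimed purpose (added example)."""

# Constructed input: a subset of the import names from the report above.
IMPORTS = [
    "CryptReleaseContext", "RegSetValueExA", "CheckTokenMembership",
    "CopyFileW", "FindFirstFileW", "FindNextFileW", "GetLogicalDrives",
    "GetDriveTypeW", "GetDiskFreeSpaceExW", "CreateProcessA",
    "TerminateProcess", "GetComputerNameA", "GetUserNameA", "SetFileTime",
    "OpenClipboard", "SetClipboardData", "ShellExecuteA", "SHGetFolderPathW",
    "WSAStartup", "socket", "connect", "send", "recv", "gethostbyname",
    "URLDownloadToFileA", "DeleteUrlCacheEntry", "TextOutA", "DrawTextA",
]

# Heuristic capability buckets (this example's own table).
CAPABILITIES = {
    "network":    {"WSAStartup", "socket", "connect", "send", "recv", "gethostbyname"},
    "downloader": {"URLDownloadToFileA", "DeleteUrlCacheEntry"},
    "file_enum":  {"FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW",
                   "GetLogicalDrives", "GetDriveTypeW", "GetDiskFreeSpaceExW"},
    "file_write": {"CopyFileA", "CopyFileW", "WriteFile", "SetFileTime", "DeleteFileA"},
    "process":    {"CreateProcessA", "ShellExecuteA", "ShellExecuteExA", "TerminateProcess"},
    "host_recon": {"GetComputerNameA", "GetUserNameA", "CheckTokenMembership",
                   "SHGetFolderPathW"},
    "registry":   {"RegSetValueExA", "RegCreateKeyW", "RegQueryValueExA"},
    "clipboard":  {"OpenClipboard", "SetClipboardData", "EmptyClipboard"},
    "crypto":     {"CryptReleaseContext", "CryptAcquireContextA", "CryptAcquireContextW",
                   "CryptGenRandom", "CryptEncrypt", "CryptDecrypt", "CryptImportKey"},
}

# Assumption (not from the report): a genuine "Load PerfMon Counters" command-line
# tool plausibly touches counter registry keys and the INI/header files it
# reads and writes, and nothing else in the table above.
EXPECTED_FOR_CLAIM = {"Load PerfMon Counters": {"registry", "file_write"}}

def capabilities(imports):
    """Map capability -> sorted list of matching import names actually present."""
    names = set(imports)
    found = {}
    for cap, apis in CAPABILITIES.items():
        hit = sorted(names & apis)
        if hit:
            found[cap] = hit
    return found

def unexpected_capabilities(imports, claimed_description):
    """Capabilities present that the claimed FileDescription does not account for."""
    allowed = EXPECTED_FOR_CLAIM.get(claimed_description, set())
    return sorted(cap for cap in capabilities(imports) if cap not in allowed)

def dropper_shape(imports):
    """True when drive/file enumeration, network or download, and process
    creation co-occur: the shape of a downloader/dropper, or of ransomware
    that walks drives, fetches components and launches helpers."""
    caps = capabilities(imports)
    return ("file_enum" in caps
            and ("network" in caps or "downloader" in caps)
            and "process" in caps)

if __name__ == "__main__":
    for cap, apis in capabilities(IMPORTS).items():
        print(f"{cap:11s} {', '.join(apis)}")
    print("unexpected for claim:",
          unexpected_capabilities(IMPORTS, "Load PerfMon Counters"))
    print("dropper shape:", dropper_shape(IMPORTS))
```

For the subset above every bucket except registry and file_write is unexplained by the claimed description, and the enumeration + network + process-creation combination is present; that combination, together with the ordinal-only MFC imports that hide most of the GUI code from name-based matching, is the result to compare against the version strings rather than trusting either alone.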
Number of PE resources by type
RT_DIALOG: 5
RT_ICON: 3
RT_BITMAP: 3
RT_GROUP_ICON: 2
Struct(240): 1
RT_MANIFEST: 1
RT_VERSION: 1
Number of PE resources by language
ENGLISH US: 16
ExifTool file metadata
SubsystemVersion: 4.0
LinkerVersion: 6.0
ImageVersion: 0.0
FileSubtype: 0
FileVersionNumber: 6.1.7600.16385
UninitializedDataSize: 0
LanguageCode: English (U.S.)
FileFlagsMask: 0x003f
CharacterSet: Unicode
InitializedDataSize: 159744
EntryPoint: 0x13102
OriginalFileName: LODCTR.EXE
MIMEType: application/octet-stream
LegalCopyright: Microsoft Corporation. All rights reserved.
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
TimeStamp: 2009:07:14 00:19:35+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: LODCTR.EXE
ProductVersion: 6.1.7600.16385
FileDescription: Load PerfMon Counters
OSVersion: 4.0
FileOS: Windows NT 32-bit
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CompanyName: Microsoft Corporation
CodeSize: 81920
ProductName: Microsoft Windows Operating System
ProductVersionNumber: 6.1.7600.16385
FileTypeExtension: exe
ObjectFileType: Executable application
File identification
MD5: 7bf2b57f2a205768755c07f238fb32cc
SHA1: 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
ssdeep: 3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
authentihash: ba936082512d7f462df284097992e756bede1cae6146044f72519f8b4b4cff57
imphash: dcac8383cc76738eecb5756694c4aeb2
File size: 240.0 KB (245760 bytes)
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
  Win32 Executable MS Visual C++ (generic) (42.2%)
  Win64 Executable (generic) (37.3%)
  Win32 Dynamic Link Library (generic) (8.8%)
  Win32 Executable (generic) (6.0%)
  Generic Win/DOS Executable (2.7%)
Tags: peexe via-tor

VirusTotal metadata
First submission: 2017-05-12 07:32:47 UTC (5 months, 2 weeks ago)
Last submission: 2017-10-22 18:58:47 UTC (12 hours, 41 minutes ago)
File names seen at submission:
@WanaDecryptor@.exe
LODCTR.EXE
mare.txt
output.111378198.txt
wnry1.exe
WanaDecryptor.ex_
suspicious
@WanaDecryptor@.exe
ToolAntiWannaCRY.exe
localfile~
170513-2.Ransom.WannaCryptor.exe
@WanaDecryptor@.exe
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
dxdiag.exe
@WanaDecrypto r@.exe
b9c5d4339809e0ad_u.wnry
Ransom.HydraCrypt.exe
@WanaDecryptor@.exe
b9c5.bin
@WanaDecryptor@.exe
u.wnry
91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9.infected
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25.bin.exe
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25.exe
_WanaDecryptor_ .exe.kkkk
Behaviour characterization (Zemana): dll-injection
