SHA256: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
File name: @wanadecryptor@.exe
Detection ratio: 59 / 63
Analysis date: 2017-07-26 13:24:46 UTC ( 2 days, 1 hour ago )
Antivirus Result Update
Ad-Aware Trojan.Ransom.WannaCryptor.L 20170726
AegisLab Uds.Dangerousobject.Multi!c 20170726
AhnLab-V3 Trojan/Win32.WannaCryptor.R200589 20170726
ALYac Trojan.Ransom.WannaCryptor 20170726
Antiy-AVL Trojan/Win32.Deshacop 20170726
Arcabit Trojan.Ransom.WannaCryptor.L 20170726
Avast Win32:WanaCry-A [Trj] 20170726
AVG Win32:WanaCry-A [Trj] 20170726
Avira (no cloud) TR/FileCoder.724645 20170726
AVware Trojan.Win32.Generic!BT 20170721
BitDefender Trojan.Ransom.WannaCryptor.L 20170726
CAT-QuickHeal Ransom.WanaCry.S962568 20170726
ClamAV Win.Trojan.Agent-6312824-0 20170726
Comodo TrojWare.Win32.Ransom.WannaCryptor.~ 20170726
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170710
Cylance Unsafe 20170726
Cyren W32/Trojan.FMLA-6191 20170726
DrWeb Trojan.Encoder.11432 20170726
Emsisoft Trojan.Ransom.WannaCryptor.L (B) 20170726
Endgame malicious (high confidence) 20170721
ESET-NOD32 Win32/Filecoder.WannaCryptor.D 20170726
F-Prot W32/WannaCrypt.A 20170726
F-Secure Trojan.Ransom.WannaCryptor.L 20170726
Fortinet W32/GenKryptik.1C25!tr 20170726
GData Win32.Trojan-Ransom.WannaCry.E 20170726
Ikarus Trojan-Ransom.WannaCry 20170726
Sophos ML heuristic 20170607
Jiangmin Trojan.WanaCry.a 20170726
K7AntiVirus Trojan ( 0001140e1 ) 20170726
K7GW Trojan ( 0001140e1 ) 20170726
Kaspersky Trojan-Ransom.Win32.Wanna.c 20170726
Malwarebytes Ransom.WannaCrypt 20170726
MAX malware (ai score=100) 20170726
McAfee Ransom-O 20170726
McAfee-GW-Edition BehavesLike.Win32.RansomWannaCry.dh 20170725
Microsoft Ransom:Win32/WannaCrypt 20170726
eScan Trojan.Ransom.WannaCryptor.L 20170726
NANO-Antivirus Trojan.Win32.Wanna.eottwl 20170726
nProtect Ransom/W32.Wanna.245760 20170726
Palo Alto Networks (Known Signatures) generic.ml 20170726
Panda Trj/RansomCrypt.K 20170725
Qihoo-360 Win32/Trojan.Multi.daf 20170726
Rising Malware.Generic.5!tfe (cloud:7SfzBq30iMV) 20170726
SentinelOne (Static ML) static engine - malicious 20170718
Sophos AV Troj/Wanna-D 20170726
SUPERAntiSpyware Ransom.WannaCrypt/Variant 20170726
Symantec Ransom.Wannacry 20170726
Tencent Win32.Trojan.Raas.Ts 20170726
TheHacker Trojan/Filecoder.WannaCryptor.d 20170724
TrendMicro RANSOM_WCRY.I 20170726
TrendMicro-HouseCall RANSOM_WCRY.I 20170726
VBA32 Hoax.Wanna 20170725
VIPRE Trojan.Win32.Generic!BT 20170726
ViRobot Trojan.Win32.S.WannaCry.245760 20170726
Webroot W32.Ransom.Wannacry 20170726
Yandex Trojan.Filecoder!vJ8G5Dz20yg 20170725
Zillya Trojan.WannaCry.Win32.9 20170725
ZoneAlarm by Check Point Trojan-Ransom.Win32.Wanna.c 20170726
Zoner Trojan.Wannacry 20170726
No detection (updated 20170726): Alibaba, Baidu, Bkav, CMC, Kingsoft, Symantec Mobile Insight, Trustlook
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright: © Microsoft Corporation. All rights reserved.
Product: Microsoft® Windows® Operating System
Original name: LODCTR.EXE
Internal name: LODCTR.EXE
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
Description: Load PerfMon Counters
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2009-07-13 23:19:35
Entry Point: 0x00013102
Number of sections: 4
PE imports
CryptReleaseContext
RegCloseKey
RegSetValueExA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
RegCreateKeyW
GetUserNameA
CheckTokenMembership
Ord(8)
_TrackMouseEvent
GetDeviceCaps
GetObjectA
CreateCompatibleDC
CreateRectRgn
GetWindowOrgEx
PatBlt
GetTextExtentPoint32A
RectVisible
TextOutA
CreateFontIndirectA
ExtTextOutA
PtVisible
Escape
BitBlt
GetViewportOrgEx
DeleteObject
CreateCompatibleBitmap
CreateFontA
CreateSolidBrush
CopyFileW
SystemTimeToFileTime
GetUserDefaultLangID
ReadFile
TerminateThread
GetFileAttributesA
GlobalFree
WaitForSingleObject
GetExitCodeProcess
FindNextFileA
EnterCriticalSection
CopyFileA
GetTickCount
SetFileTime
GlobalUnlock
LoadLibraryA
GetFileAttributesW
SystemTimeToTzSpecificLocalTime
DeleteCriticalSection
GetStartupInfoA
GetDriveTypeW
GetLocaleInfoA
GetFileSize
GetDiskFreeSpaceExW
CreateDirectoryA
DeleteFileA
GetCurrentDirectoryA
MultiByteToWideChar
SetFilePointerEx
GetModuleFileNameA
GetProcAddress
GetFileTime
SetFilePointer
GetLogicalDrives
CreateThread
GetModuleHandleA
FindNextFileW
WriteFile
FindFirstFileA
CloseHandle
GetTempFileNameA
GetComputerNameA
FindFirstFileW
WideCharToMultiByte
GlobalLock
TerminateProcess
CreateProcessA
GetTimeZoneInformation
GetExitCodeThread
InitializeCriticalSection
GlobalAlloc
LocalFileTimeToFileTime
FindClose
Sleep
SetEndOfFile
CreateFileA
ExitProcess
SetCurrentDirectoryA
LeaveCriticalSection
Ord(6197)
Ord(2023)
Ord(3998)
Ord(4080)
Ord(537)
Ord(4710)
Ord(2414)
Ord(3597)
Ord(2411)
Ord(939)
Ord(3136)
Ord(341)
Ord(665)
Ord(5678)
Ord(2124)
Ord(5736)
Ord(755)
Ord(3798)
Ord(2621)
Ord(3721)
Ord(5290)
Ord(940)
Ord(2864)
Ord(2446)
Ord(1979)
Ord(6438)
Ord(6215)
Ord(781)
Ord(4441)
Ord(5787)
Ord(5579)
Ord(795)
Ord(616)
Ord(815)
Ord(922)
Ord(641)
Ord(3698)
Ord(654)
Ord(1641)
Ord(5277)
Ord(2514)
Ord(4402)
Ord(3640)
Ord(3089)
Ord(5199)
Ord(3574)
Ord(1134)
Ord(941)
Ord(4465)
Ord(609)
Ord(5300)
Ord(1200)
Ord(2381)
Ord(3797)
Ord(4476)
Ord(5759)
Ord(4425)
Ord(4627)
Ord(1168)
Ord(3738)
Ord(4853)
Ord(2982)
Ord(3402)
Ord(923)
Ord(4234)
Ord(825)
Ord(5781)
Ord(4218)
Ord(5571)
Ord(5710)
Ord(693)
Ord(567)
Ord(4424)
Ord(540)
Ord(6648)
Ord(6136)
Ord(4078)
Ord(2554)
Ord(289)
Ord(6376)
Ord(6194)
Ord(6021)
Ord(1727)
Ord(3370)
Ord(823)
Ord(5785)
Ord(2642)
Ord(283)
Ord(2379)
Ord(2725)
Ord(640)
Ord(3874)
Ord(2578)
Ord(4353)
Ord(6061)
Ord(6189)
Ord(2582)
Ord(3749)
Ord(2512)
Ord(470)
Ord(4274)
Ord(5261)
Ord(6876)
Ord(3259)
Ord(4079)
Ord(1146)
Ord(6663)
Ord(3147)
Ord(2860)
Ord(6375)
Ord(324)
Ord(2370)
Ord(4284)
Ord(4398)
Ord(3301)
Ord(3262)
Ord(2289)
Ord(5241)
Ord(1576)
Ord(2754)
Ord(1775)
Ord(5864)
Ord(6778)
Ord(2575)
Ord(5065)
Ord(4407)
Ord(4275)
Ord(3708)
Ord(3346)
Ord(858)
Ord(2396)
Ord(3831)
Ord(353)
Ord(6374)
Ord(5280)
Ord(6453)
Ord(6192)
Ord(2976)
Ord(4998)
Ord(323)
Ord(3825)
Ord(1089)
Ord(2985)
Ord(6140)
Ord(3663)
Ord(3922)
Ord(6052)
Ord(2818)
Ord(4376)
Ord(2405)
Ord(6734)
Ord(3582)
Ord(800)
Ord(535)
Ord(6172)
Ord(3830)
Ord(5794)
Ord(2385)
Ord(4278)
Ord(3706)
Ord(2971)
Ord(3619)
Ord(3092)
Ord(5875)
Ord(3079)
Ord(4396)
Ord(6334)
Ord(2055)
Ord(3996)
Ord(4837)
Ord(3571)
Ord(4129)
Ord(1776)
Ord(2648)
Ord(5714)
Ord(5289)
Ord(4277)
Ord(4622)
Ord(561)
Ord(6186)
Ord(4330)
Ord(3596)
Ord(1640)
Ord(2302)
Ord(765)
Ord(924)
Ord(3573)
Ord(4486)
Ord(5789)
Ord(3081)
Ord(4698)
Ord(613)
Ord(5756)
Ord(3626)
Ord(5163)
Ord(6055)
Ord(6199)
Ord(5265)
Ord(4673)
Ord(5307)
Ord(5302)
Ord(6170)
Ord(860)
Ord(5731)
Ord(5873)
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z
?_Xran@std@@YAXXZ
?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z
?_Xlen@std@@YAXXZ
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB
_purecall
__p__fmode
malloc
srand
??0exception@@QAE@ABV0@@Z
_acmdln
??1type_info@@UAE@XZ
fread
_wcsnicmp
__dllonexit
swprintf
fgets
sscanf
fopen
strncpy
_except_handler3
strtok
fwrite
strncmp
??0exception@@QAE@ABQBD@Z
_mbscmp
_onexit
wcslen
wcscmp
??1exception@@UAE@XZ
exit
_XcptFilter
realloc
wcsrchr
__setusermatherr
rand
__p__commode
sprintf
__CxxFrameHandler
_wcsicmp
fclose
_adjust_fdiv
free
wcscat
_CxxThrowException
_mbsstr
__getmainargs
calloc
__p___argv
_exit
__p___argc
_setmbcp
memmove
_local_unwind2
wcscpy
strrchr
_ftol
wcsstr
time
_strnicmp
_initterm
_controlfp
__set_app_type
VariantTimeToSystemTime
SHGetFolderPathW
ShellExecuteExA
ShellExecuteA
SetFocus
RedrawWindow
GetParent
SystemParametersInfoA
OffsetRect
FindWindowW
KillTimer
ShowWindow
SetWindowPos
GetSystemMetrics
EnableWindow
DrawIcon
GrayStringA
GetSysColor
SetActiveWindow
DrawTextA
SetClipboardData
SendMessageA
CloseClipboard
SetWindowTextW
SystemParametersInfoW
BringWindowToTop
IsIconic
InvalidateRect
TabbedTextOutA
wsprintfA
SetTimer
LoadCursorA
LoadIconA
FillRect
GetClientRect
EmptyClipboard
SetForegroundWindow
OpenClipboard
SetCursor
DeleteUrlCacheEntry
__WSAFDIsSet
socket
setsockopt
bind
inet_addr
send
ioctlsocket
WSAStartup
gethostbyname
WSAGetLastError
connect
shutdown
closesocket
inet_ntoa
htons
recv
select
URLDownloadToFileA
Number of PE resources by type
RT_DIALOG 5
RT_ICON 3
RT_BITMAP 3
RT_GROUP_ICON 2
Struct(240) 1
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 16
ExifTool file metadata
SubsystemVersion: 4.0
InitializedDataSize: 159744
ImageVersion: 0.0
ProductName: Microsoft Windows Operating System
FileVersionNumber: 6.1.7600.16385
UninitializedDataSize: 0
LanguageCode: English (U.S.)
FileFlagsMask: 0x003f
CharacterSet: Unicode
LinkerVersion: 6.0
FileTypeExtension: exe
OriginalFileName: LODCTR.EXE
MIMEType: application/octet-stream
Subsystem: Windows GUI
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
TimeStamp: 2009:07:14 00:19:35+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: LODCTR.EXE
ProductVersion: 6.1.7600.16385
FileDescription: Load PerfMon Counters
OSVersion: 4.0
FileOS: Windows NT 32-bit
LegalCopyright: Microsoft Corporation. All rights reserved.
MachineType: Intel 386 or later, and compatibles
CompanyName: Microsoft Corporation
CodeSize: 81920
FileSubtype: 0
ProductVersionNumber: 6.1.7600.16385
EntryPoint: 0x13102
ObjectFileType: Executable application

CarbonBlack
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
File identification
MD5 7bf2b57f2a205768755c07f238fb32cc
SHA1 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256 b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
ssdeep 3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
authentihash ba936082512d7f462df284097992e756bede1cae6146044f72519f8b4b4cff57
imphash dcac8383cc76738eecb5756694c4aeb2
File size 240.0 KB ( 245760 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags
peexe via-tor

VirusTotal metadata
First submission 2017-05-12 07:32:47 UTC ( 2 months, 2 weeks ago )
Last submission 2017-07-26 13:24:46 UTC ( 2 days, 1 hour ago )
File names @WanaDecryptor@.exe
LODCTR.EXE
mare.txt
output.111378198.txt
wnry1.exe
WanaDecryptor.ex_
suspicious
@WanaDecryptor@.exe
ToolAntiWannaCRY.exe
localfile~
170513-2.Ransom.WannaCryptor.exe
@WanaDecryptor@.exe
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
dxdiag.exe
@WanaDecrypto r@.exe
b9c5d4339809e0ad_u.wnry
Ransom.HydraCrypt.exe
@WanaDecryptor@.exe
b9c5.bin
@WanaDecryptor@.exe
u.wnry
91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9.infected
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25.bin.exe
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25.exe
_WanaDecryptor_ .exe.kkkk
Behaviour characterization
Zemana
dll-injection

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Code injections in the following processes
Opened mutexes
Runtime DLLs
UDP communications