SHA256: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
File name: LODCTR.EXE
Detection ratio: 60 / 67
Analysis date: 2018-09-14 15:00:21 UTC ( 5 days, 3 hours ago )
Antivirus Result Update
Ad-Aware Trojan.Ransom.WannaCryptor.L 20180913
AegisLab Trojan.Win32.Wanna.j!c 20180914
AhnLab-V3 Trojan/Win32.WannaCryptor.R200589 20180914
ALYac Trojan.Ransom.WannaCryptor 20180914
Antiy-AVL Trojan/Win32.Deshacop 20180914
Arcabit Trojan.Ransom.WannaCryptor.L 20180914
Avast Win32:WanaCry-A [Trj] 20180914
AVG Win32:WanaCry-A [Trj] 20180914
Avira (no cloud) TR/FileCoder.724645 20180914
AVware Trojan.Win32.Generic!BT 20180914
BitDefender Trojan.Ransom.WannaCryptor.L 20180914
Bkav W32.RansomwareTBK.Trojan 20180914
CAT-QuickHeal Trojan.Mauvaise.SL1 20180912
ClamAV Win.Trojan.Agent-6312824-0 20180914
CMC Trojan-Ransom.Win32.Wanna!O 20180914
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20180723
Cybereason malicious.f2a205 20180225
Cylance Unsafe 20180914
Cyren W32/Trojan.FMLA-6191 20180914
DrWeb Trojan.Encoder.11432 20180914
Emsisoft Trojan.Ransom.WannaCryptor.L (B) 20180914
Endgame malicious (high confidence) 20180730
ESET-NOD32 Win32/Filecoder.WannaCryptor.D 20180914
F-Prot W32/WannaCrypt.A 20180914
F-Secure Trojan.Ransom.WannaCryptor.L 20180914
Fortinet W32/GenKryptik.1C25!tr 20180914
GData Win32.Trojan-Ransom.WannaCry.E 20180914
Ikarus Trojan-Ransom.FileCoder 20180914
Sophos ML heuristic 20180717
Jiangmin Trojan.WanaCry.a 20180914
K7AntiVirus Trojan ( 0001140e1 ) 20180914
K7GW Trojan ( 0001140e1 ) 20180914
Kaspersky Trojan-Ransom.Win32.Wanna.c 20180914
Malwarebytes Ransom.WannaCrypt 20180914
MAX malware (ai score=100) 20180914
McAfee Ransom-O 20180914
McAfee-GW-Edition BehavesLike.Win32.PWSZbot.dh 20180914
Microsoft Ransom:Win32/WannaCrypt 20180914
eScan Trojan.Ransom.WannaCryptor.L 20180914
NANO-Antivirus Trojan.Win32.Wanna.eottwl 20180914
Palo Alto Networks (Known Signatures) generic.ml 20180914
Panda Trj/RansomCrypt.K 20180914
Qihoo-360 Win32/Trojan.Multi.daf 20180914
SentinelOne (Static ML) static engine - malicious 20180830
Sophos AV Troj/Wanna-D 20180914
SUPERAntiSpyware Ransom.WannaCrypt/Variant 20180907
Symantec Ransom.Wannacry 20180914
TACHYON Ransom/W32.Wanna.245760 20180914
Tencent Trojan.Win32.WannaCry.d 20180914
TheHacker Trojan/Filecoder.WannaCryptor.d 20180914
TrendMicro RANSOM_WCRY.I 20180914
TrendMicro-HouseCall RANSOM_WCRY.I 20180914
VBA32 Trojan-Ransom.Wanna 20180914
VIPRE Trojan.Win32.Generic!BT 20180914
ViRobot Trojan.Win32.S.WannaCry.245760 20180914
Webroot W32.Ransom.Wannacry 20180914
Yandex Trojan.Filecoder!vJ8G5Dz20yg 20180914
Zillya Trojan.WannaCryptGen.Win32.1 20180914
ZoneAlarm by Check Point Trojan-Ransom.Win32.Wanna.c 20180914
Zoner Trojan.Wannacry 20180914
Alibaba 20180713
Avast-Mobile 20180914
Babable 20180907
Baidu 20180914
Comodo 20180914
eGambit 20180914
Kingsoft 20180914
Rising 20180914
Symantec Mobile Insight 20180911
Trustlook 20180914
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
© Microsoft Corporation. All rights reserved.

Product Microsoft® Windows® Operating System
Original name LODCTR.EXE
Internal name LODCTR.EXE
File version 6.1.7600.16385 (win7_rtm.090713-1255)
Description Load PerfMon Counters
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2009-07-13 23:19:35
Entry Point 0x00013102
Number of sections 4
PE sections
PE imports
CryptReleaseContext
RegCloseKey
RegSetValueExA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
RegCreateKeyW
GetUserNameA
CheckTokenMembership
Ord(8)
_TrackMouseEvent
GetDeviceCaps
GetObjectA
CreateCompatibleDC
CreateRectRgn
GetWindowOrgEx
PatBlt
GetTextExtentPoint32A
RectVisible
TextOutA
CreateFontIndirectA
ExtTextOutA
PtVisible
Escape
BitBlt
GetViewportOrgEx
DeleteObject
CreateCompatibleBitmap
CreateFontA
CreateSolidBrush
CopyFileW
SystemTimeToFileTime
GetUserDefaultLangID
ReadFile
TerminateThread
GetFileAttributesA
GlobalFree
WaitForSingleObject
GetExitCodeProcess
FindNextFileA
EnterCriticalSection
CopyFileA
GetTickCount
SetFileTime
GlobalUnlock
LoadLibraryA
GetFileAttributesW
SystemTimeToTzSpecificLocalTime
DeleteCriticalSection
GetStartupInfoA
GetDriveTypeW
GetLocaleInfoA
GetFileSize
GetDiskFreeSpaceExW
CreateDirectoryA
DeleteFileA
GetCurrentDirectoryA
MultiByteToWideChar
SetFilePointerEx
GetModuleFileNameA
GetProcAddress
GetFileTime
SetFilePointer
GetLogicalDrives
CreateThread
GetModuleHandleA
FindNextFileW
WriteFile
FindFirstFileA
CloseHandle
GetTempFileNameA
GetComputerNameA
FindFirstFileW
WideCharToMultiByte
GlobalLock
TerminateProcess
CreateProcessA
GetTimeZoneInformation
GetExitCodeThread
InitializeCriticalSection
GlobalAlloc
LocalFileTimeToFileTime
FindClose
Sleep
SetEndOfFile
CreateFileA
ExitProcess
SetCurrentDirectoryA
LeaveCriticalSection
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z
?_Xran@std@@YAXXZ
?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z
?_Xlen@std@@YAXXZ
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB
_purecall
__p__fmode
malloc
srand
??0exception@@QAE@ABV0@@Z
_acmdln
??1type_info@@UAE@XZ
fread
_wcsnicmp
__dllonexit
swprintf
fgets
sscanf
fopen
strncpy
_except_handler3
strtok
fwrite
strncmp
??0exception@@QAE@ABQBD@Z
_mbscmp
_onexit
wcslen
wcscmp
??1exception@@UAE@XZ
exit
_XcptFilter
realloc
wcsrchr
__setusermatherr
rand
__p__commode
sprintf
__CxxFrameHandler
_wcsicmp
fclose
_adjust_fdiv
free
wcscat
_CxxThrowException
_mbsstr
__getmainargs
calloc
__p___argv
_exit
__p___argc
_setmbcp
memmove
_local_unwind2
wcscpy
strrchr
_ftol
wcsstr
time
_strnicmp
_initterm
_controlfp
__set_app_type
VariantTimeToSystemTime
SHGetFolderPathW
ShellExecuteExA
ShellExecuteA
SetFocus
RedrawWindow
GetParent
SystemParametersInfoA
OffsetRect
FindWindowW
KillTimer
ShowWindow
SetWindowPos
GetSystemMetrics
EnableWindow
DrawIcon
GrayStringA
GetSysColor
SetActiveWindow
DrawTextA
SetClipboardData
SendMessageA
CloseClipboard
SetWindowTextW
SystemParametersInfoW
BringWindowToTop
IsIconic
InvalidateRect
TabbedTextOutA
wsprintfA
SetTimer
LoadCursorA
LoadIconA
FillRect
GetClientRect
EmptyClipboard
SetForegroundWindow
OpenClipboard
SetCursor
DeleteUrlCacheEntry
__WSAFDIsSet
socket
setsockopt
bind
inet_addr
send
ioctlsocket
WSAStartup
gethostbyname
WSAGetLastError
connect
shutdown
closesocket
inet_ntoa
htons
recv
select
URLDownloadToFileA
Number of PE resources by type
RT_DIALOG 5
RT_ICON 3
RT_BITMAP 3
RT_GROUP_ICON 2
Struct(240) 1
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 16
PE resources
ExifTool file metadata
UninitializedDataSize
0

LinkerVersion
6.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
6.1.7600.16385

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

FileDescription
Load PerfMon Counters

ImageFileCharacteristics
No relocs, Executable, No line numbers, No symbols, 32-bit

CharacterSet
Unicode

InitializedDataSize
159744

EntryPoint
0x13102

OriginalFileName
LODCTR.EXE

MIMEType
application/octet-stream

LegalCopyright
Microsoft Corporation. All rights reserved.

FileVersion
6.1.7600.16385 (win7_rtm.090713-1255)

TimeStamp
2009:07:14 00:19:35+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
LODCTR.EXE

ProductVersion
6.1.7600.16385

SubsystemVersion
4.0

OSVersion
4.0

FileOS
Windows NT 32-bit

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Microsoft Corporation

CodeSize
81920

ProductName
Microsoft Windows Operating System

ProductVersionNumber
6.1.7600.16385

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
PE resource-wise parents
Compressed bundles
File identification
MD5 7bf2b57f2a205768755c07f238fb32cc
SHA1 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256 b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
ssdeep
3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo

authentihash ba936082512d7f462df284097992e756bede1cae6146044f72519f8b4b4cff57
imphash dcac8383cc76738eecb5756694c4aeb2
File size 240.0 KB ( 245760 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (41.0%)
Win64 Executable (generic) (36.3%)
Win32 Dynamic Link Library (generic) (8.6%)
Win32 Executable (generic) (5.9%)
OS/2 Executable (generic) (2.6%)
Tags
peexe via-tor

VirusTotal metadata
First submission 2017-05-12 07:32:47 UTC ( 1 year, 4 months ago )
Last submission 2018-09-10 11:06:37 UTC ( 1 week, 2 days ago )
File names @WanaDecryptor@.exe
LODCTR.EXE
VirusShare_7bf2b57f2a205768755c07f238fb32cc
output.111378198.txt
wnry1.exe
WanaDecryptor.ex_
suspicious
@WanaDecryptor@.exe
ToolAntiWannaCRY.exe
localfile~
131
@WanaDecryptor@.exe
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
@WanaDecrypto r@.exe
u.wnry
@wanadecryptor@.exe
Ransom.HydraCrypt.exe
@WanaDecryptor@.exe
b9c5.bin
@WanaDecryptor@.exe
u.wnry
91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9.infected
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25.bin.exe
@WanaDecryptor@.exe
_WanaDecryptor_ .exe.kkkk
Advanced heuristic and reputation engines
Behaviour characterization
Zemana
dll-injection

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Code injections in the following processes
Opened mutexes
Runtime DLLs
UDP communications