SHA256: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
File name: @WanaDecryptor@.exe
Detection ratio: 32 / 62
Analysis date: 2017-05-12 21:03:00 UTC ( 2 months, 1 week ago )
Antivirus Result Update
Ad-Aware Generic.Ransom.HydraCrypt.C8B435F4 20170512
AegisLab Uds.Dangerousobject.Multi!c 20170512
ALYac Generic.Ransom.HydraCrypt.C8B435F4 20170512
Antiy-AVL Trojan/Win32.Deshacop 20170512
Arcabit Generic.Ransom.HydraCrypt.C8B435F4 20170512
Avast Win32:WanaCry-A [Trj] 20170512
AVG Generic_r.SSZ 20170512
BitDefender Generic.Ransom.HydraCrypt.C8B435F4 20170512
CrowdStrike Falcon (ML) malicious_confidence_60% (D) 20170130
Emsisoft Generic.Ransom.HydraCrypt.C8B435F4 (B) 20170512
ESET-NOD32 Win32/Filecoder.WannaCryptor.D 20170512
F-Secure Generic.Ransom.HydraCrypt.C8B435F4 20170512
Fortinet W32/GenKryptik.1C25!tr 20170512
GData Generic.Ransom.HydraCrypt.C8B435F4 20170512
Ikarus Win32.Outbreak 20170512
K7AntiVirus Trojan ( 0001140e1 ) 20170512
K7GW Trojan ( 0001140e1 ) 20170512
Kaspersky Trojan-Ransom.Win32.Wanna.c 20170512
Malwarebytes Ransom.WanaCrypt0r 20170512
McAfee Artemis!7BF2B57F2A20 20170512
McAfee-GW-Edition BehavesLike.Win32.Dropper.dh 20170512
Microsoft Ransom:Win32/WannaCrypt 20170512
eScan Generic.Ransom.HydraCrypt.C8B435F4 20170512
Palo Alto Networks (Known Signatures) generic.ml 20170512
Panda Trj/RansomCrypt.K 20170512
Qihoo-360 Win32/Trojan.Multi.daf 20170512
Symantec ML.Attribute.HighConfidence 20170511
Tencent Win32.Trojan.Ransomlocker.Mvmh 20170512
TrendMicro RANSOM_WCRY.I 20170512
TrendMicro-HouseCall RANSOM_WCRY.I 20170512
Webroot W32.Ransom.Wannacry 20170512
ZoneAlarm by Check Point Trojan-Ransom.Win32.Wanna.c 20170512
AhnLab-V3 20170512
Alibaba 20170512
Avira (no cloud) 20170512
AVware 20170512
Baidu 20170503
Bkav 20170512
CAT-QuickHeal 20170512
ClamAV 20170512
CMC 20170512
Comodo 20170512
Cyren 20170512
DrWeb 20170512
Endgame 20170503
F-Prot 20170512
Sophos ML 20170413
Jiangmin 20170512
Kingsoft 20170512
NANO-Antivirus 20170512
nProtect 20170512
Rising None
SentinelOne (Static ML) 20170330
Sophos AV 20170512
SUPERAntiSpyware 20170512
Symantec Mobile Insight 20170512
TheHacker 20170508
TotalDefense 20170512
Trustlook 20170512
VBA32 20170512
VIPRE 20170512
ViRobot 20170512
WhiteArmor 20170512
Yandex 20170512
Zillya 20170511
Zoner 20170512
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name LODCTR.EXE
Internal name LODCTR.EXE
File version 6.1.7600.16385 (win7_rtm.090713-1255)
Description Load PerfMon Counters
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2009-07-13 23:19:35
Entry Point 0x00013102
Number of sections 4
PE sections
PE imports
CryptReleaseContext
RegCloseKey
RegSetValueExA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
RegCreateKeyW
GetUserNameA
CheckTokenMembership
Ord(8)
_TrackMouseEvent
GetDeviceCaps
GetObjectA
CreateCompatibleDC
CreateRectRgn
GetWindowOrgEx
PatBlt
GetTextExtentPoint32A
RectVisible
TextOutA
CreateFontIndirectA
ExtTextOutA
PtVisible
Escape
BitBlt
GetViewportOrgEx
DeleteObject
CreateCompatibleBitmap
CreateFontA
CreateSolidBrush
CopyFileW
SystemTimeToFileTime
GetUserDefaultLangID
ReadFile
TerminateThread
GetFileAttributesA
GlobalFree
WaitForSingleObject
GetExitCodeProcess
FindNextFileA
EnterCriticalSection
CopyFileA
GetTickCount
SetFileTime
GlobalUnlock
LoadLibraryA
GetFileAttributesW
SystemTimeToTzSpecificLocalTime
DeleteCriticalSection
GetStartupInfoA
GetDriveTypeW
GetLocaleInfoA
GetFileSize
GetDiskFreeSpaceExW
CreateDirectoryA
DeleteFileA
GetCurrentDirectoryA
MultiByteToWideChar
SetFilePointerEx
GetModuleFileNameA
GetProcAddress
GetFileTime
SetFilePointer
GetLogicalDrives
CreateThread
GetModuleHandleA
FindNextFileW
WriteFile
FindFirstFileA
CloseHandle
GetTempFileNameA
GetComputerNameA
FindFirstFileW
WideCharToMultiByte
GlobalLock
TerminateProcess
CreateProcessA
GetTimeZoneInformation
GetExitCodeThread
InitializeCriticalSection
GlobalAlloc
LocalFileTimeToFileTime
FindClose
Sleep
SetEndOfFile
CreateFileA
ExitProcess
SetCurrentDirectoryA
LeaveCriticalSection
?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z
?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z
?_Xran@std@@YAXXZ
?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ
?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z
?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB
?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z
?_Xlen@std@@YAXXZ
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB
_purecall
__p__fmode
malloc
srand
??0exception@@QAE@ABV0@@Z
_acmdln
??1type_info@@UAE@XZ
fread
_wcsnicmp
__dllonexit
swprintf
fgets
sscanf
fopen
strncpy
_except_handler3
strtok
fwrite
strncmp
??0exception@@QAE@ABQBD@Z
_mbscmp
_onexit
wcslen
wcscmp
??1exception@@UAE@XZ
exit
_XcptFilter
realloc
wcsrchr
__setusermatherr
rand
__p__commode
sprintf
__CxxFrameHandler
_wcsicmp
fclose
_adjust_fdiv
free
wcscat
_CxxThrowException
_mbsstr
__getmainargs
calloc
__p___argv
_exit
__p___argc
_setmbcp
memmove
_local_unwind2
wcscpy
strrchr
_ftol
wcsstr
time
_strnicmp
_initterm
_controlfp
__set_app_type
VariantTimeToSystemTime
SHGetFolderPathW
ShellExecuteExA
ShellExecuteA
SetFocus
RedrawWindow
GetParent
SystemParametersInfoA
OffsetRect
FindWindowW
KillTimer
ShowWindow
SetWindowPos
GetSystemMetrics
EnableWindow
DrawIcon
GrayStringA
GetSysColor
SetActiveWindow
DrawTextA
SetClipboardData
SendMessageA
CloseClipboard
SetWindowTextW
SystemParametersInfoW
BringWindowToTop
IsIconic
InvalidateRect
TabbedTextOutA
wsprintfA
SetTimer
LoadCursorA
LoadIconA
FillRect
GetClientRect
EmptyClipboard
SetForegroundWindow
OpenClipboard
SetCursor
DeleteUrlCacheEntry
__WSAFDIsSet
socket
setsockopt
bind
inet_addr
send
ioctlsocket
WSAStartup
gethostbyname
WSAGetLastError
connect
shutdown
closesocket
inet_ntoa
htons
recv
select
URLDownloadToFileA
Number of PE resources by type
RT_DIALOG 5
RT_ICON 3
RT_BITMAP 3
RT_GROUP_ICON 2
Struct(240) 1
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 16
PE resources
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 6.1.7600.16385
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 159744
EntryPoint 0x13102
OriginalFileName LODCTR.EXE
MIMEType application/octet-stream
LegalCopyright Microsoft Corporation. All rights reserved.
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
TimeStamp 2009:07:14 00:19:35+01:00
FileType Win32 EXE
PEType PE32
InternalName LODCTR.EXE
ProductVersion 6.1.7600.16385
FileDescription Load PerfMon Counters
OSVersion 4.0
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 81920
ProductName Microsoft Windows Operating System
ProductVersionNumber 6.1.7600.16385
FileTypeExtension exe
ObjectFileType Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
Compressed bundles
File identification
MD5 7bf2b57f2a205768755c07f238fb32cc
SHA1 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256 b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
ssdeep 3072:Rmrhd5U1eigWcR+uiUg6p4FLlG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLlG4AimmCo
authentihash ba936082512d7f462df284097992e756bede1cae6146044f72519f8b4b4cff57
imphash dcac8383cc76738eecb5756694c4aeb2
File size 240.0 KB ( 245760 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags peexe via-tor
VirusTotal metadata
First submission 2017-05-12 07:32:47 UTC ( 2 months, 1 week ago )
Last submission 2017-07-22 13:16:54 UTC ( 21 hours, 18 minutes ago )
File names @WanaDecryptor@.exe
LODCTR.EXE
mare.txt
output.111378198.txt
wnry1.exe
WanaDecryptor.ex_
suspicious
@WanaDecryptor@.exe
ToolAntiWannaCRY.exe
localfile~
170513-2.Ransom.WannaCryptor.exe
@WanaDecryptor@.exe
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
dxdiag.exe
@WanaDecrypto r@.exe
b9c5d4339809e0ad_u.wnry
Ransom.HydraCrypt.exe
@WanaDecryptor@.exe
b9c5.bin
@WanaDecryptor@.exe
u.wnry
91A39E919296CB5C6ECCBA710B780519D90035175AA460EC6DBE631324E5E5753BD8D87F395B5481BCD7E1AD623B31A34382D81FAAE06BEF60EC28B49C3122A9.infected
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25.bin.exe
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25.exe
_WanaDecryptor_ .exe.kkkk
Behaviour characterization
Zemana dll-injection
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Code injections in the following processes
Opened mutexes
Runtime DLLs
UDP communications