| 4.0.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.0.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.0.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 10.2.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 10.2.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 10.2.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 4.2.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.2.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.2.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 4.0.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.0.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.0.mssecsvc.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 10.2.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 10.2.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 10.2.mssecsvc.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 7.0.mssecsvc.exe.400000.6.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.0.mssecsvc.exe.400000.6.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 7.0.mssecsvc.exe.400000.6.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 7.0.mssecsvc.exe.400000.6.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 29.2.tasksche.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 29.2.tasksche.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 29.2.tasksche.exe.400000.0.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 7.0.mssecsvc.exe.7100a4.7.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.0.mssecsvc.exe.7100a4.7.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.7100a4.7.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 7.2.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.2.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 7.2.mssecsvc.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 7.2.mssecsvc.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 29.0.tasksche.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 29.0.tasksche.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 29.0.tasksche.exe.400000.0.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 7.0.mssecsvc.exe.7100a4.7.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.0.mssecsvc.exe.7100a4.7.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.7100a4.7.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 4.0.mssecsvc.exe.400000.6.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.0.mssecsvc.exe.400000.6.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 4.0.mssecsvc.exe.400000.6.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 4.0.mssecsvc.exe.400000.6.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.7100a4.5.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.0.mssecsvc.exe.7100a4.5.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.7100a4.5.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 4.0.mssecsvc.exe.7100a4.5.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.0.mssecsvc.exe.7100a4.5.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.0.mssecsvc.exe.7100a4.5.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 7.0.mssecsvc.exe.7100a4.5.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.0.mssecsvc.exe.7100a4.5.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.7100a4.5.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 4.2.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.2.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 4.2.mssecsvc.exe.400000.0.unpack | JoeSecurity_Virut | Yara detected Virut | Joe Security | |
| 4.2.mssecsvc.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 4.2.mssecsvc.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.7100a4.3.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.0.mssecsvc.exe.7100a4.3.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.7100a4.3.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 7.2.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.2.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.2.mssecsvc.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 4.0.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.0.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 4.0.mssecsvc.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 4.0.mssecsvc.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.2.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.2.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.2.mssecsvc.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 7.0.mssecsvc.exe.400000.2.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.0.mssecsvc.exe.400000.2.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 7.0.mssecsvc.exe.400000.2.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 7.0.mssecsvc.exe.400000.2.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.0.mssecsvc.exe.7100a4.5.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.0.mssecsvc.exe.7100a4.5.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.0.mssecsvc.exe.7100a4.5.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 7.0.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.0.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 10.0.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 10.0.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 10.0.mssecsvc.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 10.0.mssecsvc.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.0.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 4.0.mssecsvc.exe.400000.4.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.0.mssecsvc.exe.400000.4.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 10.0.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.0.mssecsvc.exe.400000.4.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 4.0.mssecsvc.exe.7100a4.7.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 10.0.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.0.mssecsvc.exe.7100a4.7.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.0.mssecsvc.exe.7100a4.7.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 10.0.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 4.0.mssecsvc.exe.400000.4.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.0.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 7.0.mssecsvc.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 7.0.mssecsvc.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 10.0.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 10.0.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 10.0.mssecsvc.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 4.0.mssecsvc.exe.400000.2.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.0.mssecsvc.exe.400000.2.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 4.0.mssecsvc.exe.400000.2.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 4.0.mssecsvc.exe.400000.2.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.400000.4.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.0.mssecsvc.exe.400000.4.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 7.0.mssecsvc.exe.400000.4.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 7.0.mssecsvc.exe.400000.4.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.0.mssecsvc.exe.7100a4.7.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.0.mssecsvc.exe.7100a4.7.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.0.mssecsvc.exe.7100a4.7.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 4.0.mssecsvc.exe.7100a4.3.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.0.mssecsvc.exe.7100a4.3.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.0.mssecsvc.exe.7100a4.3.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 4.0.mssecsvc.exe.7100a4.3.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 4.0.mssecsvc.exe.7100a4.3.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 4.0.mssecsvc.exe.7100a4.3.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 10.2.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 10.2.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 10.2.mssecsvc.exe.400000.0.unpack | JoeSecurity_Virut | Yara detected Virut | Joe Security | |
| 10.2.mssecsvc.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 10.2.mssecsvc.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.2.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.2.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.2.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 7.0.mssecsvc.exe.7100a4.3.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 7.0.mssecsvc.exe.7100a4.3.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 7.0.mssecsvc.exe.7100a4.3.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| Click to see the 123 entries |
Edit tour
loaddll32.exe (PID: 6280 cmdline: 
cmd.exe (PID: 6288 cmdline: 
rundll32.exe (PID: 6312 cmdline: 
