5.0.mssecsvr.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
5.0.mssecsvr.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.2.mssecsvr.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
5.2.mssecsvr.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.1fe5128.4.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
8.2.mssecsvr.exe.1fe5128.4.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.1fb3084.2.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
8.2.mssecsvr.exe.24d78c8.6.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
8.2.mssecsvr.exe.250996c.9.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
8.2.mssecsvr.exe.250996c.9.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.0.mssecsvr.exe.7100a4.7.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
7.0.mssecsvr.exe.7100a4.7.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
8.2.mssecsvr.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.0.mssecsvr.exe.7100a4.5.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
5.0.mssecsvr.exe.7100a4.5.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.0.mssecsvr.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
8.0.mssecsvr.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.0.mssecsvr.exe.7100a4.5.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
5.0.mssecsvr.exe.7100a4.5.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
5.0.mssecsvr.exe.7100a4.5.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.0.mssecsvr.exe.7100a4.5.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
7.0.mssecsvr.exe.7100a4.5.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
7.0.mssecsvr.exe.7100a4.5.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.0.mssecsvr.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
7.0.mssecsvr.exe.7100a4.1.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
7.0.mssecsvr.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.0.mssecsvr.exe.7100a4.3.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
7.0.mssecsvr.exe.7100a4.3.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
8.2.mssecsvr.exe.7100a4.1.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.2.mssecsvr.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.0.mssecsvr.exe.7100a4.7.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
5.0.mssecsvr.exe.7100a4.7.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
5.0.mssecsvr.exe.7100a4.7.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.0.mssecsvr.exe.400000.4.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
7.0.mssecsvr.exe.400000.4.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
|
7.0.mssecsvr.exe.400000.4.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
7.0.mssecsvr.exe.400000.4.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.0.mssecsvr.exe.7100a4.3.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
5.0.mssecsvr.exe.7100a4.3.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
5.0.mssecsvr.exe.7100a4.3.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.0.mssecsvr.exe.400000.6.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
7.0.mssecsvr.exe.400000.6.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
|
7.0.mssecsvr.exe.400000.6.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
7.0.mssecsvr.exe.400000.6.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.2.mssecsvr.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
7.2.mssecsvr.exe.7100a4.1.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
7.2.mssecsvr.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.250996c.9.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
8.2.mssecsvr.exe.250996c.9.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.2.mssecsvr.exe.250996c.9.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.0.mssecsvr.exe.7100a4.7.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
5.0.mssecsvr.exe.7100a4.7.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.0.mssecsvr.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
5.0.mssecsvr.exe.7100a4.1.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
5.0.mssecsvr.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.0.mssecsvr.exe.7100a4.5.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
7.0.mssecsvr.exe.7100a4.5.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
8.2.mssecsvr.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
|
8.2.mssecsvr.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.2.mssecsvr.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.24e6948.8.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x32520:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x222ec:$x3: tasksche.exe
- 0x324fc:$x3: tasksche.exe
- 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x32550:$x5: WNcry@2ol7
- 0x222c4:$x8: C:\%s\qeriuwjhrf
- 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x82b8:$s1: C:\%s\%s
- 0x222d8:$s1: C:\%s\%s
- 0x32450:$s3: cmd.exe /c "%s"
- 0x649a4:$s4: msg/m_portuguese.wnry
- 0x1f60c:$s5: \\192.168.56.20\IPC$
- 0xca01:$s6: \\172.16.99.5\IPC$
|
8.2.mssecsvr.exe.24e6948.8.raw.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0xca4c:$s1: __TREEID__PLACEHOLDER__
|
8.2.mssecsvr.exe.24e6948.8.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.2.mssecsvr.exe.24e6948.8.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.0.mssecsvr.exe.7100a4.3.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
5.0.mssecsvr.exe.7100a4.3.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.0.mssecsvr.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
7.0.mssecsvr.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.0.mssecsvr.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
8.0.mssecsvr.exe.7100a4.1.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.0.mssecsvr.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.2.mssecsvr.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xe8d8:$x3: tasksche.exe
- 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xe92c:$x5: WNcry@2ol7
- 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xe82c:$s3: cmd.exe /c "%s"
|
7.2.mssecsvr.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.2.mssecsvr.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
5.2.mssecsvr.exe.7100a4.1.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
5.2.mssecsvr.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.1fe5128.4.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
8.2.mssecsvr.exe.1fe5128.4.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.2.mssecsvr.exe.1fe5128.4.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.0.mssecsvr.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
7.0.mssecsvr.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
7.0.mssecsvr.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
7.0.mssecsvr.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.0.mssecsvr.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
8.0.mssecsvr.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
8.0.mssecsvr.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.0.mssecsvr.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.0.mssecsvr.exe.400000.2.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
5.0.mssecsvr.exe.400000.2.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
5.0.mssecsvr.exe.400000.2.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
5.0.mssecsvr.exe.400000.2.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.0.mssecsvr.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
5.0.mssecsvr.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
5.0.mssecsvr.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
5.0.mssecsvr.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.24d78c8.6.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x3136c:$x3: tasksche.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
8.2.mssecsvr.exe.24d78c8.6.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
8.2.mssecsvr.exe.24d78c8.6.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.2.mssecsvr.exe.1fc2104.5.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x32520:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x222ec:$x3: tasksche.exe
- 0x324fc:$x3: tasksche.exe
- 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x32550:$x5: WNcry@2ol7
- 0x222c4:$x8: C:\%s\qeriuwjhrf
- 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x82b8:$s1: C:\%s\%s
- 0x222d8:$s1: C:\%s\%s
- 0x32450:$s3: cmd.exe /c "%s"
- 0x649a4:$s4: msg/m_portuguese.wnry
- 0x1f60c:$s5: \\192.168.56.20\IPC$
- 0xca01:$s6: \\172.16.99.5\IPC$
|
8.2.mssecsvr.exe.1fc2104.5.raw.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0xca4c:$s1: __TREEID__PLACEHOLDER__
- 0xcae8:$s1: __TREEID__PLACEHOLDER__
- 0xd354:$s1: __TREEID__PLACEHOLDER__
- 0xe3b9:$s1: __TREEID__PLACEHOLDER__
- 0xf420:$s1: __TREEID__PLACEHOLDER__
- 0x10488:$s1: __TREEID__PLACEHOLDER__
- 0x114f0:$s1: __TREEID__PLACEHOLDER__
- 0x12558:$s1: __TREEID__PLACEHOLDER__
- 0x135c0:$s1: __TREEID__PLACEHOLDER__
- 0x14628:$s1: __TREEID__PLACEHOLDER__
- 0x15690:$s1: __TREEID__PLACEHOLDER__
- 0x166f8:$s1: __TREEID__PLACEHOLDER__
- 0x17760:$s1: __TREEID__PLACEHOLDER__
- 0x187c8:$s1: __TREEID__PLACEHOLDER__
- 0x19830:$s1: __TREEID__PLACEHOLDER__
- 0x1a898:$s1: __TREEID__PLACEHOLDER__
- 0x1b900:$s1: __TREEID__PLACEHOLDER__
- 0x1bb14:$s1: __TREEID__PLACEHOLDER__
- 0x1bb74:$s1: __TREEID__PLACEHOLDER__
- 0x1f244:$s1: __TREEID__PLACEHOLDER__
- 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
|
8.2.mssecsvr.exe.1fc2104.5.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.2.mssecsvr.exe.1fc2104.5.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.1fc2104.5.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x1daec:$x3: tasksche.exe
- 0x2dcfc:$x3: tasksche.exe
- 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x2dd50:$x5: WNcry@2ol7
- 0x1dac4:$x8: C:\%s\qeriuwjhrf
- 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x76b8:$s1: C:\%s\%s
- 0x1dad8:$s1: C:\%s\%s
- 0x50c9d4:$s1: C:\%s\%s
- 0x2dc50:$s3: cmd.exe /c "%s"
- 0x601a4:$s4: msg/m_portuguese.wnry
- 0x1ae0c:$s5: \\192.168.56.20\IPC$
- 0xb601:$s6: \\172.16.99.5\IPC$
|
8.2.mssecsvr.exe.1fc2104.5.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.2.mssecsvr.exe.1fc2104.5.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.24e28e8.7.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x36580:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x2634c:$x3: tasksche.exe
- 0x3655c:$x3: tasksche.exe
- 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x365b0:$x5: WNcry@2ol7
- 0x26324:$x8: C:\%s\qeriuwjhrf
- 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xc318:$s1: C:\%s\%s
- 0x26338:$s1: C:\%s\%s
- 0x364b0:$s3: cmd.exe /c "%s"
- 0x68a04:$s4: msg/m_portuguese.wnry
- 0x2366c:$s5: \\192.168.56.20\IPC$
- 0x10a61:$s6: \\172.16.99.5\IPC$
|
8.2.mssecsvr.exe.24e28e8.7.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.2.mssecsvr.exe.24e28e8.7.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.0.mssecsvr.exe.400000.4.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
5.0.mssecsvr.exe.400000.4.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
5.0.mssecsvr.exe.400000.4.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
5.0.mssecsvr.exe.400000.4.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.0.mssecsvr.exe.7100a4.3.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
7.0.mssecsvr.exe.7100a4.3.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
7.0.mssecsvr.exe.7100a4.3.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.0.mssecsvr.exe.7100a4.7.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
|
7.0.mssecsvr.exe.7100a4.7.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
7.0.mssecsvr.exe.7100a4.7.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.0.mssecsvr.exe.400000.6.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
5.0.mssecsvr.exe.400000.6.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
5.0.mssecsvr.exe.400000.6.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
5.0.mssecsvr.exe.400000.6.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.1fb3084.2.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x3136c:$x3: tasksche.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
8.2.mssecsvr.exe.1fb3084.2.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
8.2.mssecsvr.exe.1fb3084.2.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
7.0.mssecsvr.exe.400000.2.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
7.0.mssecsvr.exe.400000.2.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
7.0.mssecsvr.exe.400000.2.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
7.0.mssecsvr.exe.400000.2.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
5.2.mssecsvr.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
5.2.mssecsvr.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
5.2.mssecsvr.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
5.2.mssecsvr.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
7.2.mssecsvr.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
7.2.mssecsvr.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
7.2.mssecsvr.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
7.2.mssecsvr.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.24e6948.8.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x1daec:$x3: tasksche.exe
- 0x2dcfc:$x3: tasksche.exe
- 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x2dd50:$x5: WNcry@2ol7
- 0x1dac4:$x8: C:\%s\qeriuwjhrf
- 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x76b8:$s1: C:\%s\%s
- 0x1dad8:$s1: C:\%s\%s
- 0x2dc50:$s3: cmd.exe /c "%s"
- 0x601a4:$s4: msg/m_portuguese.wnry
- 0x1ae0c:$s5: \\192.168.56.20\IPC$
- 0xb601:$s6: \\172.16.99.5\IPC$
|
8.2.mssecsvr.exe.24e6948.8.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.2.mssecsvr.exe.24e6948.8.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
8.2.mssecsvr.exe.1fbe0a4.3.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x36580:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x2634c:$x3: tasksche.exe
- 0x3655c:$x3: tasksche.exe
- 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x365b0:$x5: WNcry@2ol7
- 0x26324:$x8: C:\%s\qeriuwjhrf
- 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xc318:$s1: C:\%s\%s
- 0x26338:$s1: C:\%s\%s
- 0x364b0:$s3: cmd.exe /c "%s"
- 0x68a04:$s4: msg/m_portuguese.wnry
- 0x2366c:$s5: \\192.168.56.20\IPC$
- 0x10a61:$s6: \\172.16.99.5\IPC$
|
8.2.mssecsvr.exe.1fbe0a4.3.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
8.2.mssecsvr.exe.1fbe0a4.3.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|