| 17.2.mssecsvc.exe.24f28c8.8.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
| 17.2.mssecsvc.exe.1fc7084.4.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
| 12.2.mssecsvc.exe.7100a4.1.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 12.2.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 12.2.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 12.2.mssecsvc.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 12.0.mssecsvc.exe.7100a4.1.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 12.0.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 12.0.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 12.0.mssecsvc.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 17.0.mssecsvc.exe.7100a4.1.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.0.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.0.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.0.mssecsvc.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 17.2.mssecsvc.exe.7100a4.1.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 6.0.mssecsvc.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 6.0.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 6.0.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 6.0.mssecsvc.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.1ff9128.3.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.1ff9128.3.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.1ff9128.3.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.1ff9128.3.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 17.0.mssecsvc.exe.7100a4.1.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.0.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.0.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.0.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 17.2.mssecsvc.exe.252496c.9.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.252496c.9.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.252496c.9.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.252496c.9.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 6.0.mssecsvc.exe.7100a4.1.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 6.0.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 6.0.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 6.0.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 17.0.mssecsvc.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.0.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.0.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 17.0.mssecsvc.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.2501948.7.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.2501948.7.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x32520:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x222ec:$x3: tasksche.exe
- 0x324fc:$x3: tasksche.exe
- 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x32550:$x5: WNcry@2ol7
- 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x82d0:$x7: mssecsvc.exe
- 0x222c4:$x8: C:\%s\qeriuwjhrf
- 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x82b8:$s1: C:\%s\%s
- 0x222d8:$s1: C:\%s\%s
- 0x32450:$s3: cmd.exe /c "%s"
- 0x649a4:$s4: msg/m_portuguese.wnry
- 0x1f60c:$s5: \\192.168.56.20\IPC$
- 0xca01:$s6: \\172.16.99.5\IPC$
- 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.2501948.7.raw.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0xca4c:$s1: __TREEID__PLACEHOLDER__
- 0xcae8:$s1: __TREEID__PLACEHOLDER__
- 0xd354:$s1: __TREEID__PLACEHOLDER__
- 0xe3b9:$s1: __TREEID__PLACEHOLDER__
- 0xf420:$s1: __TREEID__PLACEHOLDER__
- 0x10488:$s1: __TREEID__PLACEHOLDER__
- 0x114f0:$s1: __TREEID__PLACEHOLDER__
- 0x12558:$s1: __TREEID__PLACEHOLDER__
- 0x135c0:$s1: __TREEID__PLACEHOLDER__
- 0x14628:$s1: __TREEID__PLACEHOLDER__
- 0x15690:$s1: __TREEID__PLACEHOLDER__
- 0x166f8:$s1: __TREEID__PLACEHOLDER__
- 0x17760:$s1: __TREEID__PLACEHOLDER__
- 0x187c8:$s1: __TREEID__PLACEHOLDER__
- 0x19830:$s1: __TREEID__PLACEHOLDER__
- 0x1a898:$s1: __TREEID__PLACEHOLDER__
- 0x1b900:$s1: __TREEID__PLACEHOLDER__
- 0x1bb14:$s1: __TREEID__PLACEHOLDER__
- 0x1bb74:$s1: __TREEID__PLACEHOLDER__
- 0x1f244:$s1: __TREEID__PLACEHOLDER__
- 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
|
| 17.2.mssecsvc.exe.2501948.7.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 12.0.mssecsvc.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 12.0.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 12.0.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 12.0.mssecsvc.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 12.2.mssecsvc.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 12.2.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 12.2.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 12.2.mssecsvc.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.400000.0.unpack | JoeSecurity_Virut | Yara detected Virut | Joe Security | |
| 17.2.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 17.2.mssecsvc.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.1fd6104.5.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.1fd6104.5.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x32520:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x222ec:$x3: tasksche.exe
- 0x324fc:$x3: tasksche.exe
- 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x32550:$x5: WNcry@2ol7
- 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x82d0:$x7: mssecsvc.exe
- 0x222c4:$x8: C:\%s\qeriuwjhrf
- 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x82b8:$s1: C:\%s\%s
- 0x222d8:$s1: C:\%s\%s
- 0x32450:$s3: cmd.exe /c "%s"
- 0x649a4:$s4: msg/m_portuguese.wnry
- 0x1f60c:$s5: \\192.168.56.20\IPC$
- 0xca01:$s6: \\172.16.99.5\IPC$
- 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.1fd6104.5.raw.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0xca4c:$s1: __TREEID__PLACEHOLDER__
- 0xcae8:$s1: __TREEID__PLACEHOLDER__
- 0xd354:$s1: __TREEID__PLACEHOLDER__
- 0xe3b9:$s1: __TREEID__PLACEHOLDER__
- 0xf420:$s1: __TREEID__PLACEHOLDER__
- 0x10488:$s1: __TREEID__PLACEHOLDER__
- 0x114f0:$s1: __TREEID__PLACEHOLDER__
- 0x12558:$s1: __TREEID__PLACEHOLDER__
- 0x135c0:$s1: __TREEID__PLACEHOLDER__
- 0x14628:$s1: __TREEID__PLACEHOLDER__
- 0x15690:$s1: __TREEID__PLACEHOLDER__
- 0x166f8:$s1: __TREEID__PLACEHOLDER__
- 0x17760:$s1: __TREEID__PLACEHOLDER__
- 0x187c8:$s1: __TREEID__PLACEHOLDER__
- 0x19830:$s1: __TREEID__PLACEHOLDER__
- 0x1a898:$s1: __TREEID__PLACEHOLDER__
- 0x1b900:$s1: __TREEID__PLACEHOLDER__
- 0x1bb14:$s1: __TREEID__PLACEHOLDER__
- 0x1bb74:$s1: __TREEID__PLACEHOLDER__
- 0x1f244:$s1: __TREEID__PLACEHOLDER__
- 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
|
| 17.2.mssecsvc.exe.1fd6104.5.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.2501948.7.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.2501948.7.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x1daec:$x3: tasksche.exe
- 0x2dcfc:$x3: tasksche.exe
- 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x2dd50:$x5: WNcry@2ol7
- 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x76d0:$x7: mssecsvc.exe
- 0x1dac4:$x8: C:\%s\qeriuwjhrf
- 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x76b8:$s1: C:\%s\%s
- 0x1dad8:$s1: C:\%s\%s
- 0x2dc50:$s3: cmd.exe /c "%s"
- 0x601a4:$s4: msg/m_portuguese.wnry
- 0x1ae0c:$s5: \\192.168.56.20\IPC$
- 0xb601:$s6: \\172.16.99.5\IPC$
- 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.2501948.7.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.1fd20a4.2.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.1fd20a4.2.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x36580:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x2634c:$x3: tasksche.exe
- 0x3655c:$x3: tasksche.exe
- 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x365b0:$x5: WNcry@2ol7
- 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0xc330:$x7: mssecsvc.exe
- 0x26324:$x8: C:\%s\qeriuwjhrf
- 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xc318:$s1: C:\%s\%s
- 0x26338:$s1: C:\%s\%s
- 0x364b0:$s3: cmd.exe /c "%s"
- 0x68a04:$s4: msg/m_portuguese.wnry
- 0x2366c:$s5: \\192.168.56.20\IPC$
- 0x10a61:$s6: \\172.16.99.5\IPC$
- 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.1fd20a4.2.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 6.2.mssecsvc.exe.400000.0.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 6.2.mssecsvc.exe.400000.0.unpack | JoeSecurity_Virut | Yara detected Virut | Joe Security | |
| 6.2.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x4157c:$x3: tasksche.exe
- 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x415d0:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x414d0:$s3: cmd.exe /c "%s"
- 0x73a24:$s4: msg/m_portuguese.wnry
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
- 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 6.2.mssecsvc.exe.400000.0.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 6.2.mssecsvc.exe.400000.0.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.1ff9128.3.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.1ff9128.3.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.1ff9128.3.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.1ff9128.3.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 17.2.mssecsvc.exe.1fc7084.4.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.1fc7084.4.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x28ede4:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x3136c:$x3: tasksche.exe
- 0x27ebb0:$x3: tasksche.exe
- 0x28edc0:$x3: tasksche.exe
- 0x28ed9c:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x28ee14:$x5: WNcry@2ol7
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x27ec1b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x24926c:$x7: mssecsvc.exe
- 0x264b94:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x27eb88:$x8: C:\%s\qeriuwjhrf
- 0x28ede4:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x249254:$s1: C:\%s\%s
- 0x264b7c:$s1: C:\%s\%s
- 0x27eb9c:$s1: C:\%s\%s
- 0x28ed14:$s3: cmd.exe /c "%s"
- 0x2c1268:$s4: msg/m_portuguese.wnry
|
| 17.2.mssecsvc.exe.1fc7084.4.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 17.2.mssecsvc.exe.1fc7084.4.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x28edc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x28ede8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.252496c.9.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.252496c.9.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.252496c.9.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.252496c.9.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 6.2.mssecsvc.exe.7100a4.1.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 6.2.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 6.2.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 6.2.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 6.2.mssecsvc.exe.7100a4.1.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 6.2.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 6.2.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 6.2.mssecsvc.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 6.0.mssecsvc.exe.7100a4.1.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 6.0.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 6.0.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 6.0.mssecsvc.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 12.2.mssecsvc.exe.7100a4.1.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 12.2.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 12.2.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 12.2.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 17.2.mssecsvc.exe.7100a4.1.raw.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.7100a4.1.raw.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 12.0.mssecsvc.exe.7100a4.1.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 12.0.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
- 0xf4d8:$x3: tasksche.exe
- 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
- 0xf52c:$x5: WNcry@2ol7
- 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xf42c:$s3: cmd.exe /c "%s"
- 0x41980:$s4: msg/m_portuguese.wnry
- 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 12.0.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 12.0.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs | - 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
- 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
|
| 17.2.mssecsvc.exe.24f28c8.8.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.24f28c8.8.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x3136c:$x3: tasksche.exe
- 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x17350:$x7: mssecsvc.exe
- 0x31344:$x8: C:\%s\qeriuwjhrf
- 0x17338:$s1: C:\%s\%s
- 0x31358:$s1: C:\%s\%s
- 0x2e68c:$s5: \\192.168.56.20\IPC$
- 0x1ba81:$s6: \\172.16.99.5\IPC$
- 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
- 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
- 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
|
| 17.2.mssecsvc.exe.24f28c8.8.unpack | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) | - 0x1bacc:$s1: __TREEID__PLACEHOLDER__
- 0x1bb68:$s1: __TREEID__PLACEHOLDER__
- 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
- 0x1d439:$s1: __TREEID__PLACEHOLDER__
- 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
- 0x1f508:$s1: __TREEID__PLACEHOLDER__
- 0x20570:$s1: __TREEID__PLACEHOLDER__
- 0x215d8:$s1: __TREEID__PLACEHOLDER__
- 0x22640:$s1: __TREEID__PLACEHOLDER__
- 0x236a8:$s1: __TREEID__PLACEHOLDER__
- 0x24710:$s1: __TREEID__PLACEHOLDER__
- 0x25778:$s1: __TREEID__PLACEHOLDER__
- 0x267e0:$s1: __TREEID__PLACEHOLDER__
- 0x27848:$s1: __TREEID__PLACEHOLDER__
- 0x288b0:$s1: __TREEID__PLACEHOLDER__
- 0x29918:$s1: __TREEID__PLACEHOLDER__
- 0x2a980:$s1: __TREEID__PLACEHOLDER__
- 0x2ab94:$s1: __TREEID__PLACEHOLDER__
- 0x2abf4:$s1: __TREEID__PLACEHOLDER__
- 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
- 0x2e340:$s1: __TREEID__PLACEHOLDER__
|
| 17.2.mssecsvc.exe.1fd6104.5.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.1fd6104.5.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x1daec:$x3: tasksche.exe
- 0x2dcfc:$x3: tasksche.exe
- 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x2dd50:$x5: WNcry@2ol7
- 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0x76d0:$x7: mssecsvc.exe
- 0x1dac4:$x8: C:\%s\qeriuwjhrf
- 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q
- 0x76b8:$s1: C:\%s\%s
- 0x1dad8:$s1: C:\%s\%s
- 0x2dc50:$s3: cmd.exe /c "%s"
- 0x601a4:$s4: msg/m_portuguese.wnry
- 0x1ae0c:$s5: \\192.168.56.20\IPC$
- 0xb601:$s6: \\172.16.99.5\IPC$
- 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.1fd6104.5.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| 17.2.mssecsvc.exe.24fd8e8.6.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| 17.2.mssecsvc.exe.24fd8e8.6.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) | - 0x36580:$x1: icacls . /grant Everyone:F /T /C /Q
- 0x2634c:$x3: tasksche.exe
- 0x3655c:$x3: tasksche.exe
- 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA
- 0x365b0:$x5: WNcry@2ol7
- 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- 0xc330:$x7: mssecsvc.exe
- 0x26324:$x8: C:\%s\qeriuwjhrf
- 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q
- 0xc318:$s1: C:\%s\%s
- 0x26338:$s1: C:\%s\%s
- 0x364b0:$s3: cmd.exe /c "%s"
- 0x68a04:$s4: msg/m_portuguese.wnry
- 0x2366c:$s5: \\192.168.56.20\IPC$
- 0x10a61:$s6: \\172.16.99.5\IPC$
- 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
- 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
- 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
|
| 17.2.mssecsvc.exe.24fd8e8.6.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team | - 0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
- 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
|
| Click to see the 114 entries |
Edit tour
loaddll32.exe (PID: 6288 cmdline: 
conhost.exe (PID: 6296 cmdline: 
rundll32.exe (PID: 5692 cmdline: 
winlogon.exe (PID: 556 cmdline: 
