Windows Analysis Report
THN6clTA6P.exe

Overview

General Information

Sample Name: THN6clTA6P.exe
Analysis ID: 694554
MD5: 3983f0ebeec88b8005724a203ae27180
SHA1: 9f34d48eae30b6da0a5c5297a873f989a49e10e8
SHA256: ed492db95034ca288dd52df88e3ce3ec7b146ffd854a394ac187f0553ef966d9
Infos:

Detection

Wannacry
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Tries to download HTTP data from a sinkholed server
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected Wannacry ransomware
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Machine Learning detection for sample
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
Contains functionality to query network adapater information

Classification

AV Detection

barindex
Source: THN6clTA6P.exe Avira: detected
Source: THN6clTA6P.exe Virustotal: Detection: 88% Perma Link
Source: THN6clTA6P.exe Metadefender: Detection: 89% Perma Link
Source: THN6clTA6P.exe ReversingLabs: Detection: 100%
Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ Avira URL Cloud: Label: malware
Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com Avira URL Cloud: Label: malware
Source: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com Virustotal: Detection: 5% Perma Link
Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ Virustotal: Detection: 5% Perma Link
Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com Virustotal: Detection: 5% Perma Link
Source: THN6clTA6P.exe Joe Sandbox ML: detected
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack Avira: Label: TR/Ransom.JB
Source: 1.2.THN6clTA6P.exe.400000.0.unpack Avira: Label: TR/Ransom.JB
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack Avira: Label: TR/Ransom.JB
Source: 1.0.THN6clTA6P.exe.400000.0.unpack Avira: Label: TR/Ransom.JB
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00407660 rand,EnterCriticalSection,CryptGenRandom,LeaveCriticalSection, 1_2_00407660
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00407620 CryptAcquireContextA,CryptAcquireContextA,InitializeCriticalSection, 1_2_00407620
Source: THN6clTA6P.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

barindex
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 31 Aug 2022 21:46:49 GMTContent-Type: text/html;charset=UTF-8Content-Length: 113Connection: keep-alivex-sinkhole: sinkhole@blacklistthisdomain.comReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BwAJjUBV7QoBfDcQC5xHuwWf6HaSer5urPutgRH%2BIhWdxjAnZxQhv3Lj7wdnu2PPlKacdGr9jV%2FTSwi3vI%2BYOhYgTU0rv1q0jFccnc7tRao14EgvdRHCOJyooOZRF5g5vft43xf7R9Y9%2BZ3RRpCsAmuUjh5Fhtj03GcJjYsFDcilY2Vk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7438f608df147765-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 42 6c 61 63 6b 4c 69 73 74 54 68 69 73 44 6f 6d 61 69 6e 20 2d 20 53 69 6e 6b 68 6f 6c 65 3c 2f 68 31 3e 0a 20 20 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e Data Ascii: <!DOCTYPE html><body> <h1>BlackListThisDomain - Sinkhole</h1> <p>This domain has been sinkholed.</p></body>
Source: Traffic Snort IDS: 2024293 ET TROJAN Possible WannaCry DNS Lookup 2 192.168.2.3:60625 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 104.21.68.165:80 -> 192.168.2.3:49746
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: THN6clTA6P.exe String found in binary or memory: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: unknown DNS traffic detected: queries for: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00406F50 GlobalAlloc,send,recv,htons,send,recv,GlobalFree, 1_2_00406F50
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Spam, unwanted Advertisements and Ransom Demands

barindex
Source: Yara match File source: THN6clTA6P.exe, type: SAMPLE
Source: Yara match File source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.262463921.000000000040F000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: THN6clTA6P.exe PID: 2996, type: MEMORYSTR

System Summary

barindex
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 00000001.00000000.262558061.0000000000710000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: THN6clTA6P.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: THN6clTA6P.exe, type: SAMPLE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.THN6clTA6P.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.0.THN6clTA6P.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 1.2.THN6clTA6P.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000001.00000000.262558061.0000000000710000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: THN6clTA6P.exe Binary or memory string: OriginalFilenamediskpart.exej% vs THN6clTA6P.exe
Source: THN6clTA6P.exe Binary or memory string: OriginalFilenamelhdfrgui.exej% vs THN6clTA6P.exe
Source: THN6clTA6P.exe Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: THN6clTA6P.exe Virustotal: Detection: 88%
Source: THN6clTA6P.exe Metadefender: Detection: 89%
Source: THN6clTA6P.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA, 1_2_00408090
Source: THN6clTA6P.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\THN6clTA6P.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 1_2_00407C40
Source: C:\Users\user\Desktop\THN6clTA6P.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA, 1_2_00407CE0
Source: THN6clTA6P.exe Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
Source: classification engine Classification label: mal100.rans.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 1_2_00407C40
Source: C:\Users\user\Desktop\THN6clTA6P.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\THN6clTA6P.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: THN6clTA6P.exe Static file information: File size 3723293 > 1048576
Source: THN6clTA6P.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x35b000
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00409860 push eax; ret 1_2_0040988E
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: 1_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 1_2_00407C40
Source: C:\Users\user\Desktop\THN6clTA6P.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\THN6clTA6P.exe API coverage: 9.3 %
Source: C:\Users\user\Desktop\THN6clTA6P.exe Code function: GetAdaptersInfo,LocalAlloc,GetAdaptersInfo,LocalFree,inet_addr,inet_addr,inet_addr,htonl,htonl,htonl,htonl,GetPerAdapterInfo,LocalAlloc,GetPerAdapterInfo,inet_addr,htonl,htonl,htonl,htonl,LocalFree,LocalFree, 1_2_00409160
Source: C:\Users\user\Desktop\THN6clTA6P.exe API call chain: ExitProcess graph end node
Source: THN6clTA6P.exe, 00000001.00000002.266409095.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, THN6clTA6P.exe, 00000001.00000002.266400087.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW