Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
THN6clTA6P.exe

Overview

General Information

Sample Name:THN6clTA6P.exe
Analysis ID:694554
MD5:3983f0ebeec88b8005724a203ae27180
SHA1:9f34d48eae30b6da0a5c5297a873f989a49e10e8
SHA256:ed492db95034ca288dd52df88e3ce3ec7b146ffd854a394ac187f0553ef966d9
Infos:

Detection

Wannacry
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Tries to download HTTP data from a sinkholed server
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected Wannacry ransomware
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Machine Learning detection for sample
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
Contains functionality to query network adapater information

Classification

  • System is w10x64
  • THN6clTA6P.exe (PID: 2996 cmdline: "C:\Users\user\Desktop\THN6clTA6P.exe" MD5: 3983F0EBEEC88B8005724A203AE27180)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
THN6clTA6P.exeWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
  • 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x374de5:$x2: taskdl.exe
  • 0x38b6d1:$x2: taskdl.exe
  • 0x3136c:$x3: tasksche.exe
  • 0x4157c:$x3: tasksche.exe
  • 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x415d0:$x5: WNcry@2ol7
  • 0xe048:$x7: mssecsvc.exe
  • 0x17350:$x7: mssecsvc.exe
  • 0x31344:$x8: C:\%s\qeriuwjhrf
  • 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe034:$s1: C:\%s\%s
  • 0x17338:$s1: C:\%s\%s
  • 0x31358:$s1: C:\%s\%s
  • 0x38be35:$s2: Windows 10 -->
  • 0x414d0:$s3: cmd.exe /c "%s"
  • 0x73a24:$s4: msg/m_portuguese.wnry
  • 0x38b2a3:$s4: msg/m_portuguese.wnry
  • 0x2e68c:$s5: \\192.168.56.20\IPC$
  • 0x1ba81:$s6: \\172.16.99.5\IPC$
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
THN6clTA6P.exeWannaCry_Ransomware_GenDetects WannaCry RansomwareFlorian Roth (based on rule by US CERT)
  • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
  • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
  • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
  • 0x1d439:$s1: __TREEID__PLACEHOLDER__
  • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
  • 0x1f508:$s1: __TREEID__PLACEHOLDER__
  • 0x20570:$s1: __TREEID__PLACEHOLDER__
  • 0x215d8:$s1: __TREEID__PLACEHOLDER__
  • 0x22640:$s1: __TREEID__PLACEHOLDER__
  • 0x236a8:$s1: __TREEID__PLACEHOLDER__
  • 0x24710:$s1: __TREEID__PLACEHOLDER__
  • 0x25778:$s1: __TREEID__PLACEHOLDER__
  • 0x267e0:$s1: __TREEID__PLACEHOLDER__
  • 0x27848:$s1: __TREEID__PLACEHOLDER__
  • 0x288b0:$s1: __TREEID__PLACEHOLDER__
  • 0x29918:$s1: __TREEID__PLACEHOLDER__
  • 0x2a980:$s1: __TREEID__PLACEHOLDER__
  • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
  • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e340:$s1: __TREEID__PLACEHOLDER__
THN6clTA6P.exeJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
    THN6clTA6P.exewanna_cry_ransomware_genericdetects wannacry ransomware on disk and in virtual pageus-cert code analysis team
    • 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
    THN6clTA6P.exeWin32_Ransomware_WannaCryunknownReversingLabs
    • 0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
    • 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ...
    • 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ...
    • 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
    • 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
    SourceRuleDescriptionAuthorStrings
    00000001.00000002.265600976.000000000040F000.00000008.00000001.01000000.00000005.sdmpJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
      00000001.00000000.262463921.000000000040F000.00000008.00000001.01000000.00000005.sdmpJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
        00000001.00000000.262558061.0000000000710000.00000002.00000001.01000000.00000005.sdmpwanna_cry_ransomware_genericdetects wannacry ransomware on disk and in virtual pageus-cert code analysis team
        • 0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
        • 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
        00000001.00000002.265724046.0000000000710000.00000002.00000001.01000000.00000005.sdmpwanna_cry_ransomware_genericdetects wannacry ransomware on disk and in virtual pageus-cert code analysis team
        • 0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
        • 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
        Process Memory Space: THN6clTA6P.exe PID: 2996JoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
          SourceRuleDescriptionAuthorStrings
          1.2.THN6clTA6P.exe.7100a4.1.raw.unpackWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
          • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
          • 0x342d41:$x2: taskdl.exe
          • 0x35962d:$x2: taskdl.exe
          • 0xf4d8:$x3: tasksche.exe
          • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
          • 0xf52c:$x5: WNcry@2ol7
          • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
          • 0x359d91:$s2: Windows 10 -->
          • 0xf42c:$s3: cmd.exe /c "%s"
          • 0x41980:$s4: msg/m_portuguese.wnry
          • 0x3591ff:$s4: msg/m_portuguese.wnry
          • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
          • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
          • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
          1.2.THN6clTA6P.exe.7100a4.1.raw.unpackwanna_cry_ransomware_genericdetects wannacry ransomware on disk and in virtual pageus-cert code analysis team
          • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
          • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
          1.2.THN6clTA6P.exe.7100a4.1.raw.unpackWin32_Ransomware_WannaCryunknownReversingLabs
          • 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
          • 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
          1.0.THN6clTA6P.exe.400000.0.unpackWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
          • 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
          • 0x374de5:$x2: taskdl.exe
          • 0x38b6d1:$x2: taskdl.exe
          • 0x3136c:$x3: tasksche.exe
          • 0x4157c:$x3: tasksche.exe
          • 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
          • 0x415d0:$x5: WNcry@2ol7
          • 0x17350:$x7: mssecsvc.exe
          • 0x31344:$x8: C:\%s\qeriuwjhrf
          • 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
          • 0x17338:$s1: C:\%s\%s
          • 0x31358:$s1: C:\%s\%s
          • 0x38be35:$s2: Windows 10 -->
          • 0x414d0:$s3: cmd.exe /c "%s"
          • 0x73a24:$s4: msg/m_portuguese.wnry
          • 0x38b2a3:$s4: msg/m_portuguese.wnry
          • 0x2e68c:$s5: \\192.168.56.20\IPC$
          • 0x1ba81:$s6: \\172.16.99.5\IPC$
          • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
          • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
          • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
          1.0.THN6clTA6P.exe.400000.0.unpackWannaCry_Ransomware_GenDetects WannaCry RansomwareFlorian Roth (based on rule by US CERT)
          • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
          • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
          • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
          • 0x1d439:$s1: __TREEID__PLACEHOLDER__
          • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
          • 0x1f508:$s1: __TREEID__PLACEHOLDER__
          • 0x20570:$s1: __TREEID__PLACEHOLDER__
          • 0x215d8:$s1: __TREEID__PLACEHOLDER__
          • 0x22640:$s1: __TREEID__PLACEHOLDER__
          • 0x236a8:$s1: __TREEID__PLACEHOLDER__
          • 0x24710:$s1: __TREEID__PLACEHOLDER__
          • 0x25778:$s1: __TREEID__PLACEHOLDER__
          • 0x267e0:$s1: __TREEID__PLACEHOLDER__
          • 0x27848:$s1: __TREEID__PLACEHOLDER__
          • 0x288b0:$s1: __TREEID__PLACEHOLDER__
          • 0x29918:$s1: __TREEID__PLACEHOLDER__
          • 0x2a980:$s1: __TREEID__PLACEHOLDER__
          • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
          • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
          • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
          • 0x2e340:$s1: __TREEID__PLACEHOLDER__
          Click to see the 17 entries
          No Sigma rule has matched
          Timestamp:192.168.2.38.8.8.860625532024293 08/31/22-23:46:48.979040
          SID:2024293
          Source Port:60625
          Destination Port:53
          Protocol:UDP
          Classtype:A Network Trojan was detected
          Timestamp:104.21.68.165192.168.2.380497462016803 08/31/22-23:46:49.148342
          SID:2016803
          Source Port:80
          Destination Port:49746
          Protocol:TCP
          Classtype:A Network Trojan was detected

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Source: THN6clTA6P.exeAvira: detected
          Source: THN6clTA6P.exeVirustotal: Detection: 88%Perma Link
          Source: THN6clTA6P.exeMetadefender: Detection: 89%Perma Link
          Source: THN6clTA6P.exeReversingLabs: Detection: 100%
          Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/Avira URL Cloud: Label: malware
          Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.comAvira URL Cloud: Label: malware
          Source: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.comVirustotal: Detection: 5%Perma Link
          Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com/Virustotal: Detection: 5%Perma Link
          Source: http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.comVirustotal: Detection: 5%Perma Link
          Source: THN6clTA6P.exeJoe Sandbox ML: detected
          Source: 1.2.THN6clTA6P.exe.7100a4.1.unpackAvira: Label: TR/Ransom.JB
          Source: 1.2.THN6clTA6P.exe.400000.0.unpackAvira: Label: TR/Ransom.JB
          Source: 1.0.THN6clTA6P.exe.7100a4.1.unpackAvira: Label: TR/Ransom.JB
          Source: 1.0.THN6clTA6P.exe.400000.0.unpackAvira: Label: TR/Ransom.JB
          Source: C:\Users\user\Desktop\THN6clTA6P.exeCode function: 1_2_00407660 rand,EnterCriticalSection,CryptGenRandom,LeaveCriticalSection,
          Source: C:\Users\user\Desktop\THN6clTA6P.exe