MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



WannaCry


Vendor detections: 6



SHA256 hash: 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
SHA3-384 hash: ece7d3aa21641cef2ba34423647f849ba2d3a329aa4c81765c5e405e4bb71645fd80c9b39b6fc976e841079d1db540f9
SHA1 hash: 3b669778698972c402f7c149fc844d0ddb3a00e8
MD5 hash: d724d8cc6420f06e8a48752f0da11c66
humanhash: floor-blue-glucose-november
File name: mssecsvc.exe
Signature: WannaCry
File size: 3'723'264 bytes
First seen: 2020-04-30 07:35:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9ecee117164e0b870a53dd187cdd7174 (82 x WannaCry, 1 x Worm.Virut)
ssdeep: 98304:Z8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:Z8qPe1Cxcxk3ZAEUadzR8yc4HI
Threatray: 28 similar samples on MalwareBazaar
TLSH: 30063394612CB2FCF0440EB44463896AB7B33C69A7BA5E1F9BC086670D53F5BAFD0641
Reporter: jarumlus
Tags: WannaCry

Intelligence


File Origin
# of uploads: 1
# of downloads: 2'804
Origin country: n/a
Vendor Threat Intelligence
Result
Threat name: Wannacry
Detection: malicious
Classification: rans.expl.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Gathering data
Threat name: Win32.Trojan.CVE-2017-0147
Status: Malicious
First seen: 2017-05-14 13:47:48 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 44 of 47 (93.62%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:WannaCry_Ransomware
Author:Florian Roth (with the help of binar.ly)
Description:Detects WannaCry Ransomware
Reference:https://goo.gl/HG2j5T
Rule name:WannaCry_Ransomware_Gen
Author:Florian Roth (based on rule by US CERT)
Description:Detects WannaCry Ransomware
Reference:https://www.us-cert.gov/ncas/alerts/TA17-132A

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, WININET.dll::InternetCloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileA, KERNEL32.dll::MoveFileExA
WIN_CRYPT_API | Uses Windows Crypt API | ADVAPI32.dll::CryptAcquireContextA, ADVAPI32.dll::CryptGenRandom
WIN_SVC_API | Can Manipulate Windows Services | ADVAPI32.dll::ChangeServiceConfig2A, ADVAPI32.dll::CreateServiceA, ADVAPI32.dll::OpenSCManagerA, ADVAPI32.dll::OpenServiceA, ADVAPI32.dll::RegisterServiceCtrlHandlerA, ADVAPI32.dll::StartServiceA

Comments