Categories: Ransom

Ransom:Win32/CVE-2017-0147.A (file analysis)

The Ransom:Win32/CVE-2017-0147.A is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Ransom:Win32/CVE-2017-0147.A virus can do?

  • Injection with CreateRemoteThread in a remote process
  • Creates RWX memory
  • A process attempted to delay the analysis task.
  • Attempts to connect to a dead IP:Port (460 unique times)
  • Reads data out of its own binary image
  • A process created a hidden window
  • Drops a binary and executes it
  • HTTP traffic contains suspicious features which may be indicative of malware related traffic
  • Performs some HTTP requests
  • Code injection with CreateRemoteThread in a remote process
  • Tries to unhook or modify Windows functions monitored by Cuckoo
  • Attempts to repeatedly call a single API many times in order to delay analysis time
  • Installs itself for autorun at Windows startup
  • Creates a hidden or system file
  • EternalBlue behavior
  • Generates some ICMP traffic
  • Anomalous binary characteristics

Related domains:

ilo.brenz.pl
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
aaiivp.com
ant.trenz.pl
ifvkeg.com
qhengb.com
yahyvd.com
niabeq.com
rjhpvb.com
weinla.com
mosifu.com
ccoddk.com
vblspk.com
luwgov.com
mcpvia.com
ybddpg.com
obyiuo.com
ngsnty.com
axoyyn.com
xirmpg.com
uwwjbo.com
sujemb.com
idtfxt.com
ubzuye.com
hbmgda.com
unfvel.com
wbburg.com
podgkr.com
ceiopg.com
eurjys.com
gbecwr.com
qozojy.com
rwcydn.com
klcupe.com
drausb.com
iigwmr.com
rkundb.com
oesvdm.com
afaohd.com
oawhob.com
qvkfol.com
ejjaxk.com
mbhlgh.com
nhsaqz.com
quawka.com
bjozxi.com
vuoawh.com
rfupll.com
ercfyl.com
fhgeem.com
bunyxu.com
imjldr.com
laygbn.com
pymrln.com
iyvisx.com
fllmml.com
aavxaj.com
ghuuiy.com
vyrofe.com
yfyiza.com
iuctvu.com
uzpacu.com
kkbdxc.com
ptoluy.com
famjff.com
xlauee.com
yxufxj.com
nzgdbw.com
donagt.com
iatblg.com
rncaxk.com
olusij.com
jmeygy.com
cuchqd.com
euuapb.com
obxwfp.com
ngeyvu.com
ztuima.com
ecskha.com
qxxeft.com
sdibiy.com
waapfp.com
siwvse.com
foafah.com
myplvg.com
iokilo.com
bfagyk.com
vuuzau.com
yofjxf.com
oijtda.com
uvzkry.com
badkke.com
qbsoyd.com
tiarzv.com
urxgtq.com
ahzidp.com
ypxdam.com
ixxiau.com
vyklip.com
wazewt.com
opzmgu.com
unxfkf.com
bgnutq.com

How to determine Ransom:Win32/CVE-2017-0147.A?



File Info:

crc32: 7BFB1F22md5: 7758db6230da2f64e8596e848215630fname: tmpy88gevawsha1: 3c709d5d553d2201bc42301c88a672178678dcbasha256: 555d7288b88a3239374ad87f95811322bf470ed8df11b476fc5ab96a9be7b949sha512: 4ca4e86166304d35fa23d978ddd1c8fcba963a53600809799d4275f77eaeb25a5ac765403aace0199b9bf85cda9f4d99e17c2a406ff2c3633951a2c4cb16e99bssdeep: 12288:MlbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+Djr/y:SbLgddQhfdmMSirYbcMNgef0Autype: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Version Info:

0: [No Data]

Ransom:Win32/CVE-2017-0147.A also known as:

Bkav W32.AIDetectVM.malware
MicroWorld-eScan Trojan.GenericKD.40267082
FireEye Generic.mg.7758db6230da2f64
CAT-QuickHeal Ransom.WannaCrypt.S1670344
McAfee GenericRXFL-OG!7758DB6230DA
Cylance Unsafe
Sangfor Malware
K7AntiVirus Trojan ( 00557fc41 )
K7GW Trojan ( 00557fc41 )
CrowdStrike win/malicious_confidence_100% (D)
TrendMicro Ransom_WCRY.SMALYM
Baidu Win32.Worm.Rbot.a
F-Prot W32/S-2b52222d!Eldorado
Symantec Ransom.Wannacry
APEX Malicious
Avast Sf:WNCryLdr-A [Trj]
ClamAV Win.Ransomware.WannaCry-6313787-0
Kaspersky Trojan-Ransom.Win32.Wanna.m
BitDefender Trojan.GenericKD.40267082
NANO-Antivirus Trojan.Win32.Wanna.epxkni
Paloalto generic.ml
Rising Ransom.Wanna!8.E7B2 (TFE:dGZlOgUxA5JDnJz0dA)
Endgame malicious (high confidence)
Emsisoft Trojan.GenericKD.40267082 (B)
Comodo TrojWare.Win32.Ransom.WannaCry.AB@75ge5e
F-Secure Malware.W32/Virut.Gen
DrWeb Trojan.Encoder.11432
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.RansomWannaCry.tz
MaxSecure Trojan-Ransom.Win32.Wanna.m
Trapmine malicious.high.ml.score
CMC Trojan-Ransom.Win32.Wanna!O
Sophos Mal/Wanna-A
SentinelOne DFI – Malicious PE
Cyren W32/WannaCrypt.A.gen!Eldorado
Jiangmin Trojan.Wanna.k
Webroot W32.Trojan.Gen
Avira W32/Virut.Gen
Antiy-AVL Trojan[Ransom]/Win32.Wanna
Microsoft Ransom:Win32/CVE-2017-0147.A
Arcabit Trojan.Generic.D2666D4A
ViRobot Trojan.Win32.WannaCry.5267459
ZoneAlarm Trojan-Ransom.Win32.Wanna.m
GData Trojan.GenericKD.40267082
AhnLab-V3 Trojan/Win32.WannaCryptor.R200894
Acronis suspicious
VBA32 Hoax.Wanna
ALYac Trojan.GenericKD.40267082
MAX malware (ai score=85)
Ad-Aware Trojan.GenericKD.40267082
Malwarebytes Ransom.WannaCrypt
ESET-NOD32 Win32/Exploit.CVE-2017-0147.A
TrendMicro-HouseCall Ransom_WCRY.SMALYM
Tencent Trojan-Ransom.Win32.Wanna.m
Yandex Exploit.CVE-2017-0147!
Ikarus Exploit.CVE-2017-0147
eGambit Trojan.Generic
Fortinet W32/WannaCryptor.H!tr.ransom
BitDefenderTheta Gen:NN.ZedlaF.34090.@x5@aC0WZ7ei
AVG Sf:WNCryLdr-A [Trj]
Panda Trj/Genetic.gen
Qihoo-360 HEUR/QVM26.1.751B.Malware.Gen

How to remove Ransom:Win32/CVE-2017-0147.A?

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.
Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

Leave a Comment
Share
Published by
Paul Valéry
Tags: aaiivp.comaavxaj.comafaohd.comahzidp.comant.trenz.plaxoyyn.combadkke.combfagyk.combgnutq.combjozxi.combunyxu.comccoddk.comceiopg.comcuchqd.comdonagt.comdrausb.comecskha.comejjaxk.comercfyl.comeurjys.comeuuapb.comfamjff.comfhgeem.comfllmml.comfoafah.comgbecwr.comghuuiy.comhbmgda.comiatblg.comidtfxt.comifvkeg.comiigwmr.comilo.brenz.plimjldr.comiokilo.comiuctvu.comixxiau.comiyvisx.comjmeygy.comkkbdxc.comklcupe.comlaygbn.comluwgov.commbhlgh.commcpvia.commosifu.commyplvg.comngeyvu.comngsnty.comnhsaqz.comniabeq.comnzgdbw.comoawhob.comobxwfp.comobyiuo.comoesvdm.comoijtda.comolusij.comopzmgu.compodgkr.comptoluy.compymrln.comqbsoyd.comqhengb.comqozojy.comquawka.comqvkfol.comqxxeft.comRansom:Win32/CVE-2017-0147.Arfupll.comrjhpvb.comrkundb.comrncaxk.comrwcydn.comsdibiy.comsiwvse.comsujemb.comtiarzv.comubzuye.comunfvel.comunxfkf.comurxgtq.comuvzkry.comuwwjbo.comuzpacu.comvblspk.comvuoawh.comvuuzau.comvyklip.comvyrofe.comwaapfp.comwazewt.comwbburg.comweinla.comwww.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comxirmpg.comxlauee.comyahyvd.comybddpg.comyfyiza.comyofjxf.comypxdam.comyxufxj.comztuima.com
4 years ago

Recent Posts

MSIL/GenKryptik.GXIZ information

The MSIL/GenKryptik.GXIZ is considered dangerous by lots of security experts. When this infection is active,…

2 weeks ago

Malware.AI.2789448175 (file analysis)

The Malware.AI.2789448175 is considered dangerous by lots of security experts. When this infection is active,…

2 weeks ago

Jalapeno.1878 removal instruction

The Jalapeno.1878 is considered dangerous by lots of security experts. When this infection is active,…

2 weeks ago

What is “Trojan.Heur3.LPT.YmKfaKBcBekib”?

The Trojan.Heur3.LPT.YmKfaKBcBekib is considered dangerous by lots of security experts. When this infection is active,…

2 weeks ago

How to remove “Worm.Win32.Vobfus.exmt”?

The Worm.Win32.Vobfus.exmt is considered dangerous by lots of security experts. When this infection is active,…

2 weeks ago

About “TrojanDownloader:Win32/Beebone.JO” infection

The TrojanDownloader:Win32/Beebone.JO is considered dangerous by lots of security experts. When this infection is active,…

2 weeks ago