user@threatcheck.sh ~ threat-analysis
$ analyze-threat Ransom:Win32/WannaCrypt!pz
Ransom:Win32/WannaCrypt!pz - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Ransom:Win32/WannaCrypt!pz
Classification:
Type: Ransom
Platform: Win32
Family: WannaCrypt
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !pz (packed or compressed to evade detection)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: ransomware (encrypts files and demands payment for decryption) targeting the 32-bit Windows platform, family WannaCrypt.

Summary:

Ransom:Win32/WannaCrypt!pz is a critical ransomware threat that spreads across networks as a worm, exploiting the MS17-010 SMBv1 vulnerability (EternalBlue) to infect unpatched hosts over TCP 445. It encrypts a wide range of file types (the extension strings below cover office, database, source-code, image and virtual-disk formats), appends its own extension to each encrypted file, deletes Volume Shadow Copies to defeat recovery, and demands a Bitcoin ransom for decryption. The detection strings below also show it loosening file permissions with icacls, adding a Run key through cmd.exe /c reg add for persistence, and connecting to the IPC$ share of target hosts to propagate.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - launcher.dll (PEHSTR)
 - mssecsvc.exe (PEHSTR)
 - f.wnry (PEHSTR_EXT)
 - %.1f BTC (PEHSTR_EXT)
 - @WanaDecryptor@.exe (PEHSTR_EXT)
 - %08X.eky (PEHSTR_EXT)
 - %08X.pky (PEHSTR_EXT)
 - %08X.res (PEHSTR_EXT)
 - tasksche.exed (PEHSTR_EXT)
 - tasksche.exe (PEHSTR_EXT)
 - t.wnry (PEHSTR_EXT)
 - icacls . /grant Everyone:F / (PEHSTR_EXT)
 - msg/m_korean.wnry (PEHSTR_EXT)
 - pmsg/m_latvian.wnry (PEHSTR_EXT)
 - taskdl.exe (PEHSTR_EXT)
 - cmd. (PEHSTR_EXT)
 - u.wnry (PEHSTR_EXT)
 - cmd.exe /c reg add  (PEHSTR_EXT)
 - \s.wnry (FILEPATH)
 - \u.wnry (FILEPATH)
 - %d.%d.%d.%d2 (PEHSTR)
 - \\%s\ipc$ (PEHSTR)
 - taskhcst.exe (PEHSTR)
 - lsasvs.exe (PEHSTR)
 - icacls . /grant Everyone (PEHSTR_EXT)
 - cmd.exe /c (PEHSTR_EXT)
 - .lay6 (PEHSTR_EXT)
 - .sqlite3 (PEHSTR_EXT)
 - .sqlitedb (PEHSTR_EXT)
 - .accdb (PEHSTR_EXT)
 - .java (PEHSTR_EXT)
 - .class (PEHSTR_EXT)
 - .mpeg (PEHSTR_EXT)
 - .djvu (PEHSTR_EXT)
 - .tiff (PEHSTR_EXT)
 - .jpeg (PEHSTR_EXT)
 - .backup (PEHSTR_EXT)
 - .vmdk (PEHSTR_EXT)
 - .sldm (PEHSTR_EXT)
 - .sldx (PEHSTR_EXT)
 - delete shadows /all /quiet (PEHSTR_EXT)
 - .onetoc2 (PEHSTR_EXT)
 - .vsdx (PEHSTR_EXT)
 - .potm (PEHSTR_EXT)
 - .potx (PEHSTR_EXT)
 - .ppam (PEHSTR_EXT)
 - !WannaDecryptor!.exe (PEHSTR)
 - u.wry (PEHSTR)
 - %.1f BTC (PEHSTR)
 - ,WScript.CreateObject("WScript.Shell")> c.vbs (PEHSTR)
 - Global\MsWinZonesCacheCounterMutexAd (PEHSTR_EXT)
 - t.wnryd (PEHSTR_EXT)
 - m_%s.wnry (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 - launcher.dll (PEHSTR_EXT)
 - msg/m_danish.wnry (PEHSTR_EXT)
 - msg/m_dutch.wnry (PEHSTR_EXT)
 - msg/m_filipino.wnry (PEHSTR_EXT)
 - msg/m_french.wnry (PEHSTR_EXT)
 - msg/m_german.wnry (PEHSTR_EXT)
 - Cry.img (PEHSTR_EXT)
 - @toututa.com (PEHSTR_EXT)
 - WannaCryptor (PEHSTR_EXT)
 - Wrong.Hahaha (PEHSTR_EXT)
 - \AllTheThings.dll (PEHSTR_EXT)
 - \WannaCry.pdb (PEHSTR_EXT)
 - \Wana Decrypt Or 2.0.pdb (PEHSTR_EXT)
 - PLEASE CONTACT https://message.bilibili.com/#whisper/mid490825280 TO FIX YOUR PC!!! (PEHSTR_EXT)
 - YOU MUST COMPLETE THIS IN ONE HOUR!!!OR YOU MUST SAY BYE BYE TO YOUR PC!!! (PEHSTR_EXT)
 - mHtyDZcsrtT4/t3O+3smlSCOHOGPecD9WyHiK92g6U5yU (PEHSTR_EXT)
 - vgLv/4CGSWX5CdAY5bVOmiK3URqJGG6MCpTC5MB (PEHSTR_EXT)
 - Rp/ovZWeh65j6G5mVS3o3Ux5cH2pfT/VZ (PEHSTR_EXT)
 - eee.exe (PEHSTR_EXT)
 - .wnry (PEHSTR_EXT)
 - limiteci/WannaCry/raw/main/WannaCry.EXE (PEHSTR_EXT)
 - cmd /c image.png (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
Filename: 0ce805fdbf012822bf83a6c61989651cde1d70cb6be8a2991f4e68abfc25839c
SHA-256: 0ce805fdbf012822bf83a6c61989651cde1d70cb6be8a2991f4e68abfc25839c
Date: 16/12/2025
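The string list and the sample hash above are what a static check actually consumes. As an added example that is not part of this report and not Microsoft's VDM engine, the Python script below does the same job at toy scale: it checks a file's SHA-256 against the listed hash, confirms the file is a PE image (PEHSTR rules only apply to PE files), and then scores a weighted subset of the PEHSTR strings, matching each one both as ASCII and as UTF-16LE. The weights, the threshold, the helper names and the sample blobs it scans are assumptions constructed for this example; the mutex name is used in its well-known form, treating the trailing character shown on the page as extraction residue.

```python
import hashlib
import struct

# SHA-256 of the sample the report above lists as associated with this signature.
KNOWN_SHA256 = {
    "0ce805fdbf012822bf83a6c61989651cde1d70cb6be8a2991f4e68abfc25839c",
}

# Indicator byte-strings copied from the PEHSTR/PEHSTR_EXT list above, with
# per-string weights. Weights and THRESHOLD are assumptions for this example;
# the real signature's scoring is not published. The mutex name is used in its
# well-known form (the page shows a trailing 'd', treated here as extraction residue).
INDICATORS = {
    b"@WanaDecryptor@.exe": 3,
    b"Global\\MsWinZonesCacheCounterMutexA": 3,
    b"mssecsvc.exe": 2,
    b"tasksche.exe": 2,
    b"icacls . /grant Everyone:F /": 2,
    b"delete shadows /all /quiet": 2,
    b"cmd.exe /c reg add ": 1,
    b"\\\\%s\\ipc$": 1,
    b"%08X.eky": 1,
    b"%08X.pky": 1,
    b"%.1f BTC": 1,
    b"u.wnry": 1,
    b"t.wnry": 1,
}
THRESHOLD = 6  # assumed: a weighted score at or above this is a detection


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """PEHSTR rules apply to PE images: require an MZ header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_indicators(data: bytes) -> dict:
    """Count each indicator both as ASCII and as UTF-16LE, since Win32 binaries
    store many of these strings as wide strings in .rdata."""
    hits = {}
    for s in INDICATORS:
        wide = s.decode("ascii").encode("utf-16-le")
        n = data.count(s) + data.count(wide)
        if n:
            hits[s] = n
    return hits


def score(hits: dict) -> int:
    return sum(INDICATORS[s] for s in hits)


def triage(data: bytes, known_hashes=KNOWN_SHA256) -> dict:
    """Exact hash match first (cheap and unambiguous), then the PE check, then string scoring."""
    result = {"sha256": sha256_hex(data), "pe": is_pe(data), "hits": {}, "score": 0}
    if result["sha256"] in known_hashes:
        result["verdict"] = "known-sample"
        return result
    if not result["pe"]:
        result["verdict"] = "not-a-pe"  # the strings alone in a text file are not a detection
        return result
    result["hits"] = find_indicators(data)
    result["score"] = score(result["hits"])
    result["verdict"] = "WannaCrypt-strings" if result["score"] >= THRESHOLD else "clean"
    return result


def make_pe_stub(payload: bytes) -> bytes:
    """Constructed MZ/PE header (not a real executable) followed by payload bytes."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20 + payload


# Constructed samples (not real malware): a dropper-like blob carrying several
# indicators, one of them as a wide string; a benign blob that only shares the
# weak, common strings; and a plain text note that mentions the decryptor name.
MALICIOUS = make_pe_stub(b"\x00".join([
    b"@WanaDecryptor@.exe",
    "Global\\MsWinZonesCacheCounterMutexA".encode("utf-16-le"),
    b"icacls . /grant Everyone:F /T /C /Q",
    b"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete",
    b"%08X.eky", b"%08X.pky", b"u.wnry", b"t.wnry",
]))
BENIGN = make_pe_stub(b"cmd.exe /c dir\x00Everyone\x00backup.wnry\x00%.1f BTC")
NOT_PE = b"incident notes: the file @WanaDecryptor@.exe was dropped on HOST-07"

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS), ("benign", BENIGN), ("notes", NOT_PE)):
        r = triage(blob)
        print(f"{name:9s} verdict={r['verdict']:18s} score={r['score']:2d} hits={len(r['hits'])}")
```

The ordering matters: a hash hit is returned before any heuristic runs, a non-PE file is never scored no matter what it contains, and the weak strings that legitimate software can carry (".wnry" fragments, a "%.1f BTC" format string, "cmd.exe /c") do not reach the threshold on their own, which is what keeps the false-positive risk low for this family. Matching the UTF-16LE form is what catches the mutex name when it is stored as a wide string.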
Remediation Steps:
Immediately isolate the infected host from the network (quarantine its switch port or pull the cable; the worm component keeps scanning for new targets as long as the process runs). Do not pay the ransom. Reimage the host, or at minimum run a full scan with up-to-date antivirus signatures, then restore encrypted files from clean, offline backups and confirm those backups were never reachable from the infected host. Before reconnecting anything, ensure every system is patched against MS17-010 (EternalBlue), disable SMBv1, and block inbound TCP 445 from untrusted networks. Segment the network so SMB is reachable only where it is needed, to prevent further lateral movement.
=== END REPORT ===
This analysis was last updated on 16/12/2025.