hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/ransomwares/WannaCrypt0r[.]zip

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/WannaCrypt0r.zip

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 903ec1caafa6d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000774e79b91c988e4c8fb9433f502e34ee00000000020000000000106600000001000020000000a40855619aa9238bce684344ccbff843e5457a152da1f08640b5116f848f5f9e000000000e80000000020000200000003c06ccf4c16c56e9f5b777cae9b820817aeeda5a9e72ffeda722e6fb6608fd63200000008e0297f15aa48196b2004ba99478843a30a957bfd74d1a980124850fb376296e40000000dacbe8e1f9ab844d8e0b632d26b6a274035c8302d7752f3b6333160bc87f952ce2c7675b90d6901590c3bc816481fd64cb8665d4b7571bd9f063781a755a668f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3349160741"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3349160741"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 509bd6caafa6d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000774e79b91c988e4c8fb9433f502e34ee0000000002000000000010660000000100002000000007bba2bd61a11f723b2c6990f1983ff68a8a3b56c2f5a2c1c76dfcb7251794bd000000000e8000000002000020000000e75105dea71d0631f81353dfcca0fdb13613433c895bf4560ccef441ad1a87262000000010d1723c9d8d16a94b74ed18eea3ed9af0d1f8ec3f9e6c5348a0bfd870b82caa40000000c8e9546739ddcad45e3e838acbcd6105b0a503ea375b27c86a2865b18a50409a2ea8a2a999ce2fdc32806a486780e937fc5269c7fd5d33af14fbec88f3980e03	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31041199"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F310F4C4-12A2-11EE-BCBE-CE8372037D5F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31041199"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4704 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4704 iexplore.exe
4704 iexplore.exe
4716 IEXPLORE.EXE
4716 IEXPLORE.EXE

pid	process
4704	iexplore.exe

pid	process
4704	iexplore.exe
4704	iexplore.exe
4716	IEXPLORE.EXE
4716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4704 wrote to memory of 4716	4704	iexplore.exe	IEXPLORE.EXE
PID 4704 wrote to memory of 4716	4704	iexplore.exe	IEXPLORE.EXE
PID 4704 wrote to memory of 4716	4704	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/WannaCrypt0r.zip
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4704

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4704 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\6nue318\imagestore.dat
Filesize
1KB

MD5
f27ca1be8149806ee19a3df2b810364f

SHA1
13b942eb5f3d1d5d34d7c45c7a18d9ac0ed52557

SHA256
f57c2431d45deadb7d3f2d35f0f4729df6dff8e72df2fa96310b42d8b3cf214f

SHA512
128d49e407d3cbf1ff1ad8dbffb465c6d10017d4aeafae0401cea3f66d9da311c637f7f77cefbcee1e4707faf4ee0d56aeae2ffbef88e22fc0a4cfc2d845a4ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JI3Q48H3\favicon[1].png
Filesize
958B

MD5
346e09471362f2907510a31812129cd2

SHA1
323b99430dd424604ae57a19a91f25376e209759

SHA256
74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08

SHA512
a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd

Download Submit

Resubmissions

Analysis

Sharing