hxxps://github[.]com/fabrimagic72/malware-samples/tree/master/Wannacry

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/fabrimagic72/malware-samples/tree/master/Wannacry

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
428	msedge.exe
428	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe
2296	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 4440	428	msedge.exe	87
PID 428 wrote to memory of 4440	428	msedge.exe	87
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 3632	428	msedge.exe	89
PID 428 wrote to memory of 4656	428	msedge.exe	88
PID 428 wrote to memory of 4656	428	msedge.exe	88
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90
PID 428 wrote to memory of 4548	428	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/fabrimagic72/malware-samples/tree/master/Wannacry
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff091346f8,0x7fff09134708,0x7fff09134718
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4415611797395155512,12485788455087655055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4415611797395155512,12485788455087655055,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4415611797395155512,12485788455087655055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4415611797395155512,12485788455087655055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4415611797395155512,12485788455087655055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4415611797395155512,12485788455087655055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4415611797395155512,12485788455087655055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4415611797395155512,12485788455087655055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4415611797395155512,12485788455087655055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4415611797395155512,12485788455087655055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4415611797395155512,12485788455087655055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4415611797395155512,12485788455087655055,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
17c8d44e28193df8fa9858a6ecda29e5

SHA1
994c969d89049da5a9419f89b0200d544d267e0f

SHA256
92fe8084a1c083a108c647d873a2ad6633c3885cbb62731a9f6f8e8913939d1c

SHA512
48ae78a4723f73d2c24e0dc3ab245265aa8860efd6353d26923b82e62fc9ab9a9462e2655d4efc4c4de93748d18497fedf2a6d3414863a2695633c3ff7ec539f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
f4961e4b50f0fdbff27470a1a4a76d0f

SHA1
deb214790108d45ce26bd533e079cf966b4ef1be

SHA256
8835804571ee064f4da644b36b478cdef0e6e62bec9cf82185b08adc5fd7f208

SHA512
a9c0311b01494653dafd4afa3650abc2bb2b41ad5bf48847e27da7ed739be15e03e18393221ee347562f798a807f0959283ff9e2af4af426f8ede418579986ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
84ff2e854562757c6c90d1e69b8c6bf3

SHA1
c6284b69d374925debd039832db21fd1ee60b3bd

SHA256
52b16b44279ab0b976bc7d41176b6dd39ae51560b9c6d3950cc243b7dfb5e2c2

SHA512
a0bd9e1eafd1842d2c9d54b928aeca294662691fbd1a6f8d952b95aafb28149a4a12e88c70a051e3b2e11e8a23f444afd46cb41607eede3316c6ce8ce059b839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d9c00b802daf0505c5f4a032881213b

SHA1
f9da470c1fa95549da49e2ddb116dbfa03d08d4e

SHA256
8df9c0b395bd2680242b55b35814db701e1bc257d8cb3ccaece1b292744fa148

SHA512
711628528e1e501d7aa7d312e436203c70f4f2d76b2e3fa44541e07f8aca4202bff248b32aee14ec6583892edf2c3b63c2bb93e76a13d47bbf1ea9602aa92fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bd6d5c74f48a20c2311959e68560d541

SHA1
32c0f5b258b4945fb387aecdfb33a89843d51bfc

SHA256
18a3488012505a70ac6c183d558a049adc4977186909b76ba592e7a3ca9749dc

SHA512
18b106bd0452831a47f9507da9bce6bc89182168247524decdbcf119fec636449e671d401f743510efb56cbb127505077d7762cf5cb0272723d2145c71525e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
cc01f93e43f2ecb33fb2167e52224ce1

SHA1
505fd42c550c30bc650b882f72b631cf60986b8c

SHA256
10b0e8c5eb85b660aeb4306e8eeeebe0600e21cf106ced3247d9ec309eaab3f5

SHA512
28f5ad8db112dc3457c741c702272ee9f798168d7a357831d6027033bb5ae875d386d83230a06bb8d1340dc325efe6facd45dba6099eb06071d618c4eafc6299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a8e2.TMP

Filesize
539B

MD5
1a76e5b5ada4436a4edc4d4a30a44bf9

SHA1
b42d460556d48401414a89899c258a0908f555fa

SHA256
c1e431355cf34599e02812e2874573af0216149fd4813686d022f1e5fe705376

SHA512
7e8302adc7af5e4d13ea0fad96e6667f557f49aa9e3152e17711fffa73b9cacfc72d13f7187f73e8627b8b3fe11ad027ca58368e8384827e72ce7a0854f5b985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
09b6f235d1f0993d8d96b8240a4d21b9

SHA1
3c12baf3147d95972eca47194d655c855bf0c60e

SHA256
d8a9100950a39d9f39c400751f26dfa3fbf78cd77496551b38fd31d8e7796a93

SHA512
b2ac26a712c0a422e92c3beb7684cb6daa3a0695953fc292809c02b3b90166f978f35036af8c2ffd268881404246726a78ed6e1099b11fa625fad97b296baa6c

Download Submit