hxxps://github[.]com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware[.]WannaCry_Plus/Ransomware[.]WannaCry_Plus[.]zip

Analysis

max time kernel
47s
max time network
44s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry_Plus/Ransomware.WannaCry_Plus.zip

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
69	raw.githubusercontent.com
62	raw.githubusercontent.com
63	raw.githubusercontent.com
64	raw.githubusercontent.com
65	raw.githubusercontent.com
66	raw.githubusercontent.com
67	raw.githubusercontent.com
68	raw.githubusercontent.com

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	firefox.exe
Token: SeDebugPrivilege	2488	firefox.exe
Token: SeDebugPrivilege	2488	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2488	firefox.exe
2488	firefox.exe
2488	firefox.exe
2488	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2488	firefox.exe
2488	firefox.exe
2488	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2488	firefox.exe
2488	firefox.exe
2488	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2488	2312	firefox.exe	28
PID 2312 wrote to memory of 2488	2312	firefox.exe	28
PID 2312 wrote to memory of 2488	2312	firefox.exe	28
PID 2312 wrote to memory of 2488	2312	firefox.exe	28
PID 2312 wrote to memory of 2488	2312	firefox.exe	28
PID 2312 wrote to memory of 2488	2312	firefox.exe	28
PID 2312 wrote to memory of 2488	2312	firefox.exe	28
PID 2312 wrote to memory of 2488	2312	firefox.exe	28
PID 2312 wrote to memory of 2488	2312	firefox.exe	28
PID 2312 wrote to memory of 2488	2312	firefox.exe	28
PID 2312 wrote to memory of 2488	2312	firefox.exe	28
PID 2312 wrote to memory of 2488	2312	firefox.exe	28
PID 2488 wrote to memory of 2900	2488	firefox.exe	29
PID 2488 wrote to memory of 2900	2488	firefox.exe	29
PID 2488 wrote to memory of 2900	2488	firefox.exe	29
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2776	2488	firefox.exe	30
PID 2488 wrote to memory of 2804	2488	firefox.exe	31
PID 2488 wrote to memory of 2804	2488	firefox.exe	31
PID 2488 wrote to memory of 2804	2488	firefox.exe	31
PID 2488 wrote to memory of 2804	2488	firefox.exe	31
PID 2488 wrote to memory of 2804	2488	firefox.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry_Plus/Ransomware.WannaCry_Plus.zip"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry_Plus/Ransomware.WannaCry_Plus.zip
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2488.0.488758590\607023435" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1144 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a04e6dac-650c-4011-9da0-18b8a881f0db} 2488 "\\.\pipe\gecko-crash-server-pipe.2488" 1284 10ccf758 gpu
    3⤵
    PID:2900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2488.1.605533168\887830739" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {490d1a62-755e-46c0-9e05-2056711f9fad} 2488 "\\.\pipe\gecko-crash-server-pipe.2488" 1484 e6f9258 socket
    3⤵
    - Checks processor information in registry
    PID:2776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2488.2.201510954\1090818714" -childID 1 -isForBrowser -prefsHandle 1796 -prefMapHandle 1708 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c97d209d-977c-4c1b-bc99-f0fc7b208596} 2488 "\\.\pipe\gecko-crash-server-pipe.2488" 1824 10c5a458 tab
    3⤵
    PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2488.3.1487362235\756153251" -childID 2 -isForBrowser -prefsHandle 2652 -prefMapHandle 2624 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e93bddb-5180-4a5c-a468-ba123c625b47} 2488 "\\.\pipe\gecko-crash-server-pipe.2488" 2660 d62858 tab
    3⤵
    PID:2216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2488.4.1347428765\1981372936" -childID 3 -isForBrowser -prefsHandle 3880 -prefMapHandle 3876 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18819b47-cd54-4116-9c33-8130b663cb56} 2488 "\\.\pipe\gecko-crash-server-pipe.2488" 3892 1f668058 tab
    3⤵
    PID:888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2488.5.527353176\546209346" -childID 4 -isForBrowser -prefsHandle 4000 -prefMapHandle 4004 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d077e5d-caf2-48dd-9dfd-fb488a98717e} 2488 "\\.\pipe\gecko-crash-server-pipe.2488" 3988 1f668658 tab
    3⤵
    PID:852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2488.6.1981368801\746630813" -childID 5 -isForBrowser -prefsHandle 4160 -prefMapHandle 4164 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9685b411-be6b-4369-957e-b8bde385fbd1} 2488 "\\.\pipe\gecko-crash-server-pipe.2488" 4148 1f669258 tab
    3⤵
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ty9peokp.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
83bab5aa0c7270ed304abf19b89954e8

SHA1
d7385cac1a74f5a74c9a7727c4419971b7ef2b82

SHA256
49f6bcde29492f09efb49b42cb1aeceff445c0fb7f79fc2fc5c3a015f032c895

SHA512
c9887aee2e1c3f5014730793c58efac40cc004debe07a13d6c5e2203f3c11502a827b45ce515bb519e867cf57c1805106e3ab482c203590872a64bb797d1080b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
5973951b08f3a75e3f9048f3f388188b

SHA1
e21fccc516bbc3c889ab604b87d6622b6c65a39b

SHA256
689fbad8097fb75b4ca320f7261b044d4e0dc21d16f60baed0ce612c9f664398

SHA512
d00df188e938466348985174d7bc0037959daa841f8760a2faf1730c888c26bf79c73b95c3bdcb284f27abaae384a1ac7e2196f56cc77e14e04e076b1bfbae73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\datareporting\glean\pending_pings\9e6b15f1-59bf-47f2-8cd3-2665a167eb79

Filesize
745B

MD5
1ec4a55c3168e41b45623f5fa8a0994c

SHA1
c1d3c44c9615ccb5a17cd00ec6115350a4b2621a

SHA256
f0af72ea14b87f53caf3d13ad842391bbab0326280221776e1007ee4b9e42a00

SHA512
638d5721e514f7929dab1466c82d2eca2e08902b28ffd94ab88ecae717b127d03540514607a75b786d1902c6fc39bb877134f0a649139f71f4952b0edcb0e69e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\datareporting\glean\pending_pings\c1f4e886-1646-4a44-9e58-343048d3149b

Filesize
11KB

MD5
98499e5b07359b92408ed9b47d1c42bb

SHA1
b369177feb8d5bde5a5b363306301af901764c14

SHA256
a62abb7fd5a5a58b58159415548629d5ed8b245dfb7a128dafd9cef843795c17

SHA512
6e3ffd76725975bde851b7b9aa36b6e5d7d9cbc7b2c760970e2e293fceb26641dd1ac413dab2d15d9622c278effb5fe5514b2e4322d3b2a24a5f34c860e38918

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\prefs-1.js

Filesize
6KB

MD5
c975e4e8ad59f541e77f5380d6728486

SHA1
ae4bc93d11df6f2e89c09a817d4a83a9cab396f5

SHA256
c3383c1f3e255ae961269e09f2d8ee2566e81059e1766ebd7ae2a671cf9ce6cb

SHA512
7edf3fa1704e4017469538f24f733b6076b7acd59459a9fcb04343c70c6ea1f16f9609e73adfc3ca684a54a54af07fc75de388371983040e98f760ea38e529f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\prefs-1.js

Filesize
6KB

MD5
c03a0ed8af4802ba4fcc5fb9aba10b28

SHA1
2a1720e8c94326d92e9be66d1b99f849c0e41c36

SHA256
722ae2579cacf6875c926bbd9b9691c50e76c228dae8139a5bf0d5a195d4cdb1

SHA512
347048739e41afaf73758213cf1b0150d6867d6aa2ac035e5af6e6963ae64985ac08d35c2bacdadbbc43bd740c6273494a2d939a0ecc8b6a464a8037d4838e28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\prefs-1.js

Filesize
6KB

MD5
eb9bf85dfa0bda45eeca275af6f52d2c

SHA1
310819abdaae9824ef5c8749ce9ed3aa56847874

SHA256
c88e92531c7cd4732ba9e884abd54105d6901624e475a39bb98cc9d57b4cac79

SHA512
7e27bfe0100cd8c5fb4824f65cd32de877615712297676a518959f9246a17b9fa6fa9833a75240f74c3809fd9a7c84e6c7190661739334da22ebbe32a5a5190b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
98cf552124ba922d4fc75b886dcd700d

SHA1
b7698b77c6595b7bcc4e4a68047eb42894244daa

SHA256
652c9ae0986d4d6f7ce7c984400680fd291f2228f8069251fef5613b4cf9f482

SHA512
8d77ab974a8760b47115eb03c3ab51dee8f0cd461e14b150afe6c12de23f181f0e4a9800b027ed91398d5922e782f17a2ab36fa387ab9474214c47666d5d70bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\sessionstore.jsonlz4

Filesize
2KB

MD5
9b2be9853c5d13dc6f2efa710f39f193

SHA1
054ff51a5f32b9ce720748d3ac0c0eac1b6168c8

SHA256
50eeaee4e5792b67ecb6e9b8361e7c5fabbd444631edd229ed74791132b2e468

SHA512
4f81d7bc6f3086af201a54104b988242322f6e39faf1001bb1a12b095d9d019be95261da8717bb6781cae9921a57a43cb15e7227fe5306067c193e3ebc1f5f13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
cef95f9af3b1bfdafbad7f1f87fe117d

SHA1
9d2ca43b6b91662c53c2ba55c253400de21f6b60

SHA256
d2acd6071e2b030b9f94b4587bf71cb799e31aa927deff238650bed6a84316fa

SHA512
75d7f0e7b49c0d28a7a1a5d094ef1fe6dc375a3ca8ff188edb4f36aedbd5933feefb20b2d2cada230f706a2cc20ee7b12f36b76093400f89274b2c04b572517f

Download Submit
C:\Users\Admin\Downloads\Ransomware.wEpn9Qxc.WannaCry_Plus.zip.part

Filesize
63KB

MD5
7df3b3962f534956eddd6cf1692b7028

SHA1
189ebe65a770d4452062a8b7bbb6a0cddbbf4216

SHA256
6f186c464b47f35fc05ce32be8224eb2797a27ce3f807e4255d563c64dd5600d

SHA512
69a84396251bd40979fcf8606b74f0f5c69f4d83397ecb22d997533f730e64e0a28b27dff59d0e7379b530d7dbd707097c1d19583e08bac1a6f3e018ccd8fd94

Download Submit