hxxps://github[.]com/chronosmiki/RANSOMWARE-WANNACRY-2[.]0/blob/master/Ransomware[.]WannaCry[.]zip

Resubmissions

23-08-2024 14:42

240823-r3cpjsseqq 3

21-08-2024 17:31

240821-v3xw9svdpl 10

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/blob/master/Ransomware.WannaCry.zip

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1032	msedge.exe
1032	msedge.exe
2344	msedge.exe
2344	msedge.exe
3120	identity_helper.exe
3120	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2344	msedge.exe
2344	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe
2344	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 4456	2344	msedge.exe	85
PID 2344 wrote to memory of 4456	2344	msedge.exe	85
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 2232	2344	msedge.exe	86
PID 2344 wrote to memory of 1032	2344	msedge.exe	87
PID 2344 wrote to memory of 1032	2344	msedge.exe	87
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88
PID 2344 wrote to memory of 2792	2344	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/blob/master/Ransomware.WannaCry.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a02a46f8,0x7ff9a02a4708,0x7ff9a02a4718
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3100001200315161544,6815469819739679949,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,3100001200315161544,6815469819739679949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,3100001200315161544,6815469819739679949,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3100001200315161544,6815469819739679949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3100001200315161544,6815469819739679949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3100001200315161544,6815469819739679949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,3100001200315161544,6815469819739679949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
23d6fea775cfb224648779cb75ff5a02

SHA1
6649bed644d38cf5c6a7c084c33637058e7ea0a7

SHA256
f5c976f9f4f7b9bf2f5189fb695313733f782e1f25a6247d159de79cf7ad6181

SHA512
0b0de12056bf73c37e4ac4e229086a75249e9aa07d08a4c0402bc50473f32b2b900af77d4bbd9faa224842d1e9e8f8f068207b22581774da8d48f88432629df5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
d22266ba3d8db30279b96944f0cec985

SHA1
44e288cdfe75a5e8299ce32e75dd9e0705cdbac9

SHA256
77873629fa695e434160c86ae9116906ff65a97666d7d35a3ed63221b627c0bf

SHA512
d463aecbdac835dace5544b4267c86c2ed7d3165ba95095db6dfc3a25655f2391fa202a81d37b4a76a36f04456ed86df137302ad0e456fd59ecdfee3c69c6c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dc39067e054da94968c97ba7ac6579d1

SHA1
32c35d0f87ce29d11bebd513cdaff0d857df37e4

SHA256
ee6b80c3d89a01bcd5f87ca9cb88c5459c3e632e360b88abfaa98d65f605e047

SHA512
b8045a4d6acb5e8573bbb028ce2e2a66397e231c37e5e9985064d75a251063c90934ae41d686c88bc76499647f972157f36d3c203c8d2f97ff0b46a6bd22b367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2b94a13888fc7faf5cf8a27c366ddcff

SHA1
24186b536d0c55a2ce6d07026b9ba9a4fd38fff1

SHA256
bb84f7cdf0a2d31ed233b503d4a30d8208bea91b09f7d09ec6cadae3de663204

SHA512
746208c8ae3643e8b5a34deef4436ffee8e185f217bb9676d46bfa947721543a8fa3c9135ba9b1944c1f60bad412d13dc0a0cf51d84f6bb391c0687a6494fff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fe8145a87ead1d7835e510ba7d0536bc

SHA1
7b0dcfa78ac7668b5df3075ee86b8cbc38a24a29

SHA256
b379dcbdc3d349235f316e0ed9df19f59717141512900e930384ccfaedd8fa85

SHA512
d9f41c596542dccf4435beaa107b8d5d12853029e50b4a91f6af7da84ecb48a446d0802179310abb99a806302642d9af7457ff3c47ae78a7a666c1c0d70a2f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
a4f52a83f6f97c031919cf9e58486708

SHA1
6862287dd1141c4c94c643f84f33175ca8a6d5b7

SHA256
0cd19bb50c15fe8f9ac1b68ed4a1cfb0a3f2cb0c197a0202b73b9a55305a4403

SHA512
cb964d08f7abe58b412becca403ba2bc192b8f75cc251df2b0e379fde1e954dfa6a512e5a8da9603f27f382df3e76393bf6dbe66d4c2c4cb8257c5fb3677cd32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c870.TMP

Filesize
874B

MD5
52477ff390e1605aa1c8511f6db1e698

SHA1
a4050dd77bffa61144820ec88c356980b8cf9330

SHA256
d5bfdaee3ae41954b421ab1cb9fa5ef00d55fe083846334d3db8b8c59b0f496e

SHA512
c1276c2867e5aec96c479c27670062ea5d52300b0cbcfe388e24ea35d5ad68e9200e1d5fba0f50d7e47ed3c8c007e59fd722b87dd08f2c93a2d1afc8261860ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
810658be0f9141d48b089e46e84ae814

SHA1
3e21eda3b8920b3d00740be04c89f255ca865f30

SHA256
c535a5021114bb49d9e9730da9180d27384851a87fc584ba64775e42e9e1217e

SHA512
7e9f1e30c53ce76e02c00ef38827a5e5a42ee6af507a5b3437e4b652d84fcb05f1ab7c0ae6c9fe5869d94f6963d01f460db7c1da68c3f3febe7a0433de4d9f12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\fb266b5c-82a1-4852-b9e4-d10f6f98c98a.tmp

Filesize
11KB

MD5
b076c644a6e0a9b00d7a5224b1a5841d

SHA1
b094156626757fdcb5c4d2dedc7a55cfb3271ea6

SHA256
deb6773a0fadad587920fd9ef802fc6ef883536725764b2da4550f2d71c2bd80

SHA512
7bb3a90207562bdcd37456571751235198997e70272787d4516be0e152b44b6b0697fc228ff05aa216f6a70798099027b8539e559207b3b1a9cbee075f786920

Download Submit