Analysis
- max time kernel: 102s
- max time network: 106s
- platform: windows11-21h2_x64
- resource: win11-20250502-en
- resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 19/05/2025, 14:51
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
  Resource: win11-20250502-en
General
- Target: 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
- Size: 197KB
- MD5: b35a7c0c23349c34d7eaa11be87681b3
- SHA1: 265a3a1b889a9f3f5bb53f9e5d1cbc7f48d24fe8
- SHA256: c032b020f742add231aa1b02c90240cc702d81ccd255c015284c1389ef1e7b6c
- SHA512: 67a8c9eb39da8f24a48acee027706052d68b59cbad05e9028bafb70ba77a562c8ae1b72c375bcd03ea1846775c577bff005ed148ba8dd0963673c91144846dd2
- SSDEEP: 3072:zQ7pevne/DLB5w20WLjF72xnEt44etrlV9Yl4cqnj:zQ7peve/DLB56gF72CW4etrlV9m4
Malware Config
Signatures
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (66) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Drivers directory (2 IoCs)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts (discord.exe)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts (2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe)
- Executes dropped EXE (1 IoC)
  PID 2112: discord.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe" (2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe" (discord.exe)
- Drops desktop.ini file(s) (18 IoCs)
  File created in each of the following folders, once by 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe and once by discord.exe (9 folders, 2 processes):
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\Ñ:\APEXGO.exe.exe (cmd.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\imageUPJZGTwowpsC=msANo=OEVvYUjoFTu.jpg" (2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes:
  2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe (1 entry)
  discord.exe (1 entry)
  NOTEPAD.EXE (2 entries)
  cmd.exe (4 entries)
  WMIC.exe (2 entries)
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000_Classes\Local Settings (2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe)
  Key created: \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000_Classes\Local Settings (discord.exe)
- NTFS ADS (1 IoC)
  File created: C:\Users\Admin\AppData\Local\Temp\Ñ:\APEXGO.exe.exe (cmd.exe)
- Opens file in notepad (likely ransom note) (2 IoCs)
  PID 2068: NOTEPAD.EXE
  PID 4596: NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2112: discord.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 1692 (2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe): Token SeDebugPrivilege
  PID 2112 (discord.exe): Token SeDebugPrivilege
  PID 1956 (WMIC.exe): Tokens SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 5972 (WMIC.exe): Tokens SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence is recorded twice for PID 5972; the second pass ends at Token 35)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2112: discord.exe
  PID 1692: 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  PID 2112: discord.exe
  PID 1692: 2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
- Suspicious use of WriteProcessMemory (27 IoCs; each relation below is recorded 3 times)
  PID 2384 (cmd.exe) wrote to memory of PID 2112, procid_target 81
  PID 1692 (2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe) wrote to memory of PID 4596, procid_target 84
  PID 2112 (discord.exe) wrote to memory of PID 2068, procid_target 83
  PID 2112 (discord.exe) wrote to memory of PID 3568, procid_target 85
  PID 1692 (2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe) wrote to memory of PID 112, procid_target 87
  PID 2112 (discord.exe) wrote to memory of PID 6104, procid_target 89
  PID 1692 (2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe) wrote to memory of PID 3460, procid_target 90
  PID 3568 (cmd.exe) wrote to memory of PID 1956, procid_target 93
  PID 112 (cmd.exe) wrote to memory of PID 5972, procid_target 94
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows the parent/child depth of the process tree)
C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe"
  PID: 1692
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\APEXNOTE.txt
      PID: 4596
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      PID: 112
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          PID: 5972
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "
      PID: 3460
      - System Location Discovery: System Language Discovery
      - NTFS ADS
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\discord.exe
  PID: 2384
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\discord.exe
      Command line: C:\Users\Admin\AppData\Local\discord.exe
      PID: 2112
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\APEXNOTE.txt
          PID: 2068
          - System Location Discovery: System Language Discovery
          - Opens file in notepad (likely ransom note)
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          PID: 3568
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic shadowcopy delete
              PID: 1956
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "
          PID: 6104
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4964
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 197KB
  MD5: b35a7c0c23349c34d7eaa11be87681b3
  SHA1: 265a3a1b889a9f3f5bb53f9e5d1cbc7f48d24fe8
  SHA256: c032b020f742add231aa1b02c90240cc702d81ccd255c015284c1389ef1e7b6c
  SHA512: 67a8c9eb39da8f24a48acee027706052d68b59cbad05e9028bafb70ba77a562c8ae1b72c375bcd03ea1846775c577bff005ed148ba8dd0963673c91144846dd2
- Filesize: 40B
  MD5: 14e050f2de3af37d89acacd5952e448f
  SHA1: d49aa9fe1054c9742734431fde1e4246277c4e78
  SHA256: a80b39dc1f966c74bbaf7aa388b96345914cdfb29a6e8036445a05eb57223989
  SHA512: 66bc6469cb05ee3d1395e82a94f9573574d9646dc1c83a2ca61171cc6f0fcbb8ffc741ac8f7621dfdf63bca91ef7557c124a645e5bb2b3987a08d3888fd5a9e7
- Filesize: 24KB
  MD5: 25342190bcc364d32b9e9f9928b5a8a5
  SHA1: 3ae3bdabaed70dba1fd96c0be72e17aa91c7802a
  SHA256: d626e482d44f5fc8eb1c9b2cd08070150ab99afe40cf6dc939015b01b09088f4
  SHA512: c0f4f1831f289d4d60e9323e36689c2e0aaa9a7de3dbe4e65b2974d26d3f6f480a7160f5eff2ad458f8b0a7f36057bfba9c7a1b62769091b02640176bd2e53c3
- Filesize: 3KB
  MD5: a3746bab405f8aeb6ab31685c0c22c46
  SHA1: 76e958a8452c71ec5e22b333f31716bee424a17d
  SHA256: df54081b8fc400d35da1e013e99592dbe8d2b3dbee289d0d0b5136e9ef555126
  SHA512: f541dc434d9d43e3ee2bba29d3c2113a80fbadf734d812b9c0d50ad9b62ca83b3cab8a56db964da9b4a9e031208cd2fd4f86ec8c6a7ff68d6c3e8f26369111c3
- Filesize: 800B
  MD5: bdba72b1177bdfc5dee1d9941fdcae45
  SHA1: a7713959c8f0a6d8d7a6169665e87b009ac04b10
  SHA256: dd1e78ae51782f025cad303019e331c493d20bc0f7f71c0c186a85be24ee13be
  SHA512: 3eca03cd090b483beb4e2009a535905ce6ac8100782f46dd681db1e2e25960cd854d303f2820225581b6e25a89925f0199fa022887a5c3c59f53297eb0884b5a
- Filesize: 3KB
  MD5: de941294418545204a4ec21837641098
  SHA1: 5b6c90046d37841e0096b1f85d021836f2b09639
  SHA256: 1d7320e6895f426fe4f7bf535b0a63e8308202a6d1a7b790498c45ad5fc58cea
  SHA512: fcecb0fee780eda474576afb6fa799fadb5a82d1eb725f93bdcdc4bd7617361f254d03510cbb7f50b1f056e15dd51f56d4a5027e21b4d6289a5e283e0a6b0daf