Analysis

  • max time kernel
    102s
  • max time network
    106s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    19/05/2025, 14:51

General

  • Target

    2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe

  • Size

    197KB

  • MD5

    b35a7c0c23349c34d7eaa11be87681b3

  • SHA1

    265a3a1b889a9f3f5bb53f9e5d1cbc7f48d24fe8

  • SHA256

    c032b020f742add231aa1b02c90240cc702d81ccd255c015284c1389ef1e7b6c

  • SHA512

    67a8c9eb39da8f24a48acee027706052d68b59cbad05e9028bafb70ba77a562c8ae1b72c375bcd03ea1846775c577bff005ed148ba8dd0963673c91144846dd2

  • SSDEEP

    3072:zQ7pevne/DLB5w20WLjF72xnEt44etrlV9Yl4cqnj:zQ7peve/DLB56gF72CW4etrlV9m4

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (66) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 18 IoCs
  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b35a7c0c23349c34d7eaa11be87681b3_elex_ngrbot_wannacry.exe"
    1⤵
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\APEXNOTE.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:4596
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      PID:3460
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\discord.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Local\discord.exe
      C:\Users\Admin\AppData\Local\discord.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\APEXNOTE.txt
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:2068
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3568
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1956
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "
        3⤵
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:6104
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:4964

Network

MITRE ATT&CK Enterprise v16

Downloads

          • C:\Users\Admin\AppData\Local\discord.exe

            Filesize

            197KB

            MD5

            b35a7c0c23349c34d7eaa11be87681b3

            SHA1

            265a3a1b889a9f3f5bb53f9e5d1cbc7f48d24fe8

            SHA256

            c032b020f742add231aa1b02c90240cc702d81ccd255c015284c1389ef1e7b6c

            SHA512

            67a8c9eb39da8f24a48acee027706052d68b59cbad05e9028bafb70ba77a562c8ae1b72c375bcd03ea1846775c577bff005ed148ba8dd0963673c91144846dd2

          • C:\Users\Admin\AppData\Roaming\ID

            Filesize

            40B

            MD5

            14e050f2de3af37d89acacd5952e448f

            SHA1

            d49aa9fe1054c9742734431fde1e4246277c4e78

            SHA256

            a80b39dc1f966c74bbaf7aa388b96345914cdfb29a6e8036445a05eb57223989

            SHA512

            66bc6469cb05ee3d1395e82a94f9573574d9646dc1c83a2ca61171cc6f0fcbb8ffc741ac8f7621dfdf63bca91ef7557c124a645e5bb2b3987a08d3888fd5a9e7

          • C:\Users\Admin\AppData\Roaming\fondo_antiguo.jpg

            Filesize

            24KB

            MD5

            25342190bcc364d32b9e9f9928b5a8a5

            SHA1

            3ae3bdabaed70dba1fd96c0be72e17aa91c7802a

            SHA256

            d626e482d44f5fc8eb1c9b2cd08070150ab99afe40cf6dc939015b01b09088f4

            SHA512

            c0f4f1831f289d4d60e9323e36689c2e0aaa9a7de3dbe4e65b2974d26d3f6f480a7160f5eff2ad458f8b0a7f36057bfba9c7a1b62769091b02640176bd2e53c3

          • C:\Users\Admin\AppData\Roaming\usb_maker.bat

            Filesize

            3KB

            MD5

            a3746bab405f8aeb6ab31685c0c22c46

            SHA1

            76e958a8452c71ec5e22b333f31716bee424a17d

            SHA256

            df54081b8fc400d35da1e013e99592dbe8d2b3dbee289d0d0b5136e9ef555126

            SHA512

            f541dc434d9d43e3ee2bba29d3c2113a80fbadf734d812b9c0d50ad9b62ca83b3cab8a56db964da9b4a9e031208cd2fd4f86ec8c6a7ff68d6c3e8f26369111c3

          • C:\Users\Admin\Pictures\Camera Roll\APEXNOTE.txt

            Filesize

            800B

            MD5

            bdba72b1177bdfc5dee1d9941fdcae45

            SHA1

            a7713959c8f0a6d8d7a6169665e87b009ac04b10

            SHA256

            dd1e78ae51782f025cad303019e331c493d20bc0f7f71c0c186a85be24ee13be

            SHA512

            3eca03cd090b483beb4e2009a535905ce6ac8100782f46dd681db1e2e25960cd854d303f2820225581b6e25a89925f0199fa022887a5c3c59f53297eb0884b5a

          • C:\Windows\System32\drivers\etc\hosts

            Filesize

            3KB

            MD5

            de941294418545204a4ec21837641098

            SHA1

            5b6c90046d37841e0096b1f85d021836f2b09639

            SHA256

            1d7320e6895f426fe4f7bf535b0a63e8308202a6d1a7b790498c45ad5fc58cea

            SHA512

            fcecb0fee780eda474576afb6fa799fadb5a82d1eb725f93bdcdc4bd7617361f254d03510cbb7f50b1f056e15dd51f56d4a5027e21b4d6289a5e283e0a6b0daf

          • memory/1692-4-0x0000000075060000-0x0000000075811000-memory.dmp

            Filesize

            7.7MB

          • memory/1692-5-0x00000000050F0000-0x00000000050FA000-memory.dmp

            Filesize

            40KB

          • memory/1692-0-0x000000007506E000-0x000000007506F000-memory.dmp

            Filesize

            4KB

          • memory/1692-3-0x0000000004C90000-0x0000000004D22000-memory.dmp

            Filesize

            584KB

          • memory/1692-2-0x0000000005160000-0x0000000005706000-memory.dmp

            Filesize

            5.6MB

          • memory/1692-1-0x00000000001B0000-0x00000000001E8000-memory.dmp

            Filesize

            224KB

          • memory/1692-300-0x0000000075060000-0x0000000075811000-memory.dmp

            Filesize

            7.7MB

          • memory/2112-18-0x0000000075060000-0x0000000075811000-memory.dmp

            Filesize

            7.7MB

          • memory/2112-13-0x0000000075060000-0x0000000075811000-memory.dmp

            Filesize

            7.7MB

          • memory/2112-301-0x0000000075060000-0x0000000075811000-memory.dmp

            Filesize

            7.7MB