File name:	2025-05-16_50bc82c8a4636acf5c8be0db5f5637c7_elex_wormlocker
Full analysis:	https://app.any.run/tasks/31921610-11d1-4302-9475-287ce7502c51
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	May 16, 2025, 01:19:36
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	wormlocker ransomware ransomware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	50BC82C8A4636ACF5C8BE0DB5F5637C7
SHA1:	7F275487361FED11C44DC8D5B7A32862DD4EA2AC
SHA256:	AE0D040F2A267FC8854229491E3F1719A19632B8F71C3A082AC843DFF7CDB475
SSDEEP:	6144:Hz6/yYJuqUvWDIpZvkd/VgCsx1AyL1P/cJE0NcT5q1bDCjzDGVBAq:HrYU/WMQn61AucxcTQE3DcB9

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2102:02:10 12:34:09+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	182784
InitializedDataSize:	139776
UninitializedDataSize:	-
EntryPoint:	0x2e94e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	SysWOW64
FileVersion:	1.0.0.0
InternalName:	Automatic_converter_rff_to_mp4.exe
LegalCopyright:	Copyright © 2020
LegalTrademarks:	-
OriginalFileName:	Automatic_converter_rff_to_mp4.exe
ProductName:	SysWOW64
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(7448) 2025-05-16_50bc82c8a4636acf5c8be0db5f5637c7_elex_wormlocker.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	DisableTaskMgr
Value: 1
(PID) Process:	(7664) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
Operation:	write	Name:	EnableBDEWithNoTPM
Value: 1
(PID) Process:	(7748) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
Operation:	write	Name:	UseAdvancedStartup
Value: 1
(PID) Process:	(1760) ReAgentc.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(1760) ReAgentc.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:	(1760) ReAgentc.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(1760) ReAgentc.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	write	Name:	Element
Value: \EFI\Microsoft\Boot\bootmgfw.efi
(PID) Process:	(1760) ReAgentc.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(1760) ReAgentc.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:	(1760) ReAgentc.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:	delete key	Name:	(default)
Value:

PID	Process	Filename		Type
1760	ReAgentc.exe	C:\Windows\System32\Recovery\Winre.wim		—
		MD5:—	SHA256:—
1760	ReAgentc.exe	C:\Windows\System32\Recovery\ReAgent.xml		xml
		MD5:44B2DA39CEB2C183D5DCD43AA128C2DD	SHA256:894EE2B19608D10DF4BF8B8F5BBCF40CE38C09C1F4C5543B6164F40C04BB270D
7448	2025-05-16_50bc82c8a4636acf5c8be0db5f5637c7_elex_wormlocker.exe	C:\Windows\System32\ransom_voice.vbs		text
		MD5:C1F9613622F740C2F00C2FA8881BA7BA	SHA256:D200A1E942B8CFDCD8190D1AD59F92E27E39B919BA230F2DD88D70C3DF428C7B
1760	ReAgentc.exe	\\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\EFI\Microsoft\Recovery\BCD		binary
		MD5:BEEA6D963D20E5A5B8BDCDCE8B98BC78	SHA256:C288F8D4846C1666D4E2F5DF35DEB2CF382A7852D6ACE7083A8E0F06A9EC6F19
1760	ReAgentc.exe	C:\Windows\Logs\ReAgent\ReAgent.log		text
		MD5:1E65E072B8F046AB152B453E79E0B14D	SHA256:0BCAEA8485998B2BE306A10F3BC144DE53ABC0EC6081F85D3F3B6D798E5BCB97
1760	ReAgentc.exe	C:\Windows\Panther\UnattendGC\diagwrn.xml		text
		MD5:E7D61F31E13255B53337512E2D6EDF08	SHA256:F5FD217C66A78E469FC33EE079506702CA14280B58FEFABFDEEE310F25E314FE
7448	2025-05-16_50bc82c8a4636acf5c8be0db5f5637c7_elex_wormlocker.exe	C:\Windows\System32\LogonUIinf.exe		executable
		MD5:85B6BF08B5DD9FAF150F5EDE3EEF2583	SHA256:438C8B162A21E48CB3477FB06654270FEA878B1435B095FCED47FD5139096729
7448	2025-05-16_50bc82c8a4636acf5c8be0db5f5637c7_elex_wormlocker.exe	C:\Users\admin\Desktop\subjectsquick.jpg.encrypted		binary
		MD5:BDB08FD494820ACD4D423376CCD84744	SHA256:0AB67552184921126360B42998453B1EEDCAE22DCF192402F959F49830AF16E5
7448	2025-05-16_50bc82c8a4636acf5c8be0db5f5637c7_elex_wormlocker.exe	C:\Users\admin\Desktop\devicegame.rtf.encrypted		text
		MD5:28F3C9D06EFA5140E387685AAE149BAB	SHA256:DFF97C3B23755FAF90957716802BEADB1ECBEA81FD020B1644A293654A706492
7448	2025-05-16_50bc82c8a4636acf5c8be0db5f5637c7_elex_wormlocker.exe	C:\Users\admin\Desktop\individualscum.jpg.encrypted		binary
		MD5:76450E6A0F3E675042F0B4F765C22CC0	SHA256:0EB14BD820F944658FD4F3E01A0BF83086F58CAFDE0392B75E11279894269A6C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6404	RUXIMICS.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
6404	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6404	RUXIMICS.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7212	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
google.com	142.250.185.206	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

General Info

2025-05-16_50bc82c8a4636acf5c8be0db5f5637c7_elex_wormlocker

50BC82C8A4636ACF5C8BE0DB5F5637C7

7F275487361FED11C44DC8D5B7A32862DD4EA2AC

AE0D040F2A267FC8854229491E3F1719A19632B8F71C3A082AC843DFF7CDB475

6144:Hz6/yYJuqUvWDIpZvkd/VgCsx1AyL1P/cJE0NcT5q1bDCjzDGVBAq:HrYU/WMQn61AucxcTQE3DcB9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Disables task manager

WORMLOCKER has been detected (YARA)

Starts REAGENTC.EXE to disable the Windows Recovery Environment

Deletes shadow copies

Renames files like ransomware

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Takes ownership (TAKEOWN.EXE)

Uses ICACLS.EXE to modify access control lists

Uses REG/REGEDIT.EXE to modify registry

Creates file in the systems drive root

The process checks if it is being run in the virtual environment

Executable content was dropped or overwritten

Executes as Windows Service

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Process checks computer location settings

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings