Analysis

  • max time kernel
    117s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/03/2025, 15:01

General

  • Target
    RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
  • Size
    156KB
  • MD5
    fcd21c6fca3b9378961aa1865bee7ecb
  • SHA1
    0abaa05da2a05977e0baf68838cff1712f1789e0
  • SHA256
    4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
  • SHA512
    e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a
  • SSDEEP
    1536:7ZLTzASUIG0TOOYTufIaSWvRYkekdvizSBXxNe9VPw6s6aUCT7Q7qn:OBI9HYyfNBdviGBBQsrhPk4

Signatures

  • Deletes NTFS Change Journal 2 TTPs 1 IoCs

    The USN change journal is a persistent log of all changes made to local files; it is used by Windows Server systems.

  • RansomEXX Ransomware

    Targeted ransomware with variants which affect Windows and Linux systems.

  • Ransomexx_win family
  • Clears Windows event logs 1 TTPs 4 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (278) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables use of System Restore points 1 TTPs
  • Overwrites deleted data with Cipher tool 1 TTPs

    Cipher is a Windows tool which can be used to securely wipe deallocated HDD space, preventing recovery of deleted data.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe
    C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe bcdedit /set shutdown /r /f /t 2
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:D:
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      PID:1184
    • C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
      • Deletes backup catalog
      PID:1996
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      • Modifies boot configuration data using bcdedit
      PID:2632
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      • Modifies boot configuration data using bcdedit
      PID:1956
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
      PID:2388
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:F:
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      PID:1972
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:C:
      • System Location Discovery: System Language Discovery
      PID:2296
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Application
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:1560
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl System
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:684
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" sl Security /e:false
      • Suspicious use of AdjustPrivilegeToken
      PID:2312
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Security
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:2124
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Setup
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:2428
    • C:\Windows\System32\fsutil.exe
      "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
      • Deletes NTFS Change Journal
      PID:3052
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:2804
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    PID:1224
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    PID:1952

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt
    Filesize
    1KB
    MD5
    4f8cc0ec3b5be13683db70ad25e526a1
    SHA1
    8b9259e90096d3db005dc62f6dfa98d6f3866b30
    SHA256
    4fadb9b629e3d1c290aef74c69e172abf9184d2bd5568ad4e3612370d6235563
    SHA512
    2fc2421a772597d7f424522f1f9d8a419d5f770915647b72cd974ac0140955bfc2d00da2df82be2ad55fb044873acd950364e6aa232f28794e5bf7d202ced703

  • C:\Users\Admin\Desktop\ShowUnblock.xlsx
    Filesize
    14KB
    MD5
    d5107cdda58fb9af648d176be350cdb0
    SHA1
    a984c028bb6ffb159f292d91ab7c304354c3225f
    SHA256
    15ca3016b16d03b2dba0f4be6e2a9e534a194fedc41b02ada3d1ad746345bc49
    SHA512
    facb9ad4b9e5690098822d1742ddcb00fd3e57b0772889b1ada5e788bd1c305bf447607d0140f2261443f2bef3de56f5158dca8500fe595b80ccd38dabdf4c30