Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

10

Ransomware...KB.msi

windows10-ltsc_2021-x64

Ransomware...KB.msi

windows7-x64

Ransomware...KB.msi

windows10-2004-x64

Ransomware...KB.msi

windows10-ltsc_2021-x64

Ransomware...KB.msi

windows11-21h2-x64

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows7-x64

10

Ransomware...KB.exe

windows10-2004-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows11-21h2-x64

5

Ransomware...KB.ps1

windows10-ltsc_2021-x64

Ransomware...KB.ps1

windows7-x64

Ransomware...KB.ps1

windows10-2004-x64

Ransomware...KB.ps1

windows10-ltsc_2021-x64

Ransomware...KB.ps1

windows11-21h2-x64

Resubmissions

25/03/2025, 15:11

250325-skmbpsxzaw 10

25/03/2025, 15:06

250325-sg1d6a1px2 10

25/03/2025, 15:01

250325-sd5jpsxyct 10

25/03/2025, 14:56

250325-sbdcfaxxgs 10

25/03/2025, 14:50

250325-r7ve6a1nv3 10

25/03/2025, 14:46

250325-r5ab7sxwhx 10

25/03/2025, 14:40

250325-r2c9paxwe1 10

05/02/2025, 10:25

250205-mgcefaslhw 10

05/02/2025, 10:17

250205-mbs51atmbk 10

05/02/2025, 09:15

250205-k785zs1pfn 10

Analysis

  • max time kernel
    102s
  • max time network
    105s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250313-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250313-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    25/03/2025, 15:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RansomwareSamples/RansomEXX_14_12_2020_156KB.exe

  • Size

    156KB

  • MD5

    fcd21c6fca3b9378961aa1865bee7ecb

  • SHA1

    0abaa05da2a05977e0baf68838cff1712f1789e0

  • SHA256

    4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

  • SHA512

    e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a

  • SSDEEP

    1536:7ZLTzASUIG0TOOYTufIaSWvRYkekdvizSBXxNe9VPw6s6aUCT7Q7qn:OBI9HYyfNBdviGBBQsrhPk4

Score
10/10
ransomexx_windefense_evasiondiscoveryevasionransomware

Malware Config

Signatures

  • Deletes NTFS Change Journal 2 TTPs 1 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    ransomware
  • RansomEXX Ransomware

    Targeted ransomware with variants which affect Windows and Linux systems.

    ransomwareransomexx_win
  • Ransomexx_win family
    ransomexx_win
  • Clears Windows event logs 1 TTPs 4 IoCs
    defense_evasionransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (180) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Disables use of System Restore points 1 TTPs
    defense_evasion
  • Overwrites deleted data with Cipher tool 1 TTPs

    Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe
    C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe bcdedit /set shutdown /r /f /t 2
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:C:
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4108
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:E:
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      PID:1884
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl System
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:4460
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
      2⤵
        PID:4556
      • C:\Windows\System32\wevtutil.exe
        "C:\Windows\System32\wevtutil.exe" cl Security
        2⤵
        • Clears Windows event logs
        • Suspicious use of AdjustPrivilegeToken
        PID:1756
      • C:\Windows\System32\wevtutil.exe
        "C:\Windows\System32\wevtutil.exe" cl Setup
        2⤵
        • Clears Windows event logs
        • Suspicious use of AdjustPrivilegeToken
        PID:1356
      • C:\Windows\System32\fsutil.exe
        "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
        2⤵
        • Deletes NTFS Change Journal
        PID:2864
      • C:\Windows\SysWOW64\cipher.exe
        "C:\Windows\System32\cipher.exe" /w:F:
        2⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        PID:872
      • C:\Windows\System32\wevtutil.exe
        "C:\Windows\System32\wevtutil.exe" sl Security /e:false
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:3824
      • C:\Windows\System32\wevtutil.exe
        "C:\Windows\System32\wevtutil.exe" cl Application
        2⤵
        • Clears Windows event logs
        • Suspicious use of AdjustPrivilegeToken
        PID:2928
      • C:\Windows\System32\wbadmin.exe
        "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
        2⤵
        • Deletes backup catalog
        PID:3028
      • C:\Windows\System32\bcdedit.exe
        "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        2⤵
        • Modifies boot configuration data using bcdedit
        PID:4932
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1984
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:2152
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:2400

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Desktop\!TXDOT_READ_ME!.txt
        Filesize

        1KB

        MD5

        4f8cc0ec3b5be13683db70ad25e526a1

        SHA1

        8b9259e90096d3db005dc62f6dfa98d6f3866b30

        SHA256

        4fadb9b629e3d1c290aef74c69e172abf9184d2bd5568ad4e3612370d6235563

        SHA512

        2fc2421a772597d7f424522f1f9d8a419d5f770915647b72cd974ac0140955bfc2d00da2df82be2ad55fb044873acd950364e6aa232f28794e5bf7d202ced703

        Download Submit