Resubmissions

  • 25/03/2025, 15:11 250325-skmbpsxzaw 10
  • 25/03/2025, 15:06 250325-sg1d6a1px2 10
  • 25/03/2025, 15:01 250325-sd5jpsxyct 10
  • 25/03/2025, 14:56 250325-sbdcfaxxgs 10
  • 25/03/2025, 14:50 250325-r7ve6a1nv3 10
  • 25/03/2025, 14:46 250325-r5ab7sxwhx 10
  • 25/03/2025, 14:40 250325-r2c9paxwe1 10
  • 05/02/2025, 10:25 250205-mgcefaslhw 10
  • 05/02/2025, 10:17 250205-mbs51atmbk 10
  • 05/02/2025, 09:15 250205-k785zs1pfn 10

Analysis

  • max time kernel: 119s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 25/03/2025, 15:01

General

  • Target: RansomwareSamples/Ranzy_20_11_2020_138KB.exe
  • Size: 138KB
  • MD5: 954479f95ce67fcb855c5b882d68e74b
  • SHA1: 43ccf398999f70b613e1353cfb6845ee09b393ca
  • SHA256: c4f72b292750e9332b1f1b9761d5aefc07301bc15edf31adeaf2e608000ec1c9
  • SHA512: 515e675401ec67d2d06f06264cb33808ad7d214a0609492ddf73f40a3b829358d75f79fff04b29c6953fc3f450c0d55207d5a6fd3b571f60ae05e25327c41a5f
  • SSDEEP: 3072:WNnBEPCZ788hExMfHg/50iIETyyCDRk8gE9QIluYEh0VZvcWrMFh:WPEa586nHg/50/ET3CoE7uYEau

Malware Config

Extracted

Path: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\readme.txt

Ransom Note

---=== Ranzy Locker 1.1 ===---
Attention! Your network has been locked.
Your computers and server are locked now.
All encrypted files have extension: .ranzy

---- How to restore my files? ----
All files on each host in your network encrypted with strongest encryption algorithms
Backups are deleted or formatted, do not worry, we can help you restore your files
Files can be decrypted only with private key - this key stored on our servers
You have only one way for return your files back - contact us and receive universal decryption program
Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee

---- Contact us ----
You have two way to contact us:
1. Open our recovery-website (can be open in any browser): https://ranzylock.hk/N6CFBPYX
2. In case of link doesnt work open our mirror recovery-website via TOR Browser:
Download TOR Browser here: https://www.torproject.org/download/
Open TOR mirror website: http://a6a5b4ppnkrio3nikyutfexbc6y5dc6kfhj3jr32kdwbryr2lempkuyd.onion/N6CFBPYX

---- Data Leak Attention ----
!!! All your sensitive data was downloaded to our servers !!!
We are ready to publish this data in our blog with your Company Name, if you will not contact with us by email
!!! Only we can delete your files from our servers !!!
!!! Only we can restore all your files without any LOSS

---- Recovery information ----
key: eyJleHQiOiIucmFuenkiLCJuZXR3b3JrIjoidHJ1ZSIsInN1YmlkIjoiMTQzNzUiLCJsYW5nIjoiZW4tVVMAIn0=
personal id: 10EKVPIH

URLs

  • https://ranzylock.hk/N6CFBPYX
  • http://a6a5b4ppnkrio3nikyutfexbc6y5dc6kfhj3jr32kdwbryr2lempkuyd.onion/N6CFBPYX

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (289) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 5 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Ranzy_20_11_2020_138KB.exe
    C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Ranzy_20_11_2020_138KB.exe bcdedit /set shutdown /r /f /t 2
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2088
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2956
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3012
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2732
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2844
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2544
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2668
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2932
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2928

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\readme.txt
    • Filesize: 1KB
    • MD5: c7fc80698e21bc8b4e9c8032747f1726
    • SHA1: 881abef3e60039be98b54ad0a22df910d42a085d
    • SHA256: 35794acc1c48f49508d07ea68fc4d500d95905a73ba20c74e24e7fa654179dc3
    • SHA512: 805ea229aaebe646ad02f44d42dd816d6d01cf76b34f118762e29b2970e7d1dfa4138d475abfcf15593d864eb59f882a0dd4c077d86b26cf403598e0a06d1350