Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Order Details89654.doc

  • Size

    256KB

  • Sample

    230130-p4mj2aca91

  • MD5

    fddce2b3c97faecb1feb8fea47edf53e

  • SHA1

    c5fdcd9c686970724faee24edab87663a16e92eb

  • SHA256

    39e6d2cfe42c41a7d571ed30431236b6383b064e1ff0b72757457e9cc4ae46c1

  • SHA512

    d0dec423bd97ba1e435961e9bb3c8382481b7174e0272785e1b2e04e969d8ba6cacd1a93be2a72d57c325ce2b28c19725ebb86c1b1779ea544eb50ec38acbf27

  • SSDEEP

    1536:iXRiI4pd4t55vRvHv6ImzHNIS5rFwOH3GTlXa3wVbUxZVzFz76mAg5eeVhMDw5ww:i4U5UOzypVzFtr5RDAw5wfY

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://rgkkzna.com/okc.exe

Targets

    • Target

      Order Details89654.doc

    • Size

      256KB

    • MD5

      fddce2b3c97faecb1feb8fea47edf53e

    • SHA1

      c5fdcd9c686970724faee24edab87663a16e92eb

    • SHA256

      39e6d2cfe42c41a7d571ed30431236b6383b064e1ff0b72757457e9cc4ae46c1

    • SHA512

      d0dec423bd97ba1e435961e9bb3c8382481b7174e0272785e1b2e04e969d8ba6cacd1a93be2a72d57c325ce2b28c19725ebb86c1b1779ea544eb50ec38acbf27

    • SSDEEP

      1536:iXRiI4pd4t55vRvHv6ImzHNIS5rFwOH3GTlXa3wVbUxZVzFz76mAg5eeVhMDw5ww:i4U5UOzypVzFtr5RDAw5wfY

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks