General

  • Target: d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6.xlsx
  • Size: 1.1MB
  • Sample: 241107-dt5gbatkhz
  • MD5: 9b8d94907c2db1b8ae9ebf84b2099c16
  • SHA1: d543e02897263288f2b2a65d7070757d99fed8ff
  • SHA256: d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6
  • SHA512: cc8d24cee7a41c7cc2ddab9cd5d7ae6b245dcd90fee8b5de1d4001dae83e7c43d3cbd474bc1c4f89fa9ec903d26de680630d8b064328f07b3a04cf827182a972
  • SSDEEP: 24576:1yaZxvseowaDI9eqvBw2LyifZSScF1LelExbgwCcH0p1O4uGqdzkxTm:1T0DIRvBwCv0xF1L3MwCA4uIx

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated: (empty in report)
  • URLs:
    ◦ ps1.dropper: https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
    ◦ exe.dropper: https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Targets

  • Target: d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6.xlsx (size and hashes as listed under General)

    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell with the display window hidden.
    • Evasion via Device Credential Deployment
    • Legitimate hosting services abused for malware hosting/C2
    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks