Analysis

  • max time kernel
    30s
  • max time network
    44s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/03/2024, 19:58 UTC

General

  • Target

    OetK6pK9.exe

  • Size

    13KB

  • MD5

    77a9708c23a8cafb5b6fcc28bc13cdc4

  • SHA1

    37f89a24141f0834c9a2e8b284df5ee2ebae3108

  • SHA256

    198fd65a08bbc00c1e4c18f0a31814c851a68db68b93c6002f9ffc6fb57688d4

  • SHA512

    c06412b953e1083cbcf8657befa78bfb3a9c0bb88cea5b65b40beb76782f9cfd8e8b78feb0d7a87192e59e432a5e1a2473e1503aa9f915d6b1f8f56ae8704949

  • SSDEEP

    384:aPo++TQO/PP5D0T6LUZyjdfJptYcFwVc03KP:KwD0T6L8yVjtYcFwVc6KP

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OetK6pK9.exe
    "C:\Users\Admin\AppData\Local\Temp\OetK6pK9.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4488
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1724
      2⤵
      • Program crash
      PID:4592
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4488 -ip 4488
    1⤵
      PID:912

    Network

    • DNS
      4.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      4.159.190.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      29.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.179.17.96.in-addr.arpa
      IN PTR
      Response
      29.179.17.96.in-addr.arpa
      IN PTR
      a96-17-179-29.deploy.static.akamaitechnologies.com
    • DNS
      29.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.179.17.96.in-addr.arpa
      IN PTR
    • DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
    • DNS
      26.35.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.35.223.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
      Response
    • DNS
      26.165.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.165.165.52.in-addr.arpa
      IN PTR
      Response
    • DNS
      41.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.110.16.96.in-addr.arpa
      IN PTR
      Response
      41.110.16.96.in-addr.arpa
      IN PTR
      a96-16-110-41.deploy.static.akamaitechnologies.com
    • DNS
      149.220.183.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.220.183.52.in-addr.arpa
      IN PTR
      Response
    • DNS
      cdn.discordapp.com
      OetK6pK9.exe
      Remote address:
      8.8.8.8:53
      Request
      cdn.discordapp.com
      IN A
      Response
      cdn.discordapp.com
      IN A
      162.159.134.233
      cdn.discordapp.com
      IN A
      162.159.129.233
      cdn.discordapp.com
      IN A
      162.159.135.233
      cdn.discordapp.com
      IN A
      162.159.130.233
      cdn.discordapp.com
      IN A
      162.159.133.233
    • GET
      https://cdn.discordapp.com/attachments/1179196067288465470/1210814641190604800/Serials_Checker_-_Copy.bat?ex=65ebee02&is=65d97902&hm=776ce04c8fecbce18fe03531026244deae5e388736074cd6c2f3f92c111cf73c&
      OetK6pK9.exe
      Remote address:
      162.159.134.233:443
      Request
      GET /attachments/1179196067288465470/1210814641190604800/Serials_Checker_-_Copy.bat?ex=65ebee02&is=65d97902&hm=776ce04c8fecbce18fe03531026244deae5e388736074cd6c2f3f92c111cf73c& HTTP/1.1
      Host: cdn.discordapp.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      Date: Wed, 13 Mar 2024 19:59:00 GMT
      Content-Type: text/plain;charset=UTF-8
      Content-Length: 36
      Connection: keep-alive
      X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
      Set-Cookie: __cf_bm=zXWYPlqtaMDR2Bg48I.2SeHmVSkoru.46xUDs._pNVw-1710359940-1.0.1.1-uUzl_brqf3IKEQwZJWjSc8Atid0wT9424f8qv.t_L2hApCAhZleoeIdGWh2HCzChdH1eshzuIz2x7yU2Vw6Mrw; path=/; expires=Wed, 13-Mar-24 20:29:00 GMT; domain=.discordapp.com; HttpOnly; Secure
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=R7C5F7JK3u3P2Vg9tdNyVK6I7132EU46gV8QSl1KcvebRkvJ%2BvtIDbSxAuCDEoZbUWrPGoZ%2FQrEdPcQiB8vmoRCI0lnR4AoQHTfH7fF0xH4VgjKRqT1bABpHLDBm%2BKgj3iIJ5Q%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Set-Cookie: _cfuvid=y2LPyzDvahctkzerY2lppuq9hC1pt2jj8gWt6q.RGwE-1710359940660-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
      Server: cloudflare
      CF-RAY: 863e9a1d090b23be-LHR
      alt-svc: h3=":443"; ma=86400
    • DNS
      233.134.159.162.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      233.134.159.162.in-addr.arpa
      IN PTR
      Response
    • 162.159.134.233:443
      https://cdn.discordapp.com/attachments/1179196067288465470/1210814641190604800/Serials_Checker_-_Copy.bat?ex=65ebee02&is=65d97902&hm=776ce04c8fecbce18fe03531026244deae5e388736074cd6c2f3f92c111cf73c&
      tls, http
      OetK6pK9.exe
      897 B
      4.1kB
      8
      6

      HTTP Request

      GET https://cdn.discordapp.com/attachments/1179196067288465470/1210814641190604800/Serials_Checker_-_Copy.bat?ex=65ebee02&is=65d97902&hm=776ce04c8fecbce18fe03531026244deae5e388736074cd6c2f3f92c111cf73c&

      HTTP Response

      404
    • 8.8.8.8:53
      4.159.190.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      4.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      29.179.17.96.in-addr.arpa
      dns
      142 B
      135 B
      2
      1

      DNS Request

      29.179.17.96.in-addr.arpa

      DNS Request

      29.179.17.96.in-addr.arpa

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      144 B
      158 B
      2
      1

      DNS Request

      241.150.49.20.in-addr.arpa

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      26.35.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      26.35.223.20.in-addr.arpa

    • 8.8.8.8:53
      241.154.82.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.154.82.20.in-addr.arpa

    • 8.8.8.8:53
      26.165.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      26.165.165.52.in-addr.arpa

    • 8.8.8.8:53
      41.110.16.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      41.110.16.96.in-addr.arpa

    • 8.8.8.8:53
      149.220.183.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      149.220.183.52.in-addr.arpa

    • 8.8.8.8:53
      cdn.discordapp.com
      dns
      OetK6pK9.exe
      64 B
      144 B
      1
      1

      DNS Request

      cdn.discordapp.com

      DNS Response

      162.159.134.233
      162.159.129.233
      162.159.135.233
      162.159.130.233
      162.159.133.233

    • 8.8.8.8:53
      233.134.159.162.in-addr.arpa
      dns
      74 B
      136 B
      1
      1

      DNS Request

      233.134.159.162.in-addr.arpa

    MITRE ATT&CK Matrix

    Downloads

    • memory/4488-0-0x00000000749F0000-0x00000000751A0000-memory.dmp

      Filesize

      7.7MB

    • memory/4488-1-0x00000000008B0000-0x00000000008B8000-memory.dmp

      Filesize

      32KB

    • memory/4488-2-0x0000000005310000-0x0000000005320000-memory.dmp

      Filesize

      64KB

    • memory/4488-3-0x00000000749F0000-0x00000000751A0000-memory.dmp

      Filesize

      7.7MB

    • memory/4488-4-0x0000000005310000-0x0000000005320000-memory.dmp

      Filesize

      64KB
