Analysis
max time kernel: 30s
max time network: 44s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/03/2024, 19:58 UTC
Static task
static1: 1 signatures

Behavioral task
behavioral1: Sample OetK6pK9.exe, Resource win7-20240221-en, 0 signatures, 150 seconds

Behavioral task
behavioral2: Sample OetK6pK9.exe, Resource win10v2004-20240226-en, 2 signatures, 150 seconds

The Analysis, Signatures, Processes and Network sections below are the behavioral2 (win10v2004) run; the win7 run recorded no signatures.
General
Target: OetK6pK9.exe
Size: 13KB
MD5: 77a9708c23a8cafb5b6fcc28bc13cdc4
SHA1: 37f89a24141f0834c9a2e8b284df5ee2ebae3108
SHA256: 198fd65a08bbc00c1e4c18f0a31814c851a68db68b93c6002f9ffc6fb57688d4
SHA512: c06412b953e1083cbcf8657befa78bfb3a9c0bb88cea5b65b40beb76782f9cfd8e8b78feb0d7a87192e59e432a5e1a2473e1503aa9f915d6b1f8f56ae8704949
SSDEEP: 384:aPo++TQO/PP5D0T6LUZyjdfJptYcFwVc03KP:KwD0T6L8yVjtYcFwVc6KP
Score: 3/10
Malware Config
(none extracted)

Signatures

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4592 | 4488 | WerFault.exe | 87

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4488 | OetK6pK9.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\OetK6pK9.exe
   "C:\Users\Admin\AppData\Local\Temp\OetK6pK9.exe"
   PID 4488 (Suspicious use of AdjustPrivilegeToken)
   2. C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1724
      PID 4592 (Program crash)
1. C:\Windows\SysWOW64\WerFault.exe
   C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4488 -ip 4488
   PID 912

Both WerFault.exe instances name PID 4488 as the faulting process (-p 4488), so the sample itself crashed during the run after enabling SeDebugPrivilege. WerFault runs from SysWOW64 because the crashing process is a 32-bit image. No child process other than the crash reporter was spawned.
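The crash pattern above is what a loader looks like when its second stage never arrives. The following is an added example, not part of the tria.ge report, that runs the same correlation a detection rule would over process events: it ties each WerFault.exe instance back to the PID named by its -p switch, records whether the reporter ran from SysWOW64 (faulting process is 32-bit), and flags faulting images that live in user-writable paths. The event tuples are constructed from the process tree above; the set of user-writable directories is my assumption.

```python
import re

# Constructed from the process tree in the report above: (pid, image, command line).
# The second WerFault instance is a top-level node in the report, so no parent is recorded.
EVENTS = [
    (4488, r"C:\Users\Admin\AppData\Local\Temp\OetK6pK9.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\OetK6pK9.exe"'),
    (4592, r"C:\Windows\SysWOW64\WerFault.exe",
           r"C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1724"),
    (912,  r"C:\Windows\SysWOW64\WerFault.exe",
           r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4488 -ip 4488"),
]

# Assumption: directories a standard user can write to. A crashing executable
# living here deserves a closer look than one under C:\Windows or Program Files.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(AppData\\(Local|Roaming)|Downloads|Desktop)\\", re.I)
WERFAULT = re.compile(r"\\WerFault\.exe$", re.I)


def werfault_target(image: str, cmdline: str):
    """PID named by WerFault's -p switch (the faulting process), or None for anything else."""
    if not WERFAULT.search(image):
        return None
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else None


def crash_reports(events):
    """Map each faulting PID to its image and the WerFault PIDs that reported on it."""
    image_by_pid = {pid: image for pid, image, _ in events}
    reports = {}
    for pid, image, cmdline in events:
        target = werfault_target(image, cmdline)
        if target is None:
            continue
        entry = reports.setdefault(
            target, {"image": image_by_pid.get(target), "reporters": [], "wow64": False})
        entry["reporters"].append(pid)
        # Windows starts WerFault from SysWOW64 when the faulting process is 32-bit.
        entry["wow64"] |= "\\syswow64\\" in image.lower()
    return reports


def flag_crashing_loaders(events):
    """Faulting processes whose image sits in a user-writable directory."""
    return {pid: r for pid, r in crash_reports(events).items()
            if r["image"] and USER_WRITABLE.search(r["image"])}


if __name__ == "__main__":
    for pid, r in flag_crashing_loaders(EVENTS).items():
        print(f"PID {pid} ({r['image']}) crashed; reported by WerFault PIDs "
              f"{r['reporters']}; 32-bit: {r['wow64']}")
```

On the events above this yields a single hit, PID 4488, reported by both WerFault PIDs 4592 and 912 and marked 32-bit. On a real endpoint the same logic runs over Sysmon event ID 1 or the equivalent EDR process-creation feed.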
Network

DNS (8.8.8.8:53)
PTR 4.159.190.20.in-addr.arpa: response, no answer
PTR 29.179.17.96.in-addr.arpa: a96-17-179-29.deploy.static.akamaitechnologies.com
PTR 29.179.17.96.in-addr.arpa: no response
PTR 97.17.167.52.in-addr.arpa: response, no answer
PTR 241.150.49.20.in-addr.arpa: response, no answer
PTR 241.150.49.20.in-addr.arpa: no response
PTR 26.35.223.20.in-addr.arpa: response, no answer
PTR 241.154.82.20.in-addr.arpa: response, no answer
PTR 26.165.165.52.in-addr.arpa: response, no answer
PTR 41.110.16.96.in-addr.arpa: a96-16-110-41.deploy.static.akamaitechnologies.com
PTR 149.220.183.52.in-addr.arpa: response, no answer
A cdn.discordapp.com: 162.159.134.233, 162.159.129.233, 162.159.135.233, 162.159.130.233, 162.159.133.233

The PTR lookups target Microsoft (20/8, 52/8) and Akamai address space and are not attributed to any process; they are the Windows guest's own background traffic. The only traffic attributed to the sample is the cdn.discordapp.com lookup and the HTTPS request that follows.
HTTP (OetK6pK9.exe to 162.159.134.233:443, TLS)
GET https://cdn.discordapp.com/attachments/1179196067288465470/1210814641190604800/Serials_Checker_-_Copy.bat?ex=65ebee02&is=65d97902&hm=776ce04c8fecbce18fe03531026244deae5e388736074cd6c2f3f92c111cf73c&

Request:
GET /attachments/1179196067288465470/1210814641190604800/Serials_Checker_-_Copy.bat?ex=65ebee02&is=65d97902&hm=776ce04c8fecbce18fe03531026244deae5e388736074cd6c2f3f92c111cf73c& HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive

The sample pulls a batch file (Serials_Checker_-_Copy.bat) from Discord's attachment CDN, a common free hosting choice for second stages. The URL is a signed, expiring Discord attachment link: is and ex are hex Unix timestamps (issued 2024-02-24 05:05:06 UTC, expires 2024-03-09 05:05:06 UTC, a 14-day window) and hm is the signature. The submission on 2024-03-13 post-dates ex, so the 404 below is consistent with the link having expired (or the attachment having been removed) rather than with the CDN being unreachable. The second stage was therefore never observed in this run; the 3/10 score reflects what executed, not what the sample was built to do, and the crash in the process tree follows the failed download.

Response:
HTTP/1.1 404 Not Found
Content-Type: text/plain;charset=UTF-8
Content-Length: 36
Connection: keep-alive
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=zXWYPlqtaMDR2Bg48I.2SeHmVSkoru.46xUDs._pNVw-1710359940-1.0.1.1-uUzl_brqf3IKEQwZJWjSc8Atid0wT9424f8qv.t_L2hApCAhZleoeIdGWh2HCzChdH1eshzuIz2x7yU2Vw6Mrw; path=/; expires=Wed, 13-Mar-24 20:29:00 GMT; domain=.discordapp.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=R7C5F7JK3u3P2Vg9tdNyVK6I7132EU46gV8QSl1KcvebRkvJ%2BvtIDbSxAuCDEoZbUWrPGoZ%2FQrEdPcQiB8vmoRCI0lnR4AoQHTfH7fF0xH4VgjKRqT1bABpHLDBm%2BKgj3iIJ5Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: _cfuvid=y2LPyzDvahctkzerY2lppuq9hC1pt2jj8gWt6q.RGwE-1710359940660-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 863e9a1d090b23be-LHR
alt-svc: h3=":443"; ma=86400
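When a sandbox run shows a 404 from cdn.discordapp.com, the first question is whether the link was still valid at analysis time. The block below is an added example, not code from the tria.ge report, that parses a Discord attachment URL, decodes the hex ex and is timestamps, recovers the upload time independently from the attachment snowflake ID, and reports whether the link had already expired at the submission time. The sample URL and submission time are taken from this report; the Discord snowflake epoch and the meaning of ex, is and hm are as documented by Discord, and accepting media.discordapp.net as a second CDN host is my assumption.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

DISCORD_EPOCH_MS = 1_420_070_400_000  # snowflake epoch: 2015-01-01T00:00:00Z
# Assumption: both hosts serve signed attachment links with the same layout.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Constructed input: the URL and submission time taken from the report above.
SAMPLE_URL = (
    "https://cdn.discordapp.com/attachments/1179196067288465470/1210814641190604800/"
    "Serials_Checker_-_Copy.bat?ex=65ebee02&is=65d97902"
    "&hm=776ce04c8fecbce18fe03531026244deae5e388736074cd6c2f3f92c111cf73c&"
)
SUBMITTED_AT = datetime(2024, 3, 13, 19, 58, tzinfo=timezone.utc)


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake: top 42 bits are ms since DISCORD_EPOCH_MS."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def _hex_timestamp(qs: dict, key: str):
    """Decode a hex-encoded Unix timestamp query parameter, or None when absent."""
    value = qs.get(key, [""])[0]
    return datetime.fromtimestamp(int(value, 16), tz=timezone.utc) if value else None


def parse_discord_attachment(url: str) -> dict:
    """Split a Discord attachment URL into its IDs, filename and signed-link parameters."""
    parts = urlsplit(url)
    if parts.netloc.lower() not in DISCORD_CDN_HOSTS:
        raise ValueError(f"not a Discord CDN host: {parts.netloc}")
    segs = parts.path.split("/")  # ['', 'attachments', channel_id, attachment_id, filename]
    if len(segs) != 5 or segs[1] != "attachments":
        raise ValueError(f"unexpected attachment path: {parts.path}")
    qs = parse_qs(parts.query, keep_blank_values=True)
    attachment_id = int(segs[3])
    return {
        "filename": segs[4],
        "channel_id": int(segs[2]),
        "attachment_id": attachment_id,
        "uploaded": snowflake_time(attachment_id),  # derived from the ID, not the query string
        "issued": _hex_timestamp(qs, "is"),
        "expires": _hex_timestamp(qs, "ex"),
        "signed": bool(qs.get("hm", [""])[0]),
    }


def link_expired(info: dict, at: datetime) -> bool:
    """True when the link's 'ex' deadline lies before 'at'. Links without 'ex' never expire here."""
    return info["expires"] is not None and info["expires"] < at


def triage(url: str, at: datetime) -> dict:
    """Parse the URL and judge whether it could still have served the payload at time 'at'."""
    info = parse_discord_attachment(url)
    info["expired_at_analysis"] = link_expired(info, at)
    if info["issued"] and info["expires"]:
        info["validity"] = info["expires"] - info["issued"]
    return info


if __name__ == "__main__":
    for key, value in triage(SAMPLE_URL, SUBMITTED_AT).items():
        print(f"{key:20} {value}")
```

For this report the upload time recovered from the attachment snowflake equals the is timestamp to the second, the validity window is exactly 14 days, and expired_at_analysis is True, which is why the run never saw the batch file. Re-submitting the sample will not help; the payload has to be recovered from another source, for example an earlier capture of the same link.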
DNS (8.8.8.8:53)
PTR 233.134.159.162.in-addr.arpa: response, no answer

Flows (bytes sent / received, packets sent / received)

162.159.134.233:443  tls, http  OetK6pK9.exe  897 B / 4.1kB  8 / 6
  HTTP Request: GET https://cdn.discordapp.com/attachments/1179196067288465470/1210814641190604800/Serials_Checker_-_Copy.bat?ex=65ebee02&is=65d97902&hm=776ce04c8fecbce18fe03531026244deae5e388736074cd6c2f3f92c111cf73c&
  HTTP Response: 404

DNS  71 B / 157 B  1 / 1
  DNS Request: 4.159.190.20.in-addr.arpa

DNS  142 B / 135 B  2 / 1
  DNS Request: 29.179.17.96.in-addr.arpa
  DNS Request: 29.179.17.96.in-addr.arpa

DNS  71 B / 145 B  1 / 1
  DNS Request: 97.17.167.52.in-addr.arpa

DNS  144 B / 158 B  2 / 1
  DNS Request: 241.150.49.20.in-addr.arpa
  DNS Request: 241.150.49.20.in-addr.arpa

DNS  71 B / 157 B  1 / 1
  DNS Request: 26.35.223.20.in-addr.arpa

DNS  72 B / 158 B  1 / 1
  DNS Request: 241.154.82.20.in-addr.arpa

DNS  72 B / 146 B  1 / 1
  DNS Request: 26.165.165.52.in-addr.arpa

DNS  71 B / 135 B  1 / 1
  DNS Request: 41.110.16.96.in-addr.arpa

DNS  73 B / 147 B  1 / 1
  DNS Request: 149.220.183.52.in-addr.arpa

DNS  64 B / 144 B  1 / 1
  DNS Request: cdn.discordapp.com
  DNS Response: 162.159.134.233, 162.159.129.233, 162.159.135.233, 162.159.130.233, 162.159.133.233

DNS  74 B / 136 B  1 / 1
  DNS Request: 233.134.159.162.in-addr.arpa