Overview (score 10)
Static (score 10)
Tasks (sample, platform, score):
Apache_Ope...es.exe, windows10-ltsc 2021-x64, score 6
$PLUGINSDI...ns.dll, windows10-ltsc 2021-x64, score 3
stat.py, windows10-ltsc 2021-x64, score 3
stats.py, windows10-ltsc 2021-x64, score 3
statvfs.py, windows10-ltsc 2021-x64, score 3
stl_01.ott, windows10-ltsc 2021-x64, score 3
stl_02.ott, windows10-ltsc 2021-x64, score 3
stl_03.ott, windows10-ltsc 2021-x64, score 3
swui.dll, windows10-ltsc 2021-x64, score 3
symbol.py, windows10-ltsc 2021-x64, score 3
symbols.py, windows10-ltsc 2021-x64, score 3
symtable.py, windows10-ltsc 2021-x64, score 3
synchronize.py, windows10-ltsc 2021-x64, score 3
syntax.py, windows10-ltsc 2021-x64, score 3
sysconfig.py, windows10-ltsc 2021-x64, score 3
sysconfig1.py, windows10-ltsc 2021-x64, score 3
sysdtrans.dll, windows10-ltsc 2021-x64, score 3
sysmail.uno.dll, windows10-ltsc 2021-x64, score 3
syssh.uno.dll, windows10-ltsc 2021-x64, score 3
t602filter.dll, windows10-ltsc 2021-x64, score 3
tabbedpages.py, windows10-ltsc 2021-x64, score 3
table.jar, windows10-ltsc 2021-x64, score 1
tabnanny.py, windows10-ltsc 2021-x64, score 3
tarfile.py, windows10-ltsc 2021-x64, score 3
telnetlib.py, windows10-ltsc 2021-x64, score 3
tempfile.py, windows10-ltsc 2021-x64, score 3
textoutstream.uno.dll, windows10-ltsc 2021-x64, score 3
openoffice4115.msi, windows10-ltsc 2021-x64, score 6
readmes/re...s.html, windows10-ltsc 2021-x64, score 4
redist/vcr...64.exe, windows10-ltsc 2021-x64, score 7
redist/vcr...86.exe, windows10-ltsc 2021-x64, score 7
setup.exe, windows10-ltsc 2021-x64, score 7
Analysis
- max time kernel: 423s
- max time network: 440s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20250113-es
- resource tags: arch:x64 arch:x86 image:win10ltsc2021-20250113-es locale:es-es os:windows10-ltsc 2021-x64 system windows
- submitted: 22/01/2025, 15:18 UTC
Behavioral tasks (all run on resource win10ltsc2021-20250113-es):
- behavioral1: Apache_OpenOffice_4.1.15_Win_x86_install_es.exe
- behavioral2: $PLUGINSDIR/InstallOptions.dll
- behavioral3: stat.py
- behavioral4: stats.py
- behavioral5: statvfs.py
- behavioral6: stl_01.ott
- behavioral7: stl_02.ott
- behavioral8: stl_03.ott
- behavioral9: swui.dll
- behavioral10: symbol.py
- behavioral11: symbols.py
- behavioral12: symtable.py
- behavioral13: synchronize.py
- behavioral14: syntax.py
- behavioral15: sysconfig.py
- behavioral16: sysconfig1.py
- behavioral17: sysdtrans.dll
- behavioral18: sysmail.uno.dll
- behavioral19: syssh.uno.dll
- behavioral20: t602filter.dll
- behavioral21: tabbedpages.py
- behavioral22: table.jar
- behavioral23: tabnanny.py
- behavioral24: tarfile.py
- behavioral25: telnetlib.py
- behavioral26: tempfile.py
- behavioral27: textoutstream.uno.dll
- behavioral28: openoffice4115.msi
- behavioral29: readmes/readme_es.html
- behavioral30: redist/vcredist_x64.exe
- behavioral31: redist/vcredist_x86.exe
- behavioral32: setup.exe
General
- Target: textoutstream.uno.dll
- Size: 22KB
- MD5: c27254aed7ac9cfbc61e6dbd51904968
- SHA1: 6022370f585a9d9ea0618140b100e1eac9e33cce
- SHA256: 2fbe6c29e6de2906e72ec84bbe03f42a055111ba6768512045b2d4745d63d547
- SHA512: fa3503a3e550f81105fe72ed666c0f3f9b071b0494edaa0a70c24c1c049acd80bb2360b49dd6355d0743521c5256dc2bf3b07823b3f4c500ab676424fd4567b7
- SSDEEP: 384:D9ewMvchS2fZ6a2JdPzf2KrqbJk+E1SeWXOOVlvtnKyiL6:AwB0Pzf3qlkqXOIHKyP
Malware Config
Signatures
-
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: rundll32.exe
-
Suspicious use of WriteProcessMemory (3 IoCs, all identical)
description: PID 4416 wrote to memory of 3416; pid: 4416; Process: rundll32.exe; procid_target: 81
Processes
-
C:\Windows\system32\rundll32.exe (PID 4416)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\textoutstream.uno.dll,#1
Signatures: Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\rundll32.exe (PID 3416, child of the process above)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\textoutstream.uno.dll,#1
  Signatures: System Location Discovery: System Language Discovery
-
Network
-
Remote address: 8.8.8.8:53
Request: 138.32.126.40.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 167.173.78.104.in-addr.arpa IN PTR
Response: 167.173.78.104.in-addr.arpa IN PTR a104-78-173-167.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 241.150.49.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 16.29.65.23.in-addr.arpa IN PTR
Response: 16.29.65.23.in-addr.arpa IN PTR a23-65-29-16.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 97.17.167.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: fd.api.iris.microsoft.com IN A
Response: fd.api.iris.microsoft.com IN CNAME fd-api-iris.trafficmanager.net
          fd-api-iris.trafficmanager.net IN CNAME iris-de-ppe-azsc-v2-weu.westeurope.cloudapp.azure.com
          iris-de-ppe-azsc-v2-weu.westeurope.cloudapp.azure.com IN A 20.86.201.138
-
Remote address: 20.86.201.138:443
Request:
GET /v4/api/selection?&asid=7152850246324986986756298D85099A&nct=1&placement=88000677&bcnt=30&country=ES&locale=es-ES&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1736775537&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3ABFFFD61D-F3EB-CFA7-EB4B-5071399DAEDC&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204412&lo=13073&tsu=13073 HTTP/2.0
host: fd.api.iris.microsoft.com
accept-encoding: gzip, deflate
Response: HTTP/2.0 200
pragma: no-cache
content-length: 131
content-type: application/json; charset=utf-8
expires: Mon, 01 Jan 0001 00:00:00 GMT
server: Microsoft-IIS/10.0
arc-rsp-dbg: [{"DcoPlusDebug":"Status: Ok"},{"OPTOUTSTATE":"256"},{"REGIONALPOLICY":"0"}]
accept-ch: UA, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform, UA-Platform-Version
x-aspnet-version: 4.0.30319
x-powered-by: ASP.NET
strict-transport-security: max-age=31536000; includeSubDomains
date: Wed, 22 Jan 2025 15:33:19 GMT
-
Remote address: 8.8.8.8:53
Request: 138.201.86.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 50.23.12.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 18.31.95.13.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 18.31.95.13.in-addr.arpa IN PTR
-
Remote address: 8.8.8.8:53
Request: 18.155.100.95.in-addr.arpa IN PTR
Response: 18.155.100.95.in-addr.arpa IN PTR a95-100-155-18.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 105.193.132.51.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 3.108.50.23.in-addr.arpa IN PTR
Response: 3.108.50.23.in-addr.arpa IN PTR a23-50-108-3.deploy.static.akamaitechnologies.com
-
Flow summary
20.86.201.138:443 (tls, http), https://fd.api.iris.microsoft.com/v4/api/selection (query string as in the request above): 23.1 kB sent, 7.4 kB received, 21 packets sent, 12 received
HTTP Request: GET https://fd.api.iris.microsoft.com/v4/api/selection (same query string as the request above)
HTTP Response: 200
-
72 B sent, 158 B received, 1 packet sent, 1 received: DNS Request 138.32.126.40.in-addr.arpa
-
73 B sent, 139 B received, 1 packet sent, 1 received: DNS Request 167.173.78.104.in-addr.arpa
-
72 B sent, 158 B received, 1 packet sent, 1 received: DNS Request 241.150.49.20.in-addr.arpa
-
70 B sent, 133 B received, 1 packet sent, 1 received: DNS Request 16.29.65.23.in-addr.arpa
-
71 B sent, 145 B received, 1 packet sent, 1 received: DNS Request 97.17.167.52.in-addr.arpa
-
71 B sent, 195 B received, 1 packet sent, 1 received: DNS Request fd.api.iris.microsoft.com; DNS Response 20.86.201.138
-
72 B sent, 158 B received, 1 packet sent, 1 received: DNS Request 138.201.86.20.in-addr.arpa
-
70 B sent, 156 B received, 1 packet sent, 1 received: DNS Request 50.23.12.20.in-addr.arpa
-
140 B sent, 144 B received, 2 packets sent, 1 received: DNS Request 18.31.95.13.in-addr.arpa (sent twice)
-
72 B sent, 137 B received, 1 packet sent, 1 received: DNS Request 18.155.100.95.in-addr.arpa
-
73 B sent, 159 B received, 1 packet sent, 1 received: DNS Request 105.193.132.51.in-addr.arpa
-
70 B sent, 133 B received, 1 packet sent, 1 received: DNS Request 3.108.50.23.in-addr.arpa