Analysis

  • max time kernel
    423s
  • max time network
    440s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-es
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-eslocale:es-esos:windows10-ltsc 2021-x64systemwindows
  • submitted
    22/01/2025, 15:18 UTC

General

  • Target

    textoutstream.uno.dll

  • Size

    22KB

  • MD5

    c27254aed7ac9cfbc61e6dbd51904968

  • SHA1

    6022370f585a9d9ea0618140b100e1eac9e33cce

  • SHA256

    2fbe6c29e6de2906e72ec84bbe03f42a055111ba6768512045b2d4745d63d547

  • SHA512

    fa3503a3e550f81105fe72ed666c0f3f9b071b0494edaa0a70c24c1c049acd80bb2360b49dd6355d0743521c5256dc2bf3b07823b3f4c500ab676424fd4567b7

  • SSDEEP

    384:D9ewMvchS2fZ6a2JdPzf2KrqbJk+E1SeWXOOVlvtnKyiL6:AwB0Pzf3qlkqXOIHKyP

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\textoutstream.uno.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\textoutstream.uno.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3416

Network

  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    16.29.65.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    16.29.65.23.in-addr.arpa
    IN PTR
    Response
    16.29.65.23.in-addr.arpa
    IN PTR
    a23-65-29-16deploystaticakamaitechnologiescom
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    fd.api.iris.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    fd.api.iris.microsoft.com
    IN A
    Response
    fd.api.iris.microsoft.com
    IN CNAME
    fd-api-iris.trafficmanager.net
    fd-api-iris.trafficmanager.net
    IN CNAME
    iris-de-ppe-azsc-v2-weu.westeurope.cloudapp.azure.com
    iris-de-ppe-azsc-v2-weu.westeurope.cloudapp.azure.com
    IN A
    20.86.201.138
  • flag-nl
    GET
    https://fd.api.iris.microsoft.com/v4/api/selection?&asid=7152850246324986986756298D85099A&nct=1&placement=88000677&bcnt=30&country=ES&locale=es-ES&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1736775537&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3ABFFFD61D-F3EB-CFA7-EB4B-5071399DAEDC&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204412&lo=13073&tsu=13073
    Remote address:
    20.86.201.138:443
    Request
    GET /v4/api/selection?&asid=7152850246324986986756298D85099A&nct=1&placement=88000677&bcnt=30&country=ES&locale=es-ES&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1736775537&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3ABFFFD61D-F3EB-CFA7-EB4B-5071399DAEDC&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204412&lo=13073&tsu=13073 HTTP/2.0
    host: fd.api.iris.microsoft.com
    accept-encoding: gzip, deflate
    x-sdk-hw-token: t=EwDoAppeBAAUGoFunEzxzyai/T0i5tnZAAR1eX0AAStVNkeB/eEfGHxnDb2+lM++rsl8p5cHY7rwIPimvYOHbIo7fl8Q0pALXwF268ljxIuJu7eKuCtKLxesBxA56uOopq4zAbJab/L4A8hZMmBVmGh02QbTfafAMksgUqTuqNP0MVGVRLurfahqy1zdgd8IiR8UJT5u0tnRyE7oyPyQO4epm3fGadu1s07MSM6mlEFVXCKzO+xnlLp34n3Uz4Jw6utkS5z9d//vjGRhulHCAL64LhGi1q9sErWmpRd7FTTE4KlidUcEOyK6xyjTAgcXbuI/ZNj0uuGo35dpkPPBR6c41HVNRkpA+vcac6IdiDNgI+f8prPvLYZhI39VLiMQZgAAEHKLLpdCe34wbfJbBJ2Iz/qwAcVC1vCE3pxJ6g66iob3vz7+dMMoz3xEGIdaSHYAPlFJUkRHkekALI330e2XeK1szz9F83qXrsdwO1ZV0aVj9La0/YjtEjq8Zih5PddvW4caiB4aq6Sn1Ck+uprXK/+Btk8a6MGoy1jz386C+IEJ16FqHs7Ku4lLpNiWX7Z65Mu+/GK3QUp1M6J6AI0xsOC8woVkgiyTAZZdSgjBl2h56IHAICcs5T0HmVHrOxXYn3mlf/7gtEFJvSbU+RANAmGJTAQUYYKJ+Ad3f3GSFQlltLHIyzktR0g3UPhYUkfRjKq5QrCI67FFXHWuDxzbm+aFVN8CgIXWSVqTEZLDgx7bpWMF0/Qy1RNcFKt9XU9RkFkelo9+JQcWu1rV5sKl6Ez7+JxkEZzdqAhu0lWPOWpoJQedRBrENqh6AnTUFYXVZBVPbvFkw5nfZ1ka+VDO/Ke0J6LXDrUFeZ5qVmPFEL4KQfA2sZZPlkMWIVXhqIn1ebFYo9z2cgugcIMiI32ybOXCtQxHyAVYwsMmo9DKLzY6ra+UZutlvoZD8MwD9s/g89PfNR3yz07jcvCaytqPOGyAJ9oB&p=
    Response
    HTTP/2.0 200
    cache-control: no-store, no-cache
    pragma: no-cache
    content-length: 131
    content-type: application/json; charset=utf-8
    expires: Mon, 01 Jan 0001 00:00:00 GMT
    server: Microsoft-IIS/10.0
    arc-rsp-dbg: [{"DcoPlusDebug":"Status: Ok"},{"OPTOUTSTATE":"256"},{"REGIONALPOLICY":"0"}]
    accept-ch: UA, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform, UA-Platform-Version
    x-aspnet-version: 4.0.30319
    x-powered-by: ASP.NET
    strict-transport-security: max-age=31536000; includeSubDomains
    date: Wed, 22 Jan 2025 15:33:19 GMT
  • flag-us
    DNS
    138.201.86.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.201.86.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    18.155.100.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.155.100.95.in-addr.arpa
    IN PTR
    Response
    18.155.100.95.in-addr.arpa
    IN PTR
    a95-100-155-18deploystaticakamaitechnologiescom
  • flag-us
    DNS
    105.193.132.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.193.132.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    3.108.50.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    3.108.50.23.in-addr.arpa
    IN PTR
    Response
    3.108.50.23.in-addr.arpa
    IN PTR
    a23-50-108-3deploystaticakamaitechnologiescom
  • 20.86.201.138:443
    https://fd.api.iris.microsoft.com/v4/api/selection?&asid=7152850246324986986756298D85099A&nct=1&placement=88000677&bcnt=30&country=ES&locale=es-ES&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1736775537&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3ABFFFD61D-F3EB-CFA7-EB4B-5071399DAEDC&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204412&lo=13073&tsu=13073
    tls, http2
    3.1kB
    7.4kB
    21
    12

    HTTP Request

    GET https://fd.api.iris.microsoft.com/v4/api/selection?&asid=7152850246324986986756298D85099A&nct=1&placement=88000677&bcnt=30&country=ES&locale=es-ES&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1736775537&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3ABFFFD61D-F3EB-CFA7-EB4B-5071399DAEDC&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=204412&lo=13073&tsu=13073

    HTTP Response

    200
  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    16.29.65.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    16.29.65.23.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    fd.api.iris.microsoft.com
    dns
    71 B
    195 B
    1
    1

    DNS Request

    fd.api.iris.microsoft.com

    DNS Response

    20.86.201.138

  • 8.8.8.8:53
    138.201.86.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.201.86.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    140 B
    144 B
    2
    1

    DNS Request

    18.31.95.13.in-addr.arpa

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    18.155.100.95.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    18.155.100.95.in-addr.arpa

  • 8.8.8.8:53
    105.193.132.51.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    105.193.132.51.in-addr.arpa

  • 8.8.8.8:53
    3.108.50.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    3.108.50.23.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.