Overview

Sidebar (score badge, target, platform). Names are shown truncated as in the sidebar; the full names are listed under Behavioral task below.

Score  Target                     Platform
10     Static                     (static analysis)
10     Apache_Ope...es.exe        windows10-ltsc 2021-x64
6      $PLUGINSDI...ns.dll        windows10-ltsc 2021-x64
3      stat.py                    windows10-ltsc 2021-x64
3      stats.py                   windows10-ltsc 2021-x64
3      statvfs.py                 windows10-ltsc 2021-x64
3      stl_01.ott                 windows10-ltsc 2021-x64
3      stl_02.ott                 windows10-ltsc 2021-x64
3      stl_03.ott                 windows10-ltsc 2021-x64
3      swui.dll                   windows10-ltsc 2021-x64
3      symbol.py                  windows10-ltsc 2021-x64
3      symbols.py                 windows10-ltsc 2021-x64
3      symtable.py                windows10-ltsc 2021-x64
3      synchronize.py             windows10-ltsc 2021-x64
3      syntax.py                  windows10-ltsc 2021-x64
3      sysconfig.py               windows10-ltsc 2021-x64
3      sysconfig1.py              windows10-ltsc 2021-x64
3      sysdtrans.dll              windows10-ltsc 2021-x64
3      sysmail.uno.dll            windows10-ltsc 2021-x64
3      syssh.uno.dll              windows10-ltsc 2021-x64
3      t602filter.dll             windows10-ltsc 2021-x64
3      tabbedpages.py             windows10-ltsc 2021-x64
3      table.jar                  windows10-ltsc 2021-x64
1      tabnanny.py                windows10-ltsc 2021-x64
3      tarfile.py                 windows10-ltsc 2021-x64
3      telnetlib.py               windows10-ltsc 2021-x64
3      tempfile.py                windows10-ltsc 2021-x64
3      textoutstream.uno.dll      windows10-ltsc 2021-x64
3      openoffice4115.msi         windows10-ltsc 2021-x64
6      readmes/re...s.html        windows10-ltsc 2021-x64
4      redist/vcr...64.exe        windows10-ltsc 2021-x64
7      redist/vcr...86.exe        windows10-ltsc 2021-x64
7      setup.exe                  windows10-ltsc 2021-x64
Analysis (score 7)

max time kernel: 422s
max time network: 447s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250113-es
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-es, locale:es-es, os:windows10-ltsc 2021-x64, system:windows
submitted: 22/01/2025, 15:18
Behavioral task

All 32 tasks ran on resource win10ltsc2021-20250113-es.

Task          Sample
behavioral1   Apache_OpenOffice_4.1.15_Win_x86_install_es.exe
behavioral2   $PLUGINSDIR/InstallOptions.dll
behavioral3   stat.py
behavioral4   stats.py
behavioral5   statvfs.py
behavioral6   stl_01.ott
behavioral7   stl_02.ott
behavioral8   stl_03.ott
behavioral9   swui.dll
behavioral10  symbol.py
behavioral11  symbols.py
behavioral12  symtable.py
behavioral13  synchronize.py
behavioral14  syntax.py
behavioral15  sysconfig.py
behavioral16  sysconfig1.py
behavioral17  sysdtrans.dll
behavioral18  sysmail.uno.dll
behavioral19  syssh.uno.dll
behavioral20  t602filter.dll
behavioral21  tabbedpages.py
behavioral22  table.jar
behavioral23  tabnanny.py
behavioral24  tarfile.py
behavioral25  telnetlib.py
behavioral26  tempfile.py
behavioral27  textoutstream.uno.dll
behavioral28  openoffice4115.msi
behavioral29  readmes/readme_es.html
behavioral30  redist/vcredist_x64.exe
behavioral31  redist/vcredist_x86.exe
behavioral32  setup.exe
General

Target: setup.exe
Size: 468KB
MD5: 5b8919735858ed14281644d2c240100e
SHA1: 7f6375515e18679cf457f2bad67892db5a217555
SHA256: b78712b6fbe78bbdb57b25f985262e38e061811e244aa39297fd5a0c91d80ffa
SHA512: 34d8faa0a71f02afff0699be326962938c36c55ba175a35f6a214bc1038f0bd1731f9a2566651a4dc932fc7814aa11bfec4533e5fe499dba3dfef910547c8ad4
SSDEEP: 6144:w1p3HAzqXU1jsNVRbIf7m6A5f4LT9XTj8Tu6eezwJ:w1p3H6mUlKVRcf7lUsXcTus
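As an added check, not part of the sandbox report: a Python snippet that recomputes the four digests listed above for a local file and compares them with the report's values. The REPORT_SETUP_EXE dictionary copies the hashes printed above for setup.exe; the function names and the file path are assumptions of this example, and SSDEEP is left out because it needs a third-party library.

```python
"""Verify a local file against the hashes a sandbox report lists for it.

Added example, not part of the sandbox report. The digest values in
REPORT_SETUP_EXE are copied from the report's General section for setup.exe;
the helper names and the command-line usage are assumptions of this example.
"""
import hashlib
import sys

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests as printed in the report's General section for setup.exe (468KB).
REPORT_SETUP_EXE = {
    "md5": "5b8919735858ed14281644d2c240100e",
    "sha1": "7f6375515e18679cf457f2bad67892db5a217555",
    "sha256": "b78712b6fbe78bbdb57b25f985262e38e061811e244aa39297fd5a0c91d80ffa",
    "sha512": "34d8faa0a71f02afff0699be326962938c36c55ba175a35f6a214bc1038f0bd1"
              "731f9a2566651a4dc932fc7814aa11bfec4533e5fe499dba3dfef910547c8ad4",
}


def compute_hashes(data: bytes) -> dict:
    """Return lowercase hex digests of `data` for every algorithm the report lists."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    for h in digests.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in digests.items()}


def compute_file_hashes(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four hashers so a large installer need not fit in memory."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def verify_hashes(actual: dict, expected: dict) -> dict:
    """Compare per algorithm: True/False where the report lists a value, None where it does not."""
    result = {}
    for name in ALGORITHMS:
        exp = expected.get(name)
        result[name] = None if exp is None else (actual[name] == exp.lower())
    return result


def matches_report(actual: dict, expected: dict) -> bool:
    """True only if SHA-256 matches and no listed digest disagrees.

    MD5 and SHA-1 are not collision resistant, so a match on those alone is not
    treated as identifying the sample.
    """
    checks = verify_hashes(actual, expected)
    if checks["sha256"] is not True:
        return False
    return all(v for v in checks.values() if v is not None)


if __name__ == "__main__":
    # Usage (assumed): python verify_hashes.py path/to/setup.exe
    hashes = compute_file_hashes(sys.argv[1])
    for name in ALGORITHMS:
        print(f"{name}: {hashes[name]}")
    print("matches report:", matches_report(hashes, REPORT_SETUP_EXE))
```

Point compute_file_hashes at the installer you actually downloaded and pass the result to matches_report; a match ties your copy to this analysis, and the same function can be fed the checksums the project publishes for the release instead of the report's values.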
Malware Config
Signatures
Loads dropped DLL (5 IoCs)

pid   Process
1040  MsiExec.exe  (5 rows)

All five loads are by PID 1040, the MsiExec.exe -Embedding process, which is the custom-action server Windows Installer spawns to run a package's DLL custom actions; loading DLLs extracted from the MSI there is consistent with the package's own custom actions.

Enumerates connected drives (3 TTPs, 46 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

description              Process      ioc
File opened (read-only)  msiexec.exe  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:

Each of the 23 letters appears twice in the report (46 rows); C:, D: and F: do not appear. Both msiexec.exe processes in the tree trigger this. Windows Installer enumerates volumes while costing an install, so the signature fires on any MSI package and is not evidence of malicious intent on its own.

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe

This key is where Windows keeps the system default locale, so any locale-aware installer (this one is the es-ES build) reads it when choosing its UI language.

Suspicious use of AdjustPrivilegeToken (64 IoCs)

pid   Process      Token
4556  msiexec.exe  SeSecurityPrivilege (1 row)
1656  msiexec.exe  SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following 29 privileges enabled in this order, twice:
                   SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
                   followed by SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege (the table is cut off at 64 rows)

The sandbox records the AdjustTokenPrivileges call, not whether it succeeded: a privilege can only be enabled if the token already holds it, so SeTcbPrivilege or SeDebugPrivilege in this list does not mean the process obtained them. Enabling the whole set in one sweep is a common installer pattern.

Suspicious use of FindShellTrayWindow (1 IoC)

pid   Process
1656  msiexec.exe

Suspicious use of WriteProcessMemory (6 IoCs)

description                       pid   Process      procid_target
PID 1468 wrote to memory of 1656  1468  setup.exe    82  (3 rows)
PID 4556 wrote to memory of 1040  4556  msiexec.exe  85  (3 rows)

In both cases the writer is the parent of the target (setup.exe spawned the msiexec.exe client; the msiexec.exe /V service spawned the MsiExec.exe -Embedding custom-action server), which matches the writes CreateProcess performs into a freshly created child rather than injection into an unrelated process.
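The signature tables above are printed as single run-on rows. As an added example, not part of the report, here is a Python parser for those three row formats that groups the 46 drive rows by letter, the 64 privilege rows by PID, and the WriteProcessMemory rows into unique parent-to-child edges. The IoC text is rebuilt inline from the values printed above (drive letters, PIDs, privilege names) so the example runs offline; the regexes and helper names are this example's own.

```python
"""Parse the flattened IoC tables of a sandbox report into structured data.

Added example, not part of the sandbox report. The drive letters, PIDs and
privilege names below are copied from the report's Signatures section; the
row text is rebuilt in the report's own "description ioc Process" format
because the page prints each table as one run-on line.
"""
import re
import string
from collections import Counter, defaultdict

# --- Sample input, reconstructed from the report's rows -----------------------

# "Enumerates connected drives": 46 rows, drive letters in the order printed.
DRIVE_LETTERS_IN_REPORT = (
    "M W E I L Z A Q X Y Z A S Y J K L O V R T H I U J G G M Q V P O P U T E N B K X B S H N W R"
).split()
DRIVE_IOC_TEXT = " ".join(
    f"File opened (read-only) \\??\\{d}: msiexec.exe" for d in DRIVE_LETTERS_IN_REPORT
)

# "Suspicious use of AdjustPrivilegeToken": 64 rows. The report prints two rows
# for PID 1656, one for PID 4556, then a 29-privilege run that PID 1656 repeats
# twice before the table is cut off after three more rows.
PRIV_RUN = [
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege", "SeTcbPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfSingleProcessPrivilege",
    "SeIncBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeAuditPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege",
]
PRIV_ROWS = (
    [("SeShutdownPrivilege", 1656), ("SeIncreaseQuotaPrivilege", 1656), ("SeSecurityPrivilege", 4556)]
    + [(p, 1656) for p in PRIV_RUN] * 2
    + [(p, 1656) for p in PRIV_RUN[:3]]
)
PRIV_IOC_TEXT = " ".join(f"Token: {p} {pid} msiexec.exe" for p, pid in PRIV_ROWS)

# "Suspicious use of WriteProcessMemory": 6 rows, copied verbatim.
WPM_IOC_TEXT = (
    "PID 1468 wrote to memory of 1656 1468 setup.exe 82 " * 3
    + "PID 4556 wrote to memory of 1040 4556 msiexec.exe 85 " * 3
).strip()

# --- Parsers ------------------------------------------------------------------

DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
PRIV_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_drive_iocs(text):
    """Return (rows, per-letter counts, letters never opened)."""
    rows = DRIVE_RE.findall(text)
    counts = Counter(letter for letter, _proc in rows)
    untouched = sorted(set(string.ascii_uppercase) - set(counts))
    return rows, counts, untouched


def parse_privilege_iocs(text):
    """Group privilege-enable rows by PID (first-seen order, no duplicates) and count rows."""
    per_pid = defaultdict(list)
    total = 0
    for priv, pid, _proc in PRIV_RE.findall(text):
        total += 1
        if priv not in per_pid[int(pid)]:
            per_pid[int(pid)].append(priv)
    return dict(per_pid), total


def parse_wpm_edges(text):
    """Collapse repeated WriteProcessMemory rows into unique (writer pid, writer, target pid) edges."""
    return sorted({(int(p), proc, int(c)) for p, c, proc, _idx in WPM_RE.findall(text)})


if __name__ == "__main__":
    rows, counts, untouched = parse_drive_iocs(DRIVE_IOC_TEXT)
    print(len(rows), "drive rows;", len(counts), "letters; never opened:", untouched)
    per_pid, total = parse_privilege_iocs(PRIV_IOC_TEXT)
    print(total, "privilege rows;", {pid: len(v) for pid, v in per_pid.items()})
    print("WriteProcessMemory edges:", parse_wpm_edges(WPM_IOC_TEXT))
```

Run on the text above, the drive parser confirms that the 46 rows are 23 distinct letters opened twice each (C:, D: and F: never appear), the privilege parser reduces 64 rows to 29 distinct privileges for PID 1656 and one for PID 4556, and the memory-write parser leaves exactly two parent-to-child edges, which is what the process tree below shows.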
Processes

1. C:\Users\Admin\AppData\Local\Temp\setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
   PID: 1468
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\msiexec.exe
      Command line: C:\Windows\SysWOW64\\msiexec.exe SETUP_USED=1 /I "C:\Users\Admin\AppData\Local\Temp\openoffice4115.msi"
      PID: 1656
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

1. C:\Windows\system32\msiexec.exe
   Command line: C:\Windows\system32\msiexec.exe /V
   PID: 4556
   - Enumerates connected drives
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 21537FFEEE8D36F77B3EB4BE5BBDD195 C
      PID: 1040
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file 1 (name not listed in the report)
Filesize: 164KB
MD5: 34480728b3a659a7bc4bea865c25668d
SHA1: 4ca4a1a5df7cb116ffa35e106705f2a2c20b0738
SHA256: a5b9ccf58eab9e907a151860f5630da52ae939625fd7065a05947c5e4376a09a
SHA512: 6c6bf290e20d57477b9ee366e44d6c2559f27364063b03c23cf1687e41d5b9b44547f53751ea6b920bcb6471431443deafe4b0a638cd0ec4d7de903260cd978e

Dropped file 2 (name not listed in the report)
Filesize: 88KB
MD5: 55b453d7a244d96e10754ab033c45728
SHA1: 7f927a511987022bb009f48ee152a4e91aa877f0
SHA256: f8da2aac476ad890fd32a25e7e3ebd85a352b92f8134092d8df0b6a7702b1c32
SHA512: 21df0e08f5f3c05e6caf8085dab94dd9eb1248141cda974e7af9ec47d0249909c55bc599a88930f7421576cb834b44b84f8d858cbea770c3f11a5d397e30b731