Analysis

max time kernel: 1207s
max time network: 1214s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-03-2024 18:29
Static task: static1
Behavioral task behavioral1: sample upd.msi, resource win10-20240221-en
Behavioral task behavioral2: sample upd.msi, resource win10v2004-20240226-en
Behavioral task behavioral3: sample upd.msi, resource win11-20240221-en
General

Target: upd.msi
Size: 1.4MB
MD5: a32536810939d2264c9030b8a1b12186
SHA1: 25b92fa53392d8541c2213769fac25b7ecbc88f1
SHA256: d83d5378f1bb37d1423207ad67f2f984f2d46ba9534194c344a051117c1e541f
SHA512: 681c2c3299252ee34e447733e6fd6a00133ade44acac9a46cd2f188fd9f6ea767a183ffc0855e7effd39e1ac873405f2d22a7c44e3ce8e39441119d71841029e
SSDEEP: 24576:1hFxLNvYLSMvZCFlp8zBQSc0ZoCvqKwx0ECIgYmfLVYeBZr7AJ/MqYzXZ:1h1vYpW8zBQSc0ZnSKeZKumZr7Amqg
Malware Config

Extracted family: latrodectus
URLs:
- https://titnovacrion.top/live/
- https://grunzalom.fun/live/
Signatures

Latrodectus loader
Latrodectus is a loader written in C++.

Detect Latrodectus Loader variant 2 (4 IoCs)
yara_rule family_latrodectus_v2 matched in:
- behavioral2/memory/2088-53-0x000001DA1E2D0000-0x000001DA1E2E4000-memory.dmp
- behavioral2/memory/2088-58-0x000001DA1E2D0000-0x000001DA1E2E4000-memory.dmp
- behavioral2/memory/2952-70-0x000002E651CA0000-0x000002E651CB4000-memory.dmp
- behavioral2/memory/2952-71-0x000002E651CA0000-0x000002E651CB4000-memory.dmp
Blocklisted process makes network request (64 IoCs)
All 64 network flows (flow ids 134 through 220) originate from rundll32.exe, PID 2952.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
msiexec.exe opened the root of drives A:, B:, E: and G: through Z: read-only (each drive twice, 46 events in total); C:, D: and F: do not appear.
Drops file in Windows directory (10 IoCs)
All events by msiexec.exe:
- File opened for modification C:\Windows\Installer\MSIF902.tmp
- File opened for modification C:\Windows\Installer\
- File created C:\Windows\Installer\e58f7b9.msi
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification C:\Windows\Installer\MSIF826.tmp
- File created C:\Windows\Installer\inprogressinstallinfo.ipi
- File created C:\Windows\Installer\SourceHash{EDB05111-9E1F-4247-A9B5-3D72B974D151}
- File opened for modification C:\Windows\Installer\MSIFA5B.tmp
- File opened for modification C:\Windows\Installer\MSIFABA.tmp
- File opened for modification C:\Windows\Installer\e58f7b9.msi
Executes dropped EXE (1 IoC)
- MSIFABA.tmp, PID 4704

Loads dropped DLL (10 IoCs)
- MsiExec.exe, PID 3656 (6 loads)
- MsiExec.exe, PID 4428 (2 loads)
- rundll32.exe, PID 2088 (1 load)
- rundll32.exe, PID 2952 (1 load)
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All events by vssvc.exe under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters:
- Set value (data) ...\Partmgr\SnapshotDataCache = (binary data)
- Key opened ...\Device Parameters
- Key queried ...\Device Parameters
- Key created ...\Partmgr
- Set value (data) ...\Partmgr\PartitionTableCache = (binary data)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
- msiexec.exe, PID 4928 (2 events)
- MSIFABA.tmp, PID 4704 (2 events)
- rundll32.exe, PID 2088 (4 events)
- rundll32.exe, PID 2952 (4 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- msiexec.exe, PID 4928: SeSecurityPrivilege (1 event)
- msiexec.exe, PID 3516: 63 events, repeatedly enabling the following privileges: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
- msiexec.exe, PID 3516 (2 events)
Suspicious use of WriteProcessMemory (13 IoCs)
source PID / process -> target PID (procid_target), number of writes:
- 4928 msiexec.exe -> 3656 (93), 3 writes
- 4928 msiexec.exe -> 1660 (118), 2 writes
- 4928 msiexec.exe -> 4428 (120), 3 writes
- 4928 msiexec.exe -> 4704 (121), 3 writes
- 2088 rundll32.exe -> 2952 (123), 2 writes
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows parent/child depth as in the original tree)

C:\Windows\system32\msiexec.exe (PID 3516)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\upd.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 4928)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe (PID 3656, child of 4928)
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding C2BB3D64AB68733510A95DEED6180E1E C
      - Loads dropped DLL

    C:\Windows\system32\srtasks.exe (PID 1660, child of 4928)
      command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\syswow64\MsiExec.exe (PID 4428, child of 4928)
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding C754042031FAFC96EC3A95F135249C9D
      - Loads dropped DLL

    C:\Windows\Installer\MSIFABA.tmp (PID 4704, child of 4928)
      command line: "C:\Windows\Installer\MSIFABA.tmp" C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\besr\cr2.dll, vgml
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (PID 1200)
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)

C:\Windows\System32\rundll32.exe (PID 2088)
  command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\besr\cr2.dll, vgml
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\rundll32.exe (PID 2952, child of 2088)
      command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_660c9e20.dll", vgml
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
Downloads