Analysis
- max time kernel: 1199s
- max time network: 1200s
- platform: windows10-1703_x64
- resource: win10-20240221-en
- resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 26/03/2024, 19:10
Static task: static1
Behavioral task: behavioral1
- Sample: upd.msi
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: upd.msi
- Resource: win10-20240221-en
Behavioral task: behavioral3
- Sample: upd.msi
- Resource: win10v2004-20240226-en
General
- Target: upd.msi
- Size: 1.4MB
- MD5: a32536810939d2264c9030b8a1b12186
- SHA1: 25b92fa53392d8541c2213769fac25b7ecbc88f1
- SHA256: d83d5378f1bb37d1423207ad67f2f984f2d46ba9534194c344a051117c1e541f
- SHA512: 681c2c3299252ee34e447733e6fd6a00133ade44acac9a46cd2f188fd9f6ea767a183ffc0855e7effd39e1ac873405f2d22a7c44e3ce8e39441119d71841029e
- SSDEEP: 24576:1hFxLNvYLSMvZCFlp8zBQSc0ZoCvqKwx0ECIgYmfLVYeBZr7AJ/MqYzXZ:1h1vYpW8zBQSc0ZnSKeZKumZr7Amqg
Malware Config
Extracted
- Family: latrodectus
- C2: https://titnovacrion.top/live/
- C2: https://grunzalom.fun/live/
Signatures
- Latrodectus loader
  Latrodectus is a loader written in C++.
- Detect Latrodectus Loader variant 2 (4 IoCs)
  yara_rule family_latrodectus_v2 matched the following resources:
  - behavioral2/memory/4384-56-0x0000020AC7C70000-0x0000020AC7C84000-memory.dmp
  - behavioral2/memory/4384-61-0x0000020AC7C70000-0x0000020AC7C84000-memory.dmp
  - behavioral2/memory/204-73-0x000001B0AFEE0000-0x000001B0AFEF4000-memory.dmp
  - behavioral2/memory/204-74-0x000001B0AFEE0000-0x000001B0AFEF4000-memory.dmp
- Blocklisted process makes network request (64 IoCs)
  Process rundll32.exe (pid 204), flows: 17, 19, 21, 22, 23, 25, 26, 27, 29, 30, 31, 32, 34, 35, 37, 39, 40, 42, 43, 44, 45, 47, 48, 49, 50, 52, 53, 54, 55, 57, 58, 59, 61, 63, 64, 66, 67, 68, 69, 71, 72, 73, 74, 76, 77, 78, 80, 82, 83, 84, 86, 87, 89, 90, 92, 93, 94, 95, 97, 99, 100, 101, 102, 104
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process msiexec.exe, description "File opened (read-only)", ioc (in reported order): \??\Q:, \??\N:, \??\O:, \??\S:, \??\U:, \??\A:, \??\B:, \??\T:, \??\Z:, \??\A:, \??\P:, \??\T:, \??\H:, \??\E:, \??\L:, \??\X:, \??\Z:, \??\J:, \??\O:, \??\I:, \??\R:, \??\W:, \??\M:, \??\Q:, \??\Y:, \??\G:, \??\M:, \??\N:, \??\P:, \??\R:, \??\V:, \??\X:, \??\B:, \??\G:, \??\K:, \??\J:, \??\E:, \??\I:, \??\K:, \??\L:, \??\U:, \??\W:, \??\H:, \??\S:, \??\V:, \??\Y:
- Drops file in Windows directory (10 IoCs)
  Process msiexec.exe, description / ioc:
  - File opened for modification: C:\Windows\Installer\MSIB23A.tmp
  - File opened for modification: C:\Windows\Installer\
  - File opened for modification: C:\Windows\Installer\MSIB335.tmp
  - File opened for modification: C:\Windows\Installer\MSIB47F.tmp
  - File opened for modification: C:\Windows\Installer\e57b15e.msi
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  - File opened for modification: C:\Windows\Installer\MSIB19D.tmp
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi
  - File created: C:\Windows\Installer\SourceHash{EDB05111-9E1F-4247-A9B5-3D72B974D151}
  - File created: C:\Windows\Installer\e57b15e.msi
- Executes dropped EXE (1 IoCs)
  pid 4852, Process MSIB47F.tmp
- Loads dropped DLL (10 IoCs)
  pid / Process: 4108 MsiExec.exe (6 entries), 2796 MsiExec.exe (2 entries), 4384 rundll32.exe, 204 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid / Process: 3788 msiexec.exe (2 entries), 4852 MSIB47F.tmp (2 entries), 4384 rundll32.exe (4 entries), 204 rundll32.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 3788 msiexec.exe (third entry in the report): Token: SeSecurityPrivilege
  pid 4832 msiexec.exe, the remaining 63 entries in reported order: Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 4832 msiexec.exe (2 entries)
- Suspicious use of WriteProcessMemory (13 IoCs)
  description / pid / Process / procid_target:
  - PID 3788 wrote to memory of 4108 / 3788 / msiexec.exe / 77 (3 entries)
  - PID 3788 wrote to memory of 2432 / 3788 / msiexec.exe / 80 (2 entries)
  - PID 3788 wrote to memory of 2796 / 3788 / msiexec.exe / 82 (3 entries)
  - PID 3788 wrote to memory of 4852 / 3788 / msiexec.exe / 83 (3 entries)
  - PID 4384 wrote to memory of 204 / 4384 / rundll32.exe / 85 (2 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 4832), command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\upd.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3788), command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\syswow64\MsiExec.exe (PID 4108), command line: C:\Windows\syswow64\MsiExec.exe -Embedding D4AD8C7488D948C466825E01D137649F C
    - Loads dropped DLL
  - C:\Windows\system32\srtasks.exe (PID 2432), command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (PID 2796), command line: C:\Windows\syswow64\MsiExec.exe -Embedding D252A09B8507D8465F7AA11A4B4F3DFE
    - Loads dropped DLL
  - C:\Windows\Installer\MSIB47F.tmp (PID 4852), command line: "C:\Windows\Installer\MSIB47F.tmp" C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\besr\cr2.dll, vgml
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 4568), command line: C:\Windows\system32\vssvc.exe
- C:\Windows\System32\rundll32.exe (PID 4384), command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\besr\cr2.dll, vgml
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\System32\rundll32.exe (PID 204), command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_b7493a32.dll", vgml
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 470e1eae80edc5737089c815d41d70f4
  SHA1: 763ee693cfdf25b99d7c30d5ed7d4a483d3b94ed
  SHA256: d7709706ffff16d5cad0ea0819ccb2b64fa081d39ccd050d2989db91f3ebe97a
  SHA512: a406c1e4d5a420038106f8d67c48085d69e75efbb693d00fa65b6ccca4570c01a2e1ea833eba3b583d41b1185ab44f2c9d86b603a3c8fbb3927b2014e915f23b
- Filesize: 436KB
  MD5: 475d20c0ea477a35660e3f67ecf0a1df
  SHA1: 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
  SHA256: 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
  SHA512: 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
- Filesize: 64KB
  MD5: 689eeeb4882c9abef6130c7e01fefa55
  SHA1: 45c1b62ee8cf62ae4ffaaa33aea5b47b373372ac
  SHA256: cb72f1067fbf62ed57ad7a33854f5cfb2f4cff21060e97abb7bba0436d9fd7ca
  SHA512: 70924ac8e561481acf54624902dda727d2c586317f1e7d0dc367af23a0b28380cfe791aeb21cf729a3ac5577dccdf8e1724fa38ab6d37811835b0139eb525830
- Filesize: 277KB
  MD5: f9425561701935d358f4f5b7fc2e5502
  SHA1: f00b5a6bbd7f500c439bfa4e4dedc79850732597
  SHA256: 71fb25cc4c05ce9dd94614ed781d85a50dccf69042521abc6782d48df85e6de9
  SHA512: 8faa2b11ca95eed4b7d5aa7dcc36669d929e7d2c503714d7d220c660e9dad8aa92697f57080fa7589875fe36e3fa9b507e96970d9647373c82969c7972774bcb
- Filesize: 389KB
  MD5: b9545ed17695a32face8c3408a6a3553
  SHA1: f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
  SHA256: 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
  SHA512: f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04
- Filesize: 211KB
  MD5: 46d3c86295efe627f28de4764e7e2ec7
  SHA1: 38ee0b54334211b317d41274421ee9968e85e89c
  SHA256: 528cac5590ba1250088062ea8b64c055b216ddbd28969a6ca55b11cc8baaac24
  SHA512: 88e15d2f1192f1b71bd8a04b45aaf069954bbbbbf447c715813c3ea7af49bc32237534732e90244bf732d6c2f55de741bccc24ddb890db2b0863bc0fd4a695f9
- \??\Volume{ac3a6335-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{64ca487e-9275-4218-9a82-22ed3007077f}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 3f660eeec99c5938cf188224ea4a9225
  SHA1: c6bb60943ae587c58955fa768a099b1f834b2bc9
  SHA256: 2d2dedbcef1604c95e7f5e6a27ca50497087577cef54de98828b034d7686967c
  SHA512: dec2be2c7373d1c631cf3f866438260509d9eb0621340b7d7d006f0eaf32e5f69ac6fa1a9b541cc08e872d038ec3778037c30ef869efaccc167a568719704992
- Filesize: 428KB
  MD5: a78e416841192a64144c0558732740a1
  SHA1: 273b40361496e76b5fb3e78c329b461e5c4ee260
  SHA256: f7639d2e7a46a4c6bd58b938389b4a72403b2ca7e094c2a44b21afaf566ab1fd
  SHA512: 13ff1999d1b897e93e4b55184b73d9ff50bcd77d6fc4082327fbb41a07e3ec01d26680a2bc7816af06bebee45b494109fef8b3f20e444ce66b87261f7c3036dc