latrodectus | de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0

Analysis

max time kernel
101s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

font.msi
Size

1.8MB
MD5

aadb28cd58585f773265bd1e4fd584a6
SHA1

efa3704afcbd08977b2458e9cf5f05ae6da4fd9a
SHA256

de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0
SHA512

412ece345ab2876ceccebd21a6e8e4a235708707ec236d9716a3cd1691917322bcff9a0bc79a1a21ff63df4e8ea395dbc61dfdfd392633bbb82a76f6b2a8f0ae
SSDEEP

49152:q6LvYpW8zBQSc0ZnSKeZKumZr7A0ybfpVENl14rrX:5YQ0ZncK/A0qfnEZ4P

Score

10^/10

latrodectus loader

Malware Config

Extracted

Family

latrodectus

https://titnovacrion.top/live/

https://skinnyjeanso.com/live/

Signatures

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Detect larodectus Loader variant 2 8 IoCs

loader

resource	yara_rule
behavioral2/memory/3568-48-0x000001360BBE0000-0x000001360BBF4000-memory.dmp	family_latrodectus_v2
behavioral2/memory/3568-51-0x000001360BBC0000-0x000001360BBD2000-memory.dmp	family_latrodectus_v2
behavioral2/memory/3568-53-0x000001360BC00000-0x000001360BC14000-memory.dmp	family_latrodectus_v2
behavioral2/memory/3568-54-0x000001360BC00000-0x000001360BC14000-memory.dmp	family_latrodectus_v2
behavioral2/memory/3568-59-0x000001360BC00000-0x000001360BC14000-memory.dmp	family_latrodectus_v2
behavioral2/memory/1616-74-0x000002218F760000-0x000002218F774000-memory.dmp	family_latrodectus_v2
behavioral2/memory/1616-77-0x000002218F760000-0x000002218F774000-memory.dmp	family_latrodectus_v2
behavioral2/memory/1616-78-0x000002218F760000-0x000002218F774000-memory.dmp	family_latrodectus_v2

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e577fbf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{060B5AA5-F33D-4FA0-967E-616346C49B21}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8109.tmp	msiexec.exe
File created	C:\Windows\Installer\e577fbf.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FFD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI805C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8158.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3740	MSI8158.tmp

Loads dropped DLL 10 IoCs

pid	Process
4520	MsiExec.exe
4520	MsiExec.exe
4520	MsiExec.exe
4520	MsiExec.exe
4520	MsiExec.exe
4520	MsiExec.exe
1572	MsiExec.exe
1572	MsiExec.exe
3568	rundll32.exe
1616	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005cf4f6141e81f6580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005cf4f6140000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005cf4f614000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5cf4f614000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005cf4f61400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3688	msiexec.exe
3688	msiexec.exe
3740	MSI8158.tmp
3740	MSI8158.tmp
3568	rundll32.exe
3568	rundll32.exe
3568	rundll32.exe
3568	rundll32.exe
1616	rundll32.exe
1616	rundll32.exe
1616	rundll32.exe
1616	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1696	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1696	msiexec.exe
Token: SeSecurityPrivilege	3688	msiexec.exe
Token: SeCreateTokenPrivilege	1696	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1696	msiexec.exe
Token: SeLockMemoryPrivilege	1696	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1696	msiexec.exe
Token: SeMachineAccountPrivilege	1696	msiexec.exe
Token: SeTcbPrivilege	1696	msiexec.exe
Token: SeSecurityPrivilege	1696	msiexec.exe
Token: SeTakeOwnershipPrivilege	1696	msiexec.exe
Token: SeLoadDriverPrivilege	1696	msiexec.exe
Token: SeSystemProfilePrivilege	1696	msiexec.exe
Token: SeSystemtimePrivilege	1696	msiexec.exe
Token: SeProfSingleProcessPrivilege	1696	msiexec.exe
Token: SeIncBasePriorityPrivilege	1696	msiexec.exe
Token: SeCreatePagefilePrivilege	1696	msiexec.exe
Token: SeCreatePermanentPrivilege	1696	msiexec.exe
Token: SeBackupPrivilege	1696	msiexec.exe
Token: SeRestorePrivilege	1696	msiexec.exe
Token: SeShutdownPrivilege	1696	msiexec.exe
Token: SeDebugPrivilege	1696	msiexec.exe
Token: SeAuditPrivilege	1696	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1696	msiexec.exe
Token: SeChangeNotifyPrivilege	1696	msiexec.exe
Token: SeRemoteShutdownPrivilege	1696	msiexec.exe
Token: SeUndockPrivilege	1696	msiexec.exe
Token: SeSyncAgentPrivilege	1696	msiexec.exe
Token: SeEnableDelegationPrivilege	1696	msiexec.exe
Token: SeManageVolumePrivilege	1696	msiexec.exe
Token: SeImpersonatePrivilege	1696	msiexec.exe
Token: SeCreateGlobalPrivilege	1696	msiexec.exe
Token: SeCreateTokenPrivilege	1696	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1696	msiexec.exe
Token: SeLockMemoryPrivilege	1696	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1696	msiexec.exe
Token: SeMachineAccountPrivilege	1696	msiexec.exe
Token: SeTcbPrivilege	1696	msiexec.exe
Token: SeSecurityPrivilege	1696	msiexec.exe
Token: SeTakeOwnershipPrivilege	1696	msiexec.exe
Token: SeLoadDriverPrivilege	1696	msiexec.exe
Token: SeSystemProfilePrivilege	1696	msiexec.exe
Token: SeSystemtimePrivilege	1696	msiexec.exe
Token: SeProfSingleProcessPrivilege	1696	msiexec.exe
Token: SeIncBasePriorityPrivilege	1696	msiexec.exe
Token: SeCreatePagefilePrivilege	1696	msiexec.exe
Token: SeCreatePermanentPrivilege	1696	msiexec.exe
Token: SeBackupPrivilege	1696	msiexec.exe
Token: SeRestorePrivilege	1696	msiexec.exe
Token: SeShutdownPrivilege	1696	msiexec.exe
Token: SeDebugPrivilege	1696	msiexec.exe
Token: SeAuditPrivilege	1696	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1696	msiexec.exe
Token: SeChangeNotifyPrivilege	1696	msiexec.exe
Token: SeRemoteShutdownPrivilege	1696	msiexec.exe
Token: SeUndockPrivilege	1696	msiexec.exe
Token: SeSyncAgentPrivilege	1696	msiexec.exe
Token: SeEnableDelegationPrivilege	1696	msiexec.exe
Token: SeManageVolumePrivilege	1696	msiexec.exe
Token: SeImpersonatePrivilege	1696	msiexec.exe
Token: SeCreateGlobalPrivilege	1696	msiexec.exe
Token: SeCreateTokenPrivilege	1696	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1696	msiexec.exe
Token: SeLockMemoryPrivilege	1696	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1696	msiexec.exe
1696	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4520	3688	msiexec.exe	87
PID 3688 wrote to memory of 4520	3688	msiexec.exe	87
PID 3688 wrote to memory of 4520	3688	msiexec.exe	87
PID 3688 wrote to memory of 1152	3688	msiexec.exe	90
PID 3688 wrote to memory of 1152	3688	msiexec.exe	90
PID 3688 wrote to memory of 1572	3688	msiexec.exe	92
PID 3688 wrote to memory of 1572	3688	msiexec.exe	92
PID 3688 wrote to memory of 1572	3688	msiexec.exe	92
PID 3688 wrote to memory of 3740	3688	msiexec.exe	93
PID 3688 wrote to memory of 3740	3688	msiexec.exe	93
PID 3688 wrote to memory of 3740	3688	msiexec.exe	93
PID 3568 wrote to memory of 1616	3568	rundll32.exe	95
PID 3568 wrote to memory of 1616	3568	rundll32.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\font.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1696

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 422FCA90E5599A9235097CAE7B9FA8CD C
  2⤵
  - Loads dropped DLL
  PID:4520
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1152
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9A7C79E98CEE266708AC8F786C7F0612
  2⤵
  - Loads dropped DLL
  PID:1572
- C:\Windows\Installer\MSI8158.tmp
  "C:\Windows\Installer\MSI8158.tmp" C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\QUAL\utile.dll, vgml
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2988

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\QUAL\utile.dll, vgml
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\System32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_765773b8.dll", vgml
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e577fc0.rbs

Filesize
1KB

MD5
5fcb752382c0aad4ce7f8997cb0579a3

SHA1
0000077a29089e45445d0ba10e863fe6d5815045

SHA256
04dbaaf763145e368215fa3409aa0903f9c417ce29639ce321fb4b05fcbfdfcd

SHA512
836b4ab9c0a3bd2eae76b5b4c1f9ae32c63af56949212d9738a0c044e2c74e9d26a99a03bd39d68fd0dc1f20e9a70811a44a5743b41d64fcb31a9fecb7112523

Download Submit
C:\Users\Admin\AppData\Local\QUAL\utile.dll

Filesize
512KB

MD5
8423009ab0fabf8dc095c2d0e9cfcf1f

SHA1
c13a40741b5b6d9e24befb372dce9b919f20381e

SHA256
0f5e2e6596c140576ae1fa3afcf89fad4508f9752617e5c59c135a0b2958ccfb

SHA512
039a66466a4f667a793276405a8258a6921cb67445f623bcff1b6447b2662f59dae34759bcaadb7335c3b664e99d2d7fa8c83d63999ada163d05b9bb8a701c3b

Download Submit
C:\Users\Admin\AppData\Local\QUAL\utile.dll

Filesize
357KB

MD5
37ca1642b954c032f7aa991cecae8fa3

SHA1
cbd665825edcf530b0ab1e2cf81c8c228c20006e

SHA256
e91d536e7bc0d1c43f7a219cb8032c7cb9b8e6ae9b72883f4988c96d0036114f

SHA512
621c7bc060408321668a012b4ac20d8f1c25c7785a4afea20542972c6b412704606cbe7451d7d003de6b96db173aa03091e22406fecffe859358dda407cb6acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4E2F.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Roaming\Custom_update\Update_765773b8.dll

Filesize
1.3MB

MD5
fdee9bf7924baa77c55da756b88558e3

SHA1
a751dbcbcda628b68a3592da97d252ee350aa4a6

SHA256
ac851c7c20500893d64adf7522f565d02b443f6ab6173963f1bf18b470355287

SHA512
63ab4da072f1f91d5d1b35a11a9700bb6692dd8f0462e73d8b9d4e1c958eea1f7417ad04dfe7c2032de41afefd48f7f9a9d67b22f393a06355c02df71456995b

Download Submit
C:\Windows\Installer\MSI8158.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
4.3MB

MD5
4b01cfb717e2295d820b9b0fc0d7625f

SHA1
ab8cee654dd4b778210ddbe17274696f3798639e

SHA256
e83672495e591fc6c113488ed6e00bffa1dfccc0cecc27f8c6283c6b3eb274f9

SHA512
82d3a8dcd820d5f77d4f3e91521769cb87172bb507c11f81cc7cd7149ad3cfdc0639128afedc4266ca665603443d34651930f505f53803cbe967e431e7e34542

Download Submit
\??\Volume{14f6f45c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8498034b-d849-4c53-a85b-f661cc305026}_OnDiskSnapshotProp

Filesize
6KB

MD5
05c3c705126c6d6a5c92e3a41d5cc8a5

SHA1
1ae52fb8feb211ea3dd7d60c1e1424d5dace87de

SHA256
73460fd4a2b05814bcc967860cc46428b47fd37bdc8d9c534405114490ca3673

SHA512
319f4971de0dc24f99d2456c78b9bc7ec5e8ec7f568ca2eca1210de6f95fadcd4d5ade83861345f6e0a20b8a5c8c5bb70a7a3dd4838fd5be63710c158a624ee9

Download Submit
memory/1616-78-0x000002218F760000-0x000002218F774000-memory.dmp

Filesize
80KB

Download
memory/1616-77-0x000002218F760000-0x000002218F774000-memory.dmp

Filesize
80KB

Download
memory/1616-74-0x000002218F760000-0x000002218F774000-memory.dmp

Filesize
80KB

Download
memory/3568-47-0x000001360BBC0000-0x000001360BBD2000-memory.dmp

Filesize
72KB

Download
memory/3568-56-0x0000000180000000-0x0000000180152000-memory.dmp

Filesize
1.3MB

Download
memory/3568-59-0x000001360BC00000-0x000001360BC14000-memory.dmp

Filesize
80KB

Download
memory/3568-54-0x000001360BC00000-0x000001360BC14000-memory.dmp

Filesize
80KB

Download
memory/3568-53-0x000001360BC00000-0x000001360BC14000-memory.dmp

Filesize
80KB

Download
memory/3568-51-0x000001360BBC0000-0x000001360BBD2000-memory.dmp

Filesize
72KB

Download
memory/3568-48-0x000001360BBE0000-0x000001360BBF4000-memory.dmp

Filesize
80KB

Download