latrodectus | de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0.msi
Size

1.8MB
MD5

aadb28cd58585f773265bd1e4fd584a6
SHA1

efa3704afcbd08977b2458e9cf5f05ae6da4fd9a
SHA256

de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0
SHA512

412ece345ab2876ceccebd21a6e8e4a235708707ec236d9716a3cd1691917322bcff9a0bc79a1a21ff63df4e8ea395dbc61dfdfd392633bbb82a76f6b2a8f0ae
SSDEEP

49152:q6LvYpW8zBQSc0ZnSKeZKumZr7A0ybfpVENl14rrX:5YQ0ZncK/A0qfnEZ4P

Score

10^/10

latrodectus loader

Malware Config

Extracted

Family

latrodectus

https://titnovacrion.top/live/

https://skinnyjeanso.com/live/

Signatures

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Detect larodectus Loader variant 2 8 IoCs

loader

resource	yara_rule
behavioral2/memory/4948-48-0x00000237DFEC0000-0x00000237DFED4000-memory.dmp	family_latrodectus_v2
behavioral2/memory/4948-50-0x00000237DFEA0000-0x00000237DFEB2000-memory.dmp	family_latrodectus_v2
behavioral2/memory/4948-53-0x00000237E1790000-0x00000237E17A4000-memory.dmp	family_latrodectus_v2
behavioral2/memory/4948-54-0x00000237E1790000-0x00000237E17A4000-memory.dmp	family_latrodectus_v2
behavioral2/memory/4948-59-0x00000237E1790000-0x00000237E17A4000-memory.dmp	family_latrodectus_v2
behavioral2/memory/1444-76-0x000001815CDD0000-0x000001815CDE4000-memory.dmp	family_latrodectus_v2
behavioral2/memory/1444-77-0x000001815CDD0000-0x000001815CDE4000-memory.dmp	family_latrodectus_v2
behavioral2/memory/1444-78-0x000001815CDD0000-0x000001815CDE4000-memory.dmp	family_latrodectus_v2

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI2016.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI24DC.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{060B5AA5-F33D-4FA0-967E-616346C49B21}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI247D.tmp	msiexec.exe
File created	C:\Windows\Installer\e581fb8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e581fb8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2956	MSI24DC.tmp

Loads dropped DLL 10 IoCs

pid	Process
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
1808	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
4948	rundll32.exe
1444	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008fdc540eeb98985f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008fdc540e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008fdc540e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8fdc540e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008fdc540e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
652	msiexec.exe
652	msiexec.exe
2956	MSI24DC.tmp
2956	MSI24DC.tmp
4948	rundll32.exe
4948	rundll32.exe
4948	rundll32.exe
4948	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2372	msiexec.exe
Token: SeSecurityPrivilege	652	msiexec.exe
Token: SeCreateTokenPrivilege	2372	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2372	msiexec.exe
Token: SeLockMemoryPrivilege	2372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2372	msiexec.exe
Token: SeMachineAccountPrivilege	2372	msiexec.exe
Token: SeTcbPrivilege	2372	msiexec.exe
Token: SeSecurityPrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeLoadDriverPrivilege	2372	msiexec.exe
Token: SeSystemProfilePrivilege	2372	msiexec.exe
Token: SeSystemtimePrivilege	2372	msiexec.exe
Token: SeProfSingleProcessPrivilege	2372	msiexec.exe
Token: SeIncBasePriorityPrivilege	2372	msiexec.exe
Token: SeCreatePagefilePrivilege	2372	msiexec.exe
Token: SeCreatePermanentPrivilege	2372	msiexec.exe
Token: SeBackupPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeShutdownPrivilege	2372	msiexec.exe
Token: SeDebugPrivilege	2372	msiexec.exe
Token: SeAuditPrivilege	2372	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2372	msiexec.exe
Token: SeChangeNotifyPrivilege	2372	msiexec.exe
Token: SeRemoteShutdownPrivilege	2372	msiexec.exe
Token: SeUndockPrivilege	2372	msiexec.exe
Token: SeSyncAgentPrivilege	2372	msiexec.exe
Token: SeEnableDelegationPrivilege	2372	msiexec.exe
Token: SeManageVolumePrivilege	2372	msiexec.exe
Token: SeImpersonatePrivilege	2372	msiexec.exe
Token: SeCreateGlobalPrivilege	2372	msiexec.exe
Token: SeCreateTokenPrivilege	2372	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2372	msiexec.exe
Token: SeLockMemoryPrivilege	2372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2372	msiexec.exe
Token: SeMachineAccountPrivilege	2372	msiexec.exe
Token: SeTcbPrivilege	2372	msiexec.exe
Token: SeSecurityPrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeLoadDriverPrivilege	2372	msiexec.exe
Token: SeSystemProfilePrivilege	2372	msiexec.exe
Token: SeSystemtimePrivilege	2372	msiexec.exe
Token: SeProfSingleProcessPrivilege	2372	msiexec.exe
Token: SeIncBasePriorityPrivilege	2372	msiexec.exe
Token: SeCreatePagefilePrivilege	2372	msiexec.exe
Token: SeCreatePermanentPrivilege	2372	msiexec.exe
Token: SeBackupPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeShutdownPrivilege	2372	msiexec.exe
Token: SeDebugPrivilege	2372	msiexec.exe
Token: SeAuditPrivilege	2372	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2372	msiexec.exe
Token: SeChangeNotifyPrivilege	2372	msiexec.exe
Token: SeRemoteShutdownPrivilege	2372	msiexec.exe
Token: SeUndockPrivilege	2372	msiexec.exe
Token: SeSyncAgentPrivilege	2372	msiexec.exe
Token: SeEnableDelegationPrivilege	2372	msiexec.exe
Token: SeManageVolumePrivilege	2372	msiexec.exe
Token: SeImpersonatePrivilege	2372	msiexec.exe
Token: SeCreateGlobalPrivilege	2372	msiexec.exe
Token: SeCreateTokenPrivilege	2372	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2372	msiexec.exe
Token: SeLockMemoryPrivilege	2372	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2372	msiexec.exe
2372	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 1808	652	msiexec.exe	88
PID 652 wrote to memory of 1808	652	msiexec.exe	88
PID 652 wrote to memory of 1808	652	msiexec.exe	88
PID 652 wrote to memory of 4560	652	msiexec.exe	101
PID 652 wrote to memory of 4560	652	msiexec.exe	101
PID 652 wrote to memory of 5080	652	msiexec.exe	104
PID 652 wrote to memory of 5080	652	msiexec.exe	104
PID 652 wrote to memory of 5080	652	msiexec.exe	104
PID 652 wrote to memory of 2956	652	msiexec.exe	105
PID 652 wrote to memory of 2956	652	msiexec.exe	105
PID 652 wrote to memory of 2956	652	msiexec.exe	105
PID 4948 wrote to memory of 1444	4948	rundll32.exe	107
PID 4948 wrote to memory of 1444	4948	rundll32.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\de29ff5d531e11ec17eaa1abfb75c3cdf7c2e3e37bfbae61711aee41f20118b0.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 08C057AB7E4E89A5575E46259D014C88 C
  2⤵
  - Loads dropped DLL
  PID:1808
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4560
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 47A9F8604750C8782E9207AA9FC1642B
  2⤵
  - Loads dropped DLL
  PID:5080
- C:\Windows\Installer\MSI24DC.tmp
  "C:\Windows\Installer\MSI24DC.tmp" C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\QUAL\utile.dll, vgml
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3372

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\QUAL\utile.dll, vgml
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\System32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_660c9e20.dll", vgml
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581fb9.rbs

Filesize
1KB

MD5
cc648e1c1e0ab7729fddc3f5d84f8d8d

SHA1
bfbe267cffa5f87a9fc28d4e80fea47301b8ac1e

SHA256
86359a98969052d91e60b5639b8673783bb6f450dc0786b2f456517c4a78670a

SHA512
7051b0fb9f3afc98b08943cf1a97c299113bd4d74c8ba2dd0be03d85eb412fbe9c7e6bde0c181df53641a1d15c2384dc2b71e6df0abeb8ca9468bd9081b21b7b

Download Submit
C:\Users\Admin\AppData\Local\QUAL\utile.dll

Filesize
1.3MB

MD5
fdee9bf7924baa77c55da756b88558e3

SHA1
a751dbcbcda628b68a3592da97d252ee350aa4a6

SHA256
ac851c7c20500893d64adf7522f565d02b443f6ab6173963f1bf18b470355287

SHA512
63ab4da072f1f91d5d1b35a11a9700bb6692dd8f0462e73d8b9d4e1c958eea1f7417ad04dfe7c2032de41afefd48f7f9a9d67b22f393a06355c02df71456995b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI78CA.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI24DC.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
a296da98268a77f4c90962470b783f9d

SHA1
8459c1b048bd3e4d6617223a9adf7ef873ce20a4

SHA256
b920198767e83de043e0ec6cf91b6e61ab87ed2403bc276ee3a05138882cf17a

SHA512
0652d21af4e018bdc511592a2ca5cbb67d22693db58a764250eb2aa6321c8e7105f7edd4d87f914de7bf6a6d0b95211f8b925a6f9bffb64f435182a8a3151f8b

Download Submit
\??\Volume{0e54dc8f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c61db497-6520-498f-ad7f-84a4e1dca375}_OnDiskSnapshotProp

Filesize
6KB

MD5
dee16a018ab5e5c72ca833290ffbe828

SHA1
9bacabf10c21e8a930b33442983d383f2c351efa

SHA256
3c5895f6a2eb7ad5ed86d512adb1f258a466f299fc596a49f87f01747b691f62

SHA512
68b5a4f5774679de00cf3711bb5cf02dc60bc11bc675f7f5783621d5f758b6c539f97f12ca84f53041596ac238eb4f821178c97866d077ff7163c09fd62701ef

Download Submit
memory/1444-78-0x000001815CDD0000-0x000001815CDE4000-memory.dmp

Filesize
80KB

Download
memory/1444-77-0x000001815CDD0000-0x000001815CDE4000-memory.dmp

Filesize
80KB

Download
memory/1444-76-0x000001815CDD0000-0x000001815CDE4000-memory.dmp

Filesize
80KB

Download
memory/4948-48-0x00000237DFEC0000-0x00000237DFED4000-memory.dmp

Filesize
80KB

Download
memory/4948-59-0x00000237E1790000-0x00000237E17A4000-memory.dmp

Filesize
80KB

Download
memory/4948-56-0x0000000180000000-0x0000000180152000-memory.dmp

Filesize
1.3MB

Download
memory/4948-54-0x00000237E1790000-0x00000237E17A4000-memory.dmp

Filesize
80KB

Download
memory/4948-53-0x00000237E1790000-0x00000237E17A4000-memory.dmp

Filesize
80KB

Download
memory/4948-50-0x00000237DFEA0000-0x00000237DFEB2000-memory.dmp

Filesize
72KB

Download
memory/4948-47-0x00000237DFEA0000-0x00000237DFEB2000-memory.dmp

Filesize
72KB

Download