latrodectus | b4d74473cb5f2aeed8ba8f2e54419370d6c6e5dd0cf3afa12259a000fed96101

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2024, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JDHSY373DE34DE.lnk
Size

838B
MD5

e329a92bc95c5a54492a483f8cf61ac1
SHA1

aca998cbead3c29b346a1e8d14d82a0281f65bfc
SHA256

49fb8c49c01a5f822417f1b9610bb8b9b808d0a0a3d09247b0a64961ede2e8b9
SHA512

bb426820583165354001bd6ae01b1ba1356f34d4c16cb32add1a5d1fdef0846033ca7cbee3bc4ac86e32bac226b54152dc160328b5381661be557c2d9b9ed714

Score

10^/10

latrodectus loader

Malware Config

Extracted

Family

latrodectus

https://peermangoz.me/live/

https://aprettopizza.world/live/

Signatures

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Detect larodectus Loader variant 1 3 IoCs

loader

resource	yara_rule
behavioral2/memory/3628-2-0x000002D2EC3F0000-0x000002D2EC403000-memory.dmp	family_latrodectus_v1
behavioral2/memory/4368-13-0x0000020CE1EA0000-0x0000020CE1EB3000-memory.dmp	family_latrodectus_v1
behavioral2/memory/4368-18-0x0000020CE1EA0000-0x0000020CE1EB3000-memory.dmp	family_latrodectus_v1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
4368	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3628	rundll32.exe
3628	rundll32.exe
3628	rundll32.exe
3628	rundll32.exe
4368	rundll32.exe
4368	rundll32.exe
4368	rundll32.exe
4368	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 3628	4052	cmd.exe	87
PID 4052 wrote to memory of 3628	4052	cmd.exe	87
PID 3628 wrote to memory of 4368	3628	rundll32.exe	90
PID 3628 wrote to memory of 4368	3628	rundll32.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\JDHSY373DE34DE.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" version1.dll, nail
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_7a5b9eab.dll", nail
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_7a5b9eab.dll

Filesize
1.5MB

MD5
b940f9dc5e1f90b9366af62399d9b147

SHA1
ed6367f231ae4c810342e3f31ff7f57738049469

SHA256
221e906b73db3dd177f65eba9310efeb2921f512d1eb67d516d8036b4193344e

SHA512
cc9d754e15259456ad4d0d3f459dfa2065bcc5ea266d4327f9050c27a33c4b4406ed862e2fcb1d4b7a1d37b2ac27d9e705ff7a0a3d7fb711f55dd7c955fa6843

Download Submit
memory/3628-0-0x0000000180000000-0x0000000180188000-memory.dmp

Filesize
1.5MB

Download
memory/3628-1-0x000002D2EC3E0000-0x000002D2EC3E4000-memory.dmp

Filesize
16KB

Download
memory/3628-2-0x000002D2EC3F0000-0x000002D2EC403000-memory.dmp

Filesize
76KB

Download
memory/4368-11-0x0000000180000000-0x0000000180188000-memory.dmp

Filesize
1.5MB

Download
memory/4368-13-0x0000020CE1EA0000-0x0000020CE1EB3000-memory.dmp

Filesize
76KB

Download
memory/4368-18-0x0000020CE1EA0000-0x0000020CE1EB3000-memory.dmp

Filesize
76KB

Download