Overview

overview

10

Static

static

3

UPDATE-HSY...ml.lnk

windows7-x64

10

UPDATE-HSY...ml.lnk

windows10-2004-x64

10

version1.dll

windows7-x64

1

version1.dll

windows10-2004-x64

1

Resubmissions

08-04-2024 21:40

240408-1h8qxsfh61 10

08-04-2024 20:47

240408-zkt5wabe38 10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-04-2024 20:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UPDATE-HSYEYDBB.html.lnk

  • Size

    1KB

  • MD5

    564896c159f0d7c086d0d5bc966959d3

  • SHA1

    b63dadc4d961995a77a9c183c809321e5564da60

  • SHA256

    db03a34684feab7475862080f59d4d99b32c74d3a152a53b257fd1a443e8ee77

  • SHA512

    fb9ca2821f15f9946770fb29dfcd3724a868af27b998cd0191135ef11e38b7d5a1c8214fb37e178b1ed68fe6d3ae828acf43d9f5243d753ba58f5361f6c8398f

Score
10/10
latrodectusloader

Malware Config

Extracted

Family

latrodectus

C2

https://mazdakrichest.com/live/

https://riverhasus.com/live/

Signatures

  • Latrodectus loader

    Latrodectus is a loader written in C++.

    loaderlatrodectus
  • Detect larodectus Loader variant 1 3 IoCs
    loader
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\UPDATE-HSYEYDBB.html.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" version1.dll, scab
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3472
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_33b0dade.dll", scab
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:3892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Custom_update\Update_33b0dade.dll
    Filesize

    1.4MB

    MD5

    f834dfc1861cd6361f34496c3bbafe66

    SHA1

    a983e82d009901310c8a3255c4b4e3a02d556fa7

    SHA256

    e99f3517a36a9f7a55335699cfb4d84d08b042d47146119156f7f3bab580b4d7

    SHA512

    088a6170c948ddb2c2b0cf2431ae61688201ef5bc3f1af217a58bf18b26dd9e0ab7ee082f822e736d0467f62e33bf71b806127eb998bed8e739c1e441ac05e00

    Download Submit

  • memory/3472-0-0x000001B98EFC0000-0x000001B98EFC4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3472-1-0x000001B9908B0000-0x000001B9908C3000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3472-7-0x0000000180000000-0x000000018016F000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3892-11-0x0000027E5F120000-0x0000027E5F133000-memory.dmp

    Filesize

    76KB

    Download

  • memory/3892-16-0x0000027E5F120000-0x0000027E5F133000-memory.dmp

    Filesize

    76KB

    Download