Overview

overview

10

Static

static

3

5e7b8f81ce...d8.dll

windows10-2004-x64

10

Resubmissions

10-04-2024 04:28

240410-e3qvysda77 10

19-12-2023 11:50

231219-nztl4sfhe9 3

Analysis

  • max time kernel
    300s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 04:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e7b8f81ce66cfe606ea6470b596cb9fdeace6a3469ee06d3dfe049e1e2951d8.dll

  • Size

    1.8MB

  • MD5

    1cf72e954ed000c16e5cc327e91bdde4

  • SHA1

    39acb9bf780d195cb9308f3f7d48d9a2e0ac6979

  • SHA256

    5e7b8f81ce66cfe606ea6470b596cb9fdeace6a3469ee06d3dfe049e1e2951d8

  • SHA512

    e84a447dc86fb67348cba47d48cee59088a6bbcf7086ffa91920727027e40106892769279fba27ea502e29afde48dddf971ef08418cb7a410dbc7eb2e3961fdd

  • SSDEEP

    24576:7znngr4eig/HxkaoDFITvg9iLXYgIcjGNz5139EOapmIpniJ:7z64gxnoRGI9MXFrjGxNEOapmIpn

Score
10/10
latrodectusdiscoveryloader

Malware Config

Extracted

Family

latrodectus

C2

https://arsimonopa.com/live/

https://lemonimonakio.com/live/

Signatures

  • Latrodectus loader

    Latrodectus is a loader written in C++.

    loaderlatrodectus
  • Detect larodectus Loader variant 1 2 IoCs
    loader
  • Blocklisted process makes network request 64 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e7b8f81ce66cfe606ea6470b596cb9fdeace6a3469ee06d3dfe049e1e2951d8.dll, nail
    1⤵
    • Deletes itself
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_765773b8.dll", nail
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:4544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Custom_update\Update_765773b8.dll
    Filesize

    1.8MB

    MD5

    1cf72e954ed000c16e5cc327e91bdde4

    SHA1

    39acb9bf780d195cb9308f3f7d48d9a2e0ac6979

    SHA256

    5e7b8f81ce66cfe606ea6470b596cb9fdeace6a3469ee06d3dfe049e1e2951d8

    SHA512

    e84a447dc86fb67348cba47d48cee59088a6bbcf7086ffa91920727027e40106892769279fba27ea502e29afde48dddf971ef08418cb7a410dbc7eb2e3961fdd

    Download Submit

  • memory/2408-0-0x0000024E25B60000-0x0000024E25B64000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2408-1-0x0000000180000000-0x0000000180013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2408-7-0x0000000010000000-0x00000000101D1000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4544-16-0x0000000180000000-0x0000000180013000-memory.dmp

    Filesize

    76KB

    Download