latrodectus | 1625ac230aa5ca950573f3ba0b1a7bd4c7fbd3e3686f9ecd4a40f1504bf33a11

Resubmissions

16-05-2024 01:39

240516-b2zvpaeg85 10

Analysis

max time kernel
1592s
max time network
1803s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74143402c40ac2e61e9f040a2d7e2d00_NeikiAnalytics.dll
Size

885KB
MD5

74143402c40ac2e61e9f040a2d7e2d00
SHA1

4053dc85bb86c47c63f96681d6a62c21cd6342a3
SHA256

1625ac230aa5ca950573f3ba0b1a7bd4c7fbd3e3686f9ecd4a40f1504bf33a11
SHA512

4aa55b859f15be8b14c4a0ff6f3971f49b47c1c8c8427f179eb4ab0c76e321441adfd173469facb12aae1e81e25f1328fd621214b42e66f690ba4e9ee1e54cf9
SSDEEP

12288:gfPSAAUHV4fZUv/TrguVTax7hNRu18VA8JFoxMk/wYeDKDMyAmp:qPSAAUHV4fZUvfgmaxpu1F8J6xMYHMBS

Score

10^/10

latrodectus discovery loader

Malware Config

Extracted

Family

latrodectus

https://jarinamaers.shop/live/

https://wrankaget.site/live/

Signatures

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Detect larodectus Loader variant 2 4 IoCs

loader

resource	yara_rule
behavioral2/memory/2064-0-0x000001D821E30000-0x000001D821E44000-memory.dmp	family_latrodectus_v2
behavioral2/memory/2064-5-0x000001D821E30000-0x000001D821E44000-memory.dmp	family_latrodectus_v2
behavioral2/memory/3628-6-0x00000229BBA10000-0x00000229BBA24000-memory.dmp	family_latrodectus_v2
behavioral2/memory/3628-10-0x00000229BBA10000-0x00000229BBA24000-memory.dmp	family_latrodectus_v2

Blocklisted process makes network request 64 IoCs

flow	pid	Process
69	3628	rundll32.exe
71	3628	rundll32.exe
72	3628	rundll32.exe
74	3628	rundll32.exe
75	3628	rundll32.exe
76	3628	rundll32.exe
77	3628	rundll32.exe
78	3628	rundll32.exe
79	3628	rundll32.exe
80	3628	rundll32.exe
81	3628	rundll32.exe
82	3628	rundll32.exe
83	3628	rundll32.exe
84	3628	rundll32.exe
85	3628	rundll32.exe
86	3628	rundll32.exe
87	3628	rundll32.exe
88	3628	rundll32.exe
89	3628	rundll32.exe
90	3628	rundll32.exe
91	3628	rundll32.exe
92	3628	rundll32.exe
93	3628	rundll32.exe
94	3628	rundll32.exe
95	3628	rundll32.exe
96	3628	rundll32.exe
97	3628	rundll32.exe
98	3628	rundll32.exe
99	3628	rundll32.exe
100	3628	rundll32.exe
101	3628	rundll32.exe
102	3628	rundll32.exe
104	3628	rundll32.exe
105	3628	rundll32.exe
106	3628	rundll32.exe
107	3628	rundll32.exe
108	3628	rundll32.exe
109	3628	rundll32.exe
110	3628	rundll32.exe
111	3628	rundll32.exe
112	3628	rundll32.exe
113	3628	rundll32.exe
114	3628	rundll32.exe
115	3628	rundll32.exe
116	3628	rundll32.exe
117	3628	rundll32.exe
118	3628	rundll32.exe
119	3628	rundll32.exe
120	3628	rundll32.exe
121	3628	rundll32.exe
122	3628	rundll32.exe
123	3628	rundll32.exe
124	3628	rundll32.exe
125	3628	rundll32.exe
126	3628	rundll32.exe
127	3628	rundll32.exe
128	3628	rundll32.exe
129	3628	rundll32.exe
130	3628	rundll32.exe
131	3628	rundll32.exe
132	3628	rundll32.exe
133	3628	rundll32.exe
134	3628	rundll32.exe
135	3628	rundll32.exe

Deletes itself 1 IoCs

pid	Process
2064	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
3628	rundll32.exe
3128	rundll32.exe
2400	rundll32.exe
4960	rundll32.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2064	rundll32.exe
2064	rundll32.exe
2064	rundll32.exe
2064	rundll32.exe
3628	rundll32.exe
3628	rundll32.exe
3628	rundll32.exe
3628	rundll32.exe
3128	rundll32.exe
3128	rundll32.exe
3128	rundll32.exe
3128	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
4960	rundll32.exe
4960	rundll32.exe
4960	rundll32.exe
4960	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2064	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 3628	2064	rundll32.exe	91
PID 2064 wrote to memory of 3628	2064	rundll32.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\74143402c40ac2e61e9f040a2d7e2d00_NeikiAnalytics.dll,#1
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_939bf747.dll", #1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
1⤵
PID:4224

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_939bf747.dll", #1
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4396,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
1⤵
PID:3320

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_939bf747.dll", #1
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2400

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_939bf747.dll", #1
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_939bf747.dll

Filesize
885KB

MD5
74143402c40ac2e61e9f040a2d7e2d00

SHA1
4053dc85bb86c47c63f96681d6a62c21cd6342a3

SHA256
1625ac230aa5ca950573f3ba0b1a7bd4c7fbd3e3686f9ecd4a40f1504bf33a11

SHA512
4aa55b859f15be8b14c4a0ff6f3971f49b47c1c8c8427f179eb4ab0c76e321441adfd173469facb12aae1e81e25f1328fd621214b42e66f690ba4e9ee1e54cf9

Download Submit
memory/2064-0-0x000001D821E30000-0x000001D821E44000-memory.dmp

Filesize
80KB

Download
memory/2064-5-0x000001D821E30000-0x000001D821E44000-memory.dmp

Filesize
80KB

Download
memory/2064-2-0x0000000180000000-0x0000000180184000-memory.dmp

Filesize
1.5MB

Download
memory/3628-6-0x00000229BBA10000-0x00000229BBA24000-memory.dmp

Filesize
80KB

Download
memory/3628-10-0x00000229BBA10000-0x00000229BBA24000-memory.dmp

Filesize
80KB

Download
memory/3628-11-0x0000000180000000-0x0000000180184000-memory.dmp

Filesize
1.5MB

Download