Analysis
-
max time kernel
31s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
16-07-2024 13:45
Static task
static1
Behavioral task
behavioral1
Sample
08075e8a6dcc6a5fca089348edbd5fc07b2b0b26a26a46e0dd401121fdaa88d3.msi
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
08075e8a6dcc6a5fca089348edbd5fc07b2b0b26a26a46e0dd401121fdaa88d3.msi
Resource
win10v2004-20240709-en
General
-
Target
08075e8a6dcc6a5fca089348edbd5fc07b2b0b26a26a46e0dd401121fdaa88d3.msi
-
Size
1.6MB
-
MD5
b1532277024424c2071f0293eb39431a
-
SHA1
ca7b962b28407f02f715a1cd8e027146184342a2
-
SHA256
08075e8a6dcc6a5fca089348edbd5fc07b2b0b26a26a46e0dd401121fdaa88d3
-
SHA512
30c1e2468a8277d41befda9d855be34617d3cb143e047a4aaeb070e948ccb615d636c5942a45278bd947f14dae78c1c92126fd8cc88224c5c132a7440e8de1f1
-
SSDEEP
49152:6VUvYIW8zBQSc0ZnSKeZKumZr7A4iTBdx:BYP0ZncK/A4iFf
Malware Config
Extracted
latrodectus
https://winarkamaps.com/live/
https://stratimasesstr.com/live/
Signatures
-
Latrodectus loader
Latrodectus is a loader written in C++.
-
Detect larodectus Loader variant 2 1 IoCs
resource yara_rule behavioral1/memory/1748-47-0x0000000001B00000-0x0000000001B14000-memory.dmp family_latrodectus_v2 -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File created C:\Windows\Installer\f789fc9.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIA48A.tmp msiexec.exe File opened for modification C:\Windows\Installer\f789fc9.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f789fc8.msi msiexec.exe File opened for modification C:\Windows\Installer\f789fc8.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIA0F1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA69E.tmp msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 1084 MSIA69E.tmp -
Loads dropped DLL 10 IoCs
pid Process 2884 MsiExec.exe 2884 MsiExec.exe 2884 MsiExec.exe 2884 MsiExec.exe 2884 MsiExec.exe 3056 MsiExec.exe 1748 rundll32.exe 1748 rundll32.exe 1748 rundll32.exe 1748 rundll32.exe -
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
pid Process 2388 msiexec.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 972 msiexec.exe 972 msiexec.exe 1084 MSIA69E.tmp 1748 rundll32.exe 1748 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2388 msiexec.exe Token: SeIncreaseQuotaPrivilege 2388 msiexec.exe Token: SeRestorePrivilege 972 msiexec.exe Token: SeTakeOwnershipPrivilege 972 msiexec.exe Token: SeSecurityPrivilege 972 msiexec.exe Token: SeCreateTokenPrivilege 2388 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2388 msiexec.exe Token: SeLockMemoryPrivilege 2388 msiexec.exe Token: SeIncreaseQuotaPrivilege 2388 msiexec.exe Token: SeMachineAccountPrivilege 2388 msiexec.exe Token: SeTcbPrivilege 2388 msiexec.exe Token: SeSecurityPrivilege 2388 msiexec.exe Token: SeTakeOwnershipPrivilege 2388 msiexec.exe Token: SeLoadDriverPrivilege 2388 msiexec.exe Token: SeSystemProfilePrivilege 2388 msiexec.exe Token: SeSystemtimePrivilege 2388 msiexec.exe Token: SeProfSingleProcessPrivilege 2388 msiexec.exe Token: SeIncBasePriorityPrivilege 2388 msiexec.exe Token: SeCreatePagefilePrivilege 2388 msiexec.exe Token: SeCreatePermanentPrivilege 2388 msiexec.exe Token: SeBackupPrivilege 2388 msiexec.exe Token: SeRestorePrivilege 2388 msiexec.exe Token: SeShutdownPrivilege 2388 msiexec.exe Token: SeDebugPrivilege 2388 msiexec.exe Token: SeAuditPrivilege 2388 msiexec.exe Token: SeSystemEnvironmentPrivilege 2388 msiexec.exe Token: SeChangeNotifyPrivilege 2388 msiexec.exe Token: SeRemoteShutdownPrivilege 2388 msiexec.exe Token: SeUndockPrivilege 2388 msiexec.exe Token: SeSyncAgentPrivilege 2388 msiexec.exe Token: SeEnableDelegationPrivilege 2388 msiexec.exe Token: SeManageVolumePrivilege 2388 msiexec.exe Token: SeImpersonatePrivilege 2388 msiexec.exe Token: SeCreateGlobalPrivilege 2388 msiexec.exe Token: SeCreateTokenPrivilege 2388 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2388 msiexec.exe Token: SeLockMemoryPrivilege 2388 msiexec.exe Token: SeIncreaseQuotaPrivilege 2388 msiexec.exe Token: SeMachineAccountPrivilege 2388 msiexec.exe Token: SeTcbPrivilege 2388 msiexec.exe Token: SeSecurityPrivilege 2388 msiexec.exe Token: SeTakeOwnershipPrivilege 2388 msiexec.exe Token: SeLoadDriverPrivilege 2388 msiexec.exe Token: SeSystemProfilePrivilege 2388 msiexec.exe Token: SeSystemtimePrivilege 2388 msiexec.exe Token: SeProfSingleProcessPrivilege 2388 msiexec.exe Token: SeIncBasePriorityPrivilege 2388 msiexec.exe Token: SeCreatePagefilePrivilege 2388 msiexec.exe Token: SeCreatePermanentPrivilege 2388 msiexec.exe Token: SeBackupPrivilege 2388 msiexec.exe Token: SeRestorePrivilege 2388 msiexec.exe Token: SeShutdownPrivilege 2388 msiexec.exe Token: SeDebugPrivilege 2388 msiexec.exe Token: SeAuditPrivilege 2388 msiexec.exe Token: SeSystemEnvironmentPrivilege 2388 msiexec.exe Token: SeChangeNotifyPrivilege 2388 msiexec.exe Token: SeRemoteShutdownPrivilege 2388 msiexec.exe Token: SeUndockPrivilege 2388 msiexec.exe Token: SeSyncAgentPrivilege 2388 msiexec.exe Token: SeEnableDelegationPrivilege 2388 msiexec.exe Token: SeManageVolumePrivilege 2388 msiexec.exe Token: SeImpersonatePrivilege 2388 msiexec.exe Token: SeCreateGlobalPrivilege 2388 msiexec.exe Token: SeCreateTokenPrivilege 2388 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2388 msiexec.exe 2388 msiexec.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 972 wrote to memory of 2884 972 msiexec.exe 30 PID 972 wrote to memory of 2884 972 msiexec.exe 30 PID 972 wrote to memory of 2884 972 msiexec.exe 30 PID 972 wrote to memory of 2884 972 msiexec.exe 30 PID 972 wrote to memory of 2884 972 msiexec.exe 30 PID 972 wrote to memory of 2884 972 msiexec.exe 30 PID 972 wrote to memory of 2884 972 msiexec.exe 30 PID 972 wrote to memory of 3056 972 msiexec.exe 34 PID 972 wrote to memory of 3056 972 msiexec.exe 34 PID 972 wrote to memory of 3056 972 msiexec.exe 34 PID 972 wrote to memory of 3056 972 msiexec.exe 34 PID 972 wrote to memory of 3056 972 msiexec.exe 34 PID 972 wrote to memory of 3056 972 msiexec.exe 34 PID 972 wrote to memory of 3056 972 msiexec.exe 34 PID 972 wrote to memory of 1084 972 msiexec.exe 35 PID 972 wrote to memory of 1084 972 msiexec.exe 35 PID 972 wrote to memory of 1084 972 msiexec.exe 35 PID 972 wrote to memory of 1084 972 msiexec.exe 35 PID 972 wrote to memory of 1084 972 msiexec.exe 35 PID 972 wrote to memory of 1084 972 msiexec.exe 35 PID 972 wrote to memory of 1084 972 msiexec.exe 35 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\08075e8a6dcc6a5fca089348edbd5fc07b2b0b26a26a46e0dd401121fdaa88d3.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2388
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 71312417914DA154F305FCAA57428627 C2⤵
- Loads dropped DLL
PID:2884
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 15491BD03CADA0F54EDC948532F36F592⤵
- Loads dropped DLL
PID:3056
-
-
C:\Windows\Installer\MSIA69E.tmp"C:\Windows\Installer\MSIA69E.tmp" C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\digistamp\360Util.dll, homq2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1084
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2848
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003F4" "00000000000005F0"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2596
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\digistamp\360Util.dll, homq1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1748
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a8f045127507c29933343c01de2251cf
SHA1bec3d6f78c7849e3522e4109f4bda5f0816a6ed2
SHA256ec7d24abc1ea25e61a8c50c954806f9efc80fd20f1b7d812cfb52be6e94d634a
SHA512dfa007d8980be140166c5b500232f9c0b484cf83d1ae71a74b6f6c03541052d7d12bb9de3adedf3b8dfe307045b016813d8f793d106690ae5e78554bcef592b9
-
Filesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
Filesize
389KB
MD5b9545ed17695a32face8c3408a6a3553
SHA1f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
SHA2561e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
SHA512f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04
-
Filesize
895KB
MD5d158665d5beda7f0fd02fe0a0b78d0a3
SHA12decd5a2fb6f85414a2b7b0c0d314a60c517e562
SHA2568ed1ba513b298c2dea57d5d47b3bdb8dc3d622e8e8b64ed244633ae8ccab8cfc
SHA51278499c3d04d7cc2a24aaead4644530647f8c6d5ce5fb03fa88b99f58429d86208371a92e138405948c47ff7672fc37bc3418f52d2b1ff924c262b207c8785b18