latrodectus | 7f1af59a4de54b17902c28501adebb074b586acd66cd0bc81850fe7927ab4b20

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
28-08-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Run-Malware-1.bat
Size

52B
MD5

c3aaf7a42c7171931aa42cbb02acbe73
SHA1

4561841d5e84c5f9f6c07e4fd5d477bc0edf10b4
SHA256

02974799a1ed8674bd0fdd9435a5efe53236740f5de8f6d126591329b738abff
SHA512

2cb6583df78893081590366f65200a4da613a5a903acd220b70b7d7f19b11ca0dbd90545a0d1f5d3519cae2333b4284d08c4e24544059038e4a5cf2457fceb51

Score

10^/10

latrodectus discovery loader

Malware Config

Signatures

Detects Latrodectus 6 IoCs

Detects Latrodectus v1.4.

resource	yara_rule
behavioral2/memory/3180-0-0x0000018E85EA0000-0x0000018E85EB6000-memory.dmp	family_latrodectus_1_4
behavioral2/memory/3180-1-0x0000018E85EA0000-0x0000018E85EB6000-memory.dmp	family_latrodectus_1_4
behavioral2/memory/3180-3-0x0000018E85EA0000-0x0000018E85EB6000-memory.dmp	family_latrodectus_1_4
behavioral2/memory/3180-6-0x0000018E85EA0000-0x0000018E85EB6000-memory.dmp	family_latrodectus_1_4
behavioral2/memory/2988-9-0x0000017A42930000-0x0000017A42946000-memory.dmp	family_latrodectus_1_4
behavioral2/memory/2988-8-0x0000017A42930000-0x0000017A42946000-memory.dmp	family_latrodectus_1_4

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Loads dropped DLL 1 IoCs

pid	Process
2988	rundll32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3180	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3180	4512	cmd.exe	82
PID 4512 wrote to memory of 3180	4512	cmd.exe	82
PID 3180 wrote to memory of 2988	3180	rundll32.exe	83
PID 3180 wrote to memory of 2988	3180	rundll32.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Run-Malware-1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\system32\rundll32.exe
  rundll32.exe rxgamepadremapping.dll, RxDetourRxInput
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_3b3afc02.dll", RxDetourRxInput
    3⤵
    - Loads dropped DLL
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_3b3afc02.dll

Filesize
1.4MB

MD5
56abe58e12de144476751b3540c3837f

SHA1
00f30bfbaa8637ba6e3b7a928b0ba5e86cd48056

SHA256
19b96b42b2c27e4d4868b6afc44c6fe87573b857b4829bede999c5513eec61d0

SHA512
07f292ee074dfb2d40038f68bfc8ef4c0d28fac51036a1ed85ebbc01f84d24d4aa0a2f91cbae468aa8228e9a1a85bc8b016ab4602624abbe66a10ca6369aab70

Download Submit
memory/2988-9-0x0000017A42930000-0x0000017A42946000-memory.dmp

Filesize
88KB

Download
memory/2988-8-0x0000017A42930000-0x0000017A42946000-memory.dmp

Filesize
88KB

Download
memory/3180-0-0x0000018E85EA0000-0x0000018E85EB6000-memory.dmp

Filesize
88KB

Download
memory/3180-1-0x0000018E85EA0000-0x0000018E85EB6000-memory.dmp

Filesize
88KB

Download
memory/3180-3-0x0000018E85EA0000-0x0000018E85EB6000-memory.dmp

Filesize
88KB

Download
memory/3180-6-0x0000018E85EA0000-0x0000018E85EB6000-memory.dmp

Filesize
88KB

Download
memory/3180-4-0x0000000180000000-0x0000000180172000-memory.dmp

Filesize
1.4MB

Download