latrodectus | 7f1af59a4de54b17902c28501adebb074b586acd66cd0bc81850fe7927ab4b20

Analysis

max time kernel
1168s
max time network
1169s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Run-Malware-1.bat
Size

52B
MD5

c3aaf7a42c7171931aa42cbb02acbe73
SHA1

4561841d5e84c5f9f6c07e4fd5d477bc0edf10b4
SHA256

02974799a1ed8674bd0fdd9435a5efe53236740f5de8f6d126591329b738abff
SHA512

2cb6583df78893081590366f65200a4da613a5a903acd220b70b7d7f19b11ca0dbd90545a0d1f5d3519cae2333b4284d08c4e24544059038e4a5cf2457fceb51

Score

10^/10

latrodectus discovery loader

Malware Config

Signatures

Detects Latrodectus 7 IoCs

Detects Latrodectus v1.4.

resource	yara_rule
behavioral1/memory/2248-0-0x00000291A8730000-0x00000291A8746000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2248-1-0x00000291A8730000-0x00000291A8746000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2248-3-0x00000291A8730000-0x00000291A8746000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2248-6-0x00000291A8730000-0x00000291A8746000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/4596-8-0x000002734BD50000-0x000002734BD66000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/4596-9-0x000002734BD50000-0x000002734BD66000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/4596-10-0x000002734BD50000-0x000002734BD66000-memory.dmp	family_latrodectus_1_4

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Blocklisted process makes network request 34 IoCs

flow	pid	Process
70	4596	rundll32.exe
72	4596	rundll32.exe
75	4596	rundll32.exe
76	4596	rundll32.exe
77	4596	rundll32.exe
78	4596	rundll32.exe
83	4596	rundll32.exe
84	4596	rundll32.exe
86	4596	rundll32.exe
87	4596	rundll32.exe
88	4596	rundll32.exe
89	4596	rundll32.exe
90	4596	rundll32.exe
91	4596	rundll32.exe
92	4596	rundll32.exe
93	4596	rundll32.exe
94	4596	rundll32.exe
95	4596	rundll32.exe
96	4596	rundll32.exe
97	4596	rundll32.exe
98	4596	rundll32.exe
99	4596	rundll32.exe
100	4596	rundll32.exe
101	4596	rundll32.exe
102	4596	rundll32.exe
103	4596	rundll32.exe
104	4596	rundll32.exe
105	4596	rundll32.exe
106	4596	rundll32.exe
107	4596	rundll32.exe
108	4596	rundll32.exe
109	4596	rundll32.exe
110	4596	rundll32.exe
111	4596	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4596	rundll32.exe
1832	rundll32.exe
4836	rundll32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2248	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2248	1504	cmd.exe	85
PID 1504 wrote to memory of 2248	1504	cmd.exe	85
PID 2248 wrote to memory of 4596	2248	rundll32.exe	86
PID 2248 wrote to memory of 4596	2248	rundll32.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Run-Malware-1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\system32\rundll32.exe
  rundll32.exe rxgamepadremapping.dll, RxDetourRxInput
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ba10e692.dll", RxDetourRxInput
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4596

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ba10e692.dll", RxDetourRxInput
1⤵
- Loads dropped DLL
PID:1832

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ba10e692.dll", RxDetourRxInput
1⤵
- Loads dropped DLL
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_ba10e692.dll

Filesize
1.4MB

MD5
56abe58e12de144476751b3540c3837f

SHA1
00f30bfbaa8637ba6e3b7a928b0ba5e86cd48056

SHA256
19b96b42b2c27e4d4868b6afc44c6fe87573b857b4829bede999c5513eec61d0

SHA512
07f292ee074dfb2d40038f68bfc8ef4c0d28fac51036a1ed85ebbc01f84d24d4aa0a2f91cbae468aa8228e9a1a85bc8b016ab4602624abbe66a10ca6369aab70

Download Submit
memory/2248-0-0x00000291A8730000-0x00000291A8746000-memory.dmp

Filesize
88KB

Download
memory/2248-1-0x00000291A8730000-0x00000291A8746000-memory.dmp

Filesize
88KB

Download
memory/2248-3-0x00000291A8730000-0x00000291A8746000-memory.dmp

Filesize
88KB

Download
memory/2248-4-0x0000000180000000-0x0000000180172000-memory.dmp

Filesize
1.4MB

Download
memory/2248-6-0x00000291A8730000-0x00000291A8746000-memory.dmp

Filesize
88KB

Download
memory/4596-8-0x000002734BD50000-0x000002734BD66000-memory.dmp

Filesize
88KB

Download
memory/4596-9-0x000002734BD50000-0x000002734BD66000-memory.dmp

Filesize
88KB

Download
memory/4596-10-0x000002734BD50000-0x000002734BD66000-memory.dmp

Filesize
88KB

Download