latrodectus | 7f1af59a4de54b17902c28501adebb074b586acd66cd0bc81850fe7927ab4b20

Analysis

max time kernel
1146s
max time network
1152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
28-08-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Run-Malware-1.bat
Size

52B
MD5

c3aaf7a42c7171931aa42cbb02acbe73
SHA1

4561841d5e84c5f9f6c07e4fd5d477bc0edf10b4
SHA256

02974799a1ed8674bd0fdd9435a5efe53236740f5de8f6d126591329b738abff
SHA512

2cb6583df78893081590366f65200a4da613a5a903acd220b70b7d7f19b11ca0dbd90545a0d1f5d3519cae2333b4284d08c4e24544059038e4a5cf2457fceb51

Score

10^/10

latrodectus discovery loader

Malware Config

Signatures

Detects Latrodectus 6 IoCs

Detects Latrodectus v1.4.

resource	yara_rule
behavioral2/memory/4160-0-0x000001626F750000-0x000001626F766000-memory.dmp	family_latrodectus_1_4
behavioral2/memory/4160-1-0x000001626F750000-0x000001626F766000-memory.dmp	family_latrodectus_1_4
behavioral2/memory/4160-2-0x000001626F750000-0x000001626F766000-memory.dmp	family_latrodectus_1_4
behavioral2/memory/4160-6-0x000001626F750000-0x000001626F766000-memory.dmp	family_latrodectus_1_4
behavioral2/memory/1140-9-0x0000018C00770000-0x0000018C00786000-memory.dmp	family_latrodectus_1_4
behavioral2/memory/1140-8-0x0000018C00770000-0x0000018C00786000-memory.dmp	family_latrodectus_1_4

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Blocklisted process makes network request 32 IoCs

flow	pid	Process
3	1140	rundll32.exe
4	1140	rundll32.exe
5	1140	rundll32.exe
6	1140	rundll32.exe
11	1140	rundll32.exe
12	1140	rundll32.exe
14	1140	rundll32.exe
15	1140	rundll32.exe
17	1140	rundll32.exe
18	1140	rundll32.exe
19	1140	rundll32.exe
20	1140	rundll32.exe
21	1140	rundll32.exe
22	1140	rundll32.exe
23	1140	rundll32.exe
24	1140	rundll32.exe
25	1140	rundll32.exe
26	1140	rundll32.exe
27	1140	rundll32.exe
28	1140	rundll32.exe
29	1140	rundll32.exe
30	1140	rundll32.exe
31	1140	rundll32.exe
32	1140	rundll32.exe
33	1140	rundll32.exe
34	1140	rundll32.exe
35	1140	rundll32.exe
36	1140	rundll32.exe
37	1140	rundll32.exe
38	1140	rundll32.exe
39	1140	rundll32.exe
40	1140	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
1140	rundll32.exe
2504	rundll32.exe
1432	rundll32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4160	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 4160	2992	cmd.exe	83
PID 2992 wrote to memory of 4160	2992	cmd.exe	83
PID 4160 wrote to memory of 1140	4160	rundll32.exe	84
PID 4160 wrote to memory of 1140	4160	rundll32.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Run-Malware-1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\system32\rundll32.exe
  rundll32.exe rxgamepadremapping.dll, RxDetourRxInput
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_fd2f8641.dll", RxDetourRxInput
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1140

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_fd2f8641.dll", RxDetourRxInput
1⤵
- Loads dropped DLL
PID:2504

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_fd2f8641.dll", RxDetourRxInput
1⤵
- Loads dropped DLL
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_fd2f8641.dll

Filesize
1.4MB

MD5
56abe58e12de144476751b3540c3837f

SHA1
00f30bfbaa8637ba6e3b7a928b0ba5e86cd48056

SHA256
19b96b42b2c27e4d4868b6afc44c6fe87573b857b4829bede999c5513eec61d0

SHA512
07f292ee074dfb2d40038f68bfc8ef4c0d28fac51036a1ed85ebbc01f84d24d4aa0a2f91cbae468aa8228e9a1a85bc8b016ab4602624abbe66a10ca6369aab70

Download Submit
memory/1140-9-0x0000018C00770000-0x0000018C00786000-memory.dmp

Filesize
88KB

Download
memory/1140-8-0x0000018C00770000-0x0000018C00786000-memory.dmp

Filesize
88KB

Download
memory/4160-0-0x000001626F750000-0x000001626F766000-memory.dmp

Filesize
88KB

Download
memory/4160-1-0x000001626F750000-0x000001626F766000-memory.dmp

Filesize
88KB

Download
memory/4160-2-0x000001626F750000-0x000001626F766000-memory.dmp

Filesize
88KB

Download
memory/4160-6-0x000001626F750000-0x000001626F766000-memory.dmp

Filesize
88KB

Download
memory/4160-4-0x0000000180000000-0x0000000180172000-memory.dmp

Filesize
1.4MB

Download