latrodectus | 334c3f529b1c580ea83e2ea1e85b7a937dcceb3dd3b2a533afb936f53100c222

Analysis

max time kernel
136s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

334c3f529b1c580ea83e2ea1e85b7a937dcceb3dd3b2a533afb936f53100c222.msi
Size

1.6MB
MD5

329259260ebe046b0e80bec91f632ba0
SHA1

db1184c14af32cf859d7f089d1dacc685257cc11
SHA256

334c3f529b1c580ea83e2ea1e85b7a937dcceb3dd3b2a533afb936f53100c222
SHA512

cfa0235623ec962266dbe9bcba5eac4535eff365aa784e6cf4d2a877aa6fedcc0801e5ba751b35ad176997337b72e4141f42ee07faf1017abcfda42b3228b2a4
SSDEEP

49152:L/c3YuW8zBQSc0ZnSKYZKumZr7AVXP4XnEPvw:CY90ZniK/AVXP

Score

10^/10

latrodectus discovery loader persistence privilege_escalation

Malware Config

Signatures

Detects Latrodectus 1 IoCs

Detects Latrodectus v1.4.

resource	yara_rule
behavioral2/memory/1632-64-0x000001E54B590000-0x000001E54B5A6000-memory.dmp	family_latrodectus_1_4

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e58be98.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC070.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C3EF75B7-DF56-4658-B4FD-77A897CEA03F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC001.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58be98.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBED6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF64.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1480	MSIC070.tmp

Loads dropped DLL 10 IoCs

pid	Process
6136	MsiExec.exe
6136	MsiExec.exe
6136	MsiExec.exe
6136	MsiExec.exe
6136	MsiExec.exe
6136	MsiExec.exe
4652	MsiExec.exe
4652	MsiExec.exe
4476	rundll32.exe
1632	rundll32.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2940	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIC070.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f7b83aff83bcb26e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f7b83aff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f7b83aff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df7b83aff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f7b83aff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1544	msiexec.exe
1544	msiexec.exe
1480	MSIC070.tmp
1480	MSIC070.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2940	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2940	msiexec.exe
Token: SeSecurityPrivilege	1544	msiexec.exe
Token: SeCreateTokenPrivilege	2940	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2940	msiexec.exe
Token: SeLockMemoryPrivilege	2940	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2940	msiexec.exe
Token: SeMachineAccountPrivilege	2940	msiexec.exe
Token: SeTcbPrivilege	2940	msiexec.exe
Token: SeSecurityPrivilege	2940	msiexec.exe
Token: SeTakeOwnershipPrivilege	2940	msiexec.exe
Token: SeLoadDriverPrivilege	2940	msiexec.exe
Token: SeSystemProfilePrivilege	2940	msiexec.exe
Token: SeSystemtimePrivilege	2940	msiexec.exe
Token: SeProfSingleProcessPrivilege	2940	msiexec.exe
Token: SeIncBasePriorityPrivilege	2940	msiexec.exe
Token: SeCreatePagefilePrivilege	2940	msiexec.exe
Token: SeCreatePermanentPrivilege	2940	msiexec.exe
Token: SeBackupPrivilege	2940	msiexec.exe
Token: SeRestorePrivilege	2940	msiexec.exe
Token: SeShutdownPrivilege	2940	msiexec.exe
Token: SeDebugPrivilege	2940	msiexec.exe
Token: SeAuditPrivilege	2940	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2940	msiexec.exe
Token: SeChangeNotifyPrivilege	2940	msiexec.exe
Token: SeRemoteShutdownPrivilege	2940	msiexec.exe
Token: SeUndockPrivilege	2940	msiexec.exe
Token: SeSyncAgentPrivilege	2940	msiexec.exe
Token: SeEnableDelegationPrivilege	2940	msiexec.exe
Token: SeManageVolumePrivilege	2940	msiexec.exe
Token: SeImpersonatePrivilege	2940	msiexec.exe
Token: SeCreateGlobalPrivilege	2940	msiexec.exe
Token: SeCreateTokenPrivilege	2940	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2940	msiexec.exe
Token: SeLockMemoryPrivilege	2940	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2940	msiexec.exe
Token: SeMachineAccountPrivilege	2940	msiexec.exe
Token: SeTcbPrivilege	2940	msiexec.exe
Token: SeSecurityPrivilege	2940	msiexec.exe
Token: SeTakeOwnershipPrivilege	2940	msiexec.exe
Token: SeLoadDriverPrivilege	2940	msiexec.exe
Token: SeSystemProfilePrivilege	2940	msiexec.exe
Token: SeSystemtimePrivilege	2940	msiexec.exe
Token: SeProfSingleProcessPrivilege	2940	msiexec.exe
Token: SeIncBasePriorityPrivilege	2940	msiexec.exe
Token: SeCreatePagefilePrivilege	2940	msiexec.exe
Token: SeCreatePermanentPrivilege	2940	msiexec.exe
Token: SeBackupPrivilege	2940	msiexec.exe
Token: SeRestorePrivilege	2940	msiexec.exe
Token: SeShutdownPrivilege	2940	msiexec.exe
Token: SeDebugPrivilege	2940	msiexec.exe
Token: SeAuditPrivilege	2940	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2940	msiexec.exe
Token: SeChangeNotifyPrivilege	2940	msiexec.exe
Token: SeRemoteShutdownPrivilege	2940	msiexec.exe
Token: SeUndockPrivilege	2940	msiexec.exe
Token: SeSyncAgentPrivilege	2940	msiexec.exe
Token: SeEnableDelegationPrivilege	2940	msiexec.exe
Token: SeManageVolumePrivilege	2940	msiexec.exe
Token: SeImpersonatePrivilege	2940	msiexec.exe
Token: SeCreateGlobalPrivilege	2940	msiexec.exe
Token: SeCreateTokenPrivilege	2940	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2940	msiexec.exe
Token: SeLockMemoryPrivilege	2940	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2940	msiexec.exe
2940	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 6136	1544	msiexec.exe	93
PID 1544 wrote to memory of 6136	1544	msiexec.exe	93
PID 1544 wrote to memory of 6136	1544	msiexec.exe	93
PID 1544 wrote to memory of 4156	1544	msiexec.exe	109
PID 1544 wrote to memory of 4156	1544	msiexec.exe	109
PID 1544 wrote to memory of 4652	1544	msiexec.exe	111
PID 1544 wrote to memory of 4652	1544	msiexec.exe	111
PID 1544 wrote to memory of 4652	1544	msiexec.exe	111
PID 1544 wrote to memory of 1480	1544	msiexec.exe	112
PID 1544 wrote to memory of 1480	1544	msiexec.exe	112
PID 1544 wrote to memory of 1480	1544	msiexec.exe	112
PID 4476 wrote to memory of 1632	4476	rundll32.exe	114
PID 4476 wrote to memory of 1632	4476	rundll32.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\334c3f529b1c580ea83e2ea1e85b7a937dcceb3dd3b2a533afb936f53100c222.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2940

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3276BEC2F16EDEE04D64394C0463B1E8 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6136
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4156
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7B6BC715C9CFAF659C24E69FC7A8E445
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4652
- C:\Windows\Installer\MSIC070.tmp
  "C:\Windows\Installer\MSIC070.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Roaming\tz6.dll, NvCreateMPEG4MuxSink
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4768,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=1284 /prefetch:8
1⤵
PID:116

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\tz6.dll, NvCreateMPEG4MuxSink
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\System32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_31db8e5f.dll", NvCreateMPEG4MuxSink
  2⤵
  - Loads dropped DLL
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58be99.rbs

Filesize
1KB

MD5
0cd0e3f3b30c994bd92b6e40bca6c4ce

SHA1
cc52a4e90f4c03181a81ebccee91e763f6aafbd9

SHA256
7bb1442a8dd6d275aed94c62d8d5c6944736679d64be6ff2f43e72a417ac424c

SHA512
a3faf42b6e3a338032e937a02ebe403eb2c296d9b26d002619de2677d38c2340ae3144a4552fbd8246e75aa58c0e5e7f20b624b90e4fad7169d4008ec0634417

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8085.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Roaming\tz6.dll

Filesize
1.1MB

MD5
11bba295ee381161292c384c2eca7a0c

SHA1
2ce64388e396af0c1d96c8544fca6cfee0644f54

SHA256
4dabba4dbabba2b5201fca7e525859946ad860e2693574dc2a6d18348b0c8b95

SHA512
42d926b2a6a4dc99f264a7a38ab951e55f5b126313d8f3250698aca65aea6330030940c91179b29b563c625ddd8f2672ddb7ec3a4f440ffe32dcd3d6cb982f55

Download Submit
C:\Windows\Installer\MSIC070.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
5cc6a92dc477a941ec7a2beb6d2c2268

SHA1
9114997920a425151c70d86fa79aa24b43cd67a9

SHA256
1c26dc9f6d265e80862767e8749cc0022a064eec3e52f72da820459ad53f35c7

SHA512
58a1301a32d2ca7f823ed000074cc4103c1d52e2f2195dd84297f225f64d6419fbf8ab89f3ebf97aae721dc25ec5e755102d5afed935459e702bc3b0258e751e

Download Submit
\??\Volume{ff3ab8f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1eccb94d-c116-4742-a6a3-f9f497ea5510}_OnDiskSnapshotProp

Filesize
6KB

MD5
7eb969e58892b7cdc2e819dfb187b638

SHA1
cb24e09c5e484437692100d0803df8add466ea60

SHA256
41ced9a0f9d5878d8850af660250ac5e639a365b35de8683bd3a8004c41e29c1

SHA512
bc38f9482a291dae2995c826612b64e0ecc94a345bf9f630fe6e3afe40fd8cdfab7b5500e56c61b7ceb57cb89339b2f84fe0b8dc6f9a13c225b4fa20589bab1f

Download Submit
memory/1632-64-0x000001E54B590000-0x000001E54B5A6000-memory.dmp

Filesize
88KB

Download
memory/4476-50-0x0000000180000000-0x0000000180122000-memory.dmp

Filesize
1.1MB

Download