Analysis
max time kernel: 141s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
submitted: 31/08/2024, 12:21
Behavioral task: behavioral1
  Sample: UpdaterTag.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: UpdaterTag.dll
  Resource: win10v2004-20240802-en
General
Target: UpdaterTag.dll
Size: 74KB
MD5: 972da9469d08afb5028f7c5aa70e9ac9
SHA1: 83e00c329d98f4d9747e7c361c5eabaaeff7ee87
SHA256: 8acb675710a2906506098266edddd3895c33ec07307035f7e92d2dda2613d3d6
SHA512: 077aab2448755bb25ff5242fdb0a6e88e1145a3e93429a80a04fcc9a9c238e9b8721a3a78bb81770e2a8af97d36b9c5e2a3078a6bb08261d0b80f3a094a0a784
SSDEEP: 1536:U4zhHuRqOoGc2WsV/bWM5wpokf8mwrl/Jk:U4zhHuRooWM5wBkmwrJJ
Malware Config
Extracted: latrodectus
URLs:
  https://isomicrotich.com/test/
  https://rilomenifis.com/test/
Signatures
Detects Latrodectus (2 IoCs)
  Detects Latrodectus v1.4.
  resource | yara_rule
  behavioral1/files/0x000900000001756a-1.dat | family_latrodectus_1_4
  behavioral1/memory/1980-6-0x000007FEFB110000-0x000007FEFB126000-memory.dmp | family_latrodectus_1_4
Latrodectus family
Latrodectus loader
  Latrodectus is a loader written in C++.
Deletes itself (1 IoC)
  pid | Process
  1980 | rundll32.exe
Loads dropped DLL (8 IoCs)
  pid | Process
  2972 | rundll32.exe
  2972 | rundll32.exe
  2972 | rundll32.exe
  2972 | rundll32.exe
  1612 | rundll32.exe
  1612 | rundll32.exe
  1612 | rundll32.exe
  1612 | rundll32.exe
Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  1980 | rundll32.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1980 wrote to memory of 2972 | 1980 | rundll32.exe | 30
  PID 1980 wrote to memory of 2972 | 1980 | rundll32.exe | 30
  PID 1980 wrote to memory of 2972 | 1980 | rundll32.exe | 30
  PID 1980 wrote to memory of 2412 | 1980 | rundll32.exe | 31
  PID 1980 wrote to memory of 2412 | 1980 | rundll32.exe | 31
  PID 1980 wrote to memory of 2412 | 1980 | rundll32.exe | 31
  PID 2304 wrote to memory of 1612 | 2304 | taskeng.exe | 34
  PID 2304 wrote to memory of 1612 | 2304 | taskeng.exe | 34
  PID 2304 wrote to memory of 1612 | 2304 | taskeng.exe | 34
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe (PID: 1980)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\UpdaterTag.dll,#1
  - Deletes itself
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe (PID: 2972)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_8427c75a.dll", #1
    - Loads dropped DLL
  C:\Windows\system32\WerFault.exe (PID: 2412)
    Command line: C:\Windows\system32\WerFault.exe -u -p 1980 -s 276
C:\Windows\system32\taskeng.exe (PID: 2304)
  Command line: taskeng.exe {059A4547-0111-426E-9984-8C893A718B75} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe (PID: 1612)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_8427c75a.dll", #1
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 74KB
MD5: 972da9469d08afb5028f7c5aa70e9ac9
SHA1: 83e00c329d98f4d9747e7c361c5eabaaeff7ee87
SHA256: 8acb675710a2906506098266edddd3895c33ec07307035f7e92d2dda2613d3d6
SHA512: 077aab2448755bb25ff5242fdb0a6e88e1145a3e93429a80a04fcc9a9c238e9b8721a3a78bb81770e2a8af97d36b9c5e2a3078a6bb08261d0b80f3a094a0a784