latrodectus | 8acb675710a2906506098266edddd3895c33ec07307035f7e92d2dda2613d3d6

General

Target

UpdaterTag.dll
Size

74KB
MD5

972da9469d08afb5028f7c5aa70e9ac9
SHA1

83e00c329d98f4d9747e7c361c5eabaaeff7ee87
SHA256

8acb675710a2906506098266edddd3895c33ec07307035f7e92d2dda2613d3d6
SHA512

077aab2448755bb25ff5242fdb0a6e88e1145a3e93429a80a04fcc9a9c238e9b8721a3a78bb81770e2a8af97d36b9c5e2a3078a6bb08261d0b80f3a094a0a784
SSDEEP

1536:U4zhHuRqOoGc2WsV/bWM5wpokf8mwrl/Jk:U4zhHuRooWM5wBkmwrJJ

Score

10^/10

latrodectus loader

Malware Config

Extracted

Family

latrodectus

C2

https://isomicrotich.com/test/

https://rilomenifis.com/test/

Signatures

Detects Latrodectus 2 IoCs

Detects Latrodectus v1.4.

resource	yara_rule
behavioral1/files/0x000900000001756a-1.dat	family_latrodectus_1_4
behavioral1/memory/1980-6-0x000007FEFB110000-0x000007FEFB126000-memory.dmp	family_latrodectus_1_4

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Deletes itself 1 IoCs

pid	Process
1980	rundll32.exe

Loads dropped DLL 8 IoCs

pid	Process
2972	rundll32.exe
2972	rundll32.exe
2972	rundll32.exe
2972	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1980	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2972	1980	rundll32.exe	30
PID 1980 wrote to memory of 2972	1980	rundll32.exe	30
PID 1980 wrote to memory of 2972	1980	rundll32.exe	30
PID 1980 wrote to memory of 2412	1980	rundll32.exe	31
PID 1980 wrote to memory of 2412	1980	rundll32.exe	31
PID 1980 wrote to memory of 2412	1980	rundll32.exe	31
PID 2304 wrote to memory of 1612	2304	taskeng.exe	34
PID 2304 wrote to memory of 1612	2304	taskeng.exe	34
PID 2304 wrote to memory of 1612	2304	taskeng.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\UpdaterTag.dll,#1
1⤵
- Deletes itself
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_8427c75a.dll", #1
  2⤵
  - Loads dropped DLL
  PID:2972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1980 -s 276
  2⤵
  PID:2412

C:\Windows\system32\taskeng.exe
taskeng.exe {059A4547-0111-426E-9984-8C893A718B75} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_8427c75a.dll", #1
  2⤵
  - Loads dropped DLL
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_8427c75a.dll

Filesize
74KB

MD5
972da9469d08afb5028f7c5aa70e9ac9

SHA1
83e00c329d98f4d9747e7c361c5eabaaeff7ee87

SHA256
8acb675710a2906506098266edddd3895c33ec07307035f7e92d2dda2613d3d6

SHA512
077aab2448755bb25ff5242fdb0a6e88e1145a3e93429a80a04fcc9a9c238e9b8721a3a78bb81770e2a8af97d36b9c5e2a3078a6bb08261d0b80f3a094a0a784

Download Submit
memory/1980-6-0x000007FEFB110000-0x000007FEFB126000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing