latrodectus | 8acb675710a2906506098266edddd3895c33ec07307035f7e92d2dda2613d3d6

Analysis

max time kernel
138s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
submitted
31-08-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UpdaterTag.dll
Size

74KB
MD5

972da9469d08afb5028f7c5aa70e9ac9
SHA1

83e00c329d98f4d9747e7c361c5eabaaeff7ee87
SHA256

8acb675710a2906506098266edddd3895c33ec07307035f7e92d2dda2613d3d6
SHA512

077aab2448755bb25ff5242fdb0a6e88e1145a3e93429a80a04fcc9a9c238e9b8721a3a78bb81770e2a8af97d36b9c5e2a3078a6bb08261d0b80f3a094a0a784
SSDEEP

1536:U4zhHuRqOoGc2WsV/bWM5wpokf8mwrl/Jk:U4zhHuRooWM5wBkmwrJJ

Score

10^/10

latrodectus loader

Malware Config

Extracted

Family

latrodectus

https://isomicrotich.com/test/

https://rilomenifis.com/test/

Signatures

Detects Latrodectus 2 IoCs

Detects Latrodectus v1.4.

resource	yara_rule
behavioral2/files/0x0007000000023612-3.dat	family_latrodectus_1_4
behavioral2/memory/1200-1-0x00007FF9E5720000-0x00007FF9E5736000-memory.dmp	family_latrodectus_1_4

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Deletes itself 1 IoCs

pid	Process
1200	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
3960	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1200	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 3960	1200	rundll32.exe	93
PID 1200 wrote to memory of 3960	1200	rundll32.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\UpdaterTag.dll,#1
1⤵
- Deletes itself
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_31db8e5f.dll", #1
  2⤵
  - Loads dropped DLL
  PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4768,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_31db8e5f.dll

Filesize
74KB

MD5
972da9469d08afb5028f7c5aa70e9ac9

SHA1
83e00c329d98f4d9747e7c361c5eabaaeff7ee87

SHA256
8acb675710a2906506098266edddd3895c33ec07307035f7e92d2dda2613d3d6

SHA512
077aab2448755bb25ff5242fdb0a6e88e1145a3e93429a80a04fcc9a9c238e9b8721a3a78bb81770e2a8af97d36b9c5e2a3078a6bb08261d0b80f3a094a0a784

Download Submit
memory/1200-1-0x00007FF9E5720000-0x00007FF9E5736000-memory.dmp

Filesize
88KB

Download