latrodectus | 50f9e6cca7d09a8e75615634e0e497fcca48069df7f243060f6c30e91de514a0

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
submitted
06-09-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wtfbbq (copy).exe
Size

69KB
MD5

390a3755dcdb75b85b597244edd1914a
SHA1

dd70e1f0c9442d23f66b6a4224448728c6b84183
SHA256

50f9e6cca7d09a8e75615634e0e497fcca48069df7f243060f6c30e91de514a0
SHA512

bc0366513b6ca66bd9ebeb2739c54a97939fc35f7cd2d74bf076ff93bf5b274f9cb7efc69f9deaeb5f2e896c322071fd57817ad6b2fe830fa8ad540a26ba001e
SSDEEP

768:7zrvRTYS4YxeO7ZD4SrcIuMHuOt79NguEdC+1986wzy7crreZAaf8Ic8vprE54Gf:7zx/oOfr9ltc19v6reZDf8Ic85E5Zf

Score

10^/10

latrodectus loader

Malware Config

Extracted

Family

latrodectus

https://restoreviner.com/test/

https://peronikilinfer.com/test/

Signatures

Detects Latrodectus 2 IoCs

Detects Latrodectus v1.4.

resource	yara_rule
behavioral1/files/0x000800000001747b-2.dat	family_latrodectus_1_4
behavioral1/memory/1860-8-0x000000013F370000-0x000000013F385000-memory.dmp	family_latrodectus_1_4

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Deletes itself 1 IoCs

pid	Process
1860	wtfbbq (copy).exe

Executes dropped EXE 1 IoCs

pid	Process
3016	Update_22447c5c.exe

Loads dropped DLL 2 IoCs

pid	Process
1860	wtfbbq (copy).exe
1860	wtfbbq (copy).exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1860	wtfbbq (copy).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 3016	1860	wtfbbq (copy).exe	30
PID 1860 wrote to memory of 3016	1860	wtfbbq (copy).exe	30
PID 1860 wrote to memory of 3016	1860	wtfbbq (copy).exe	30
PID 1860 wrote to memory of 3028	1860	wtfbbq (copy).exe	31
PID 1860 wrote to memory of 3028	1860	wtfbbq (copy).exe	31
PID 1860 wrote to memory of 3028	1860	wtfbbq (copy).exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\wtfbbq (copy).exe
"C:\Users\Admin\AppData\Local\Temp\wtfbbq (copy).exe"
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Roaming\Custom_update\Update_22447c5c.exe
  "C:\Users\Admin\AppData\Roaming\Custom_update\Update_22447c5c.exe"
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1860 -s 304
  2⤵
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Custom_update\Update_22447c5c.exe

Filesize
69KB

MD5
390a3755dcdb75b85b597244edd1914a

SHA1
dd70e1f0c9442d23f66b6a4224448728c6b84183

SHA256
50f9e6cca7d09a8e75615634e0e497fcca48069df7f243060f6c30e91de514a0

SHA512
bc0366513b6ca66bd9ebeb2739c54a97939fc35f7cd2d74bf076ff93bf5b274f9cb7efc69f9deaeb5f2e896c322071fd57817ad6b2fe830fa8ad540a26ba001e

Download Submit
memory/1860-8-0x000000013F370000-0x000000013F385000-memory.dmp

Filesize
84KB

Download