latrodectus | 2333dd858fc40899a1bff3fb39fbc0b4e65a864bfd4eb73c26b48aaddcca7061

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update_e5cd0b5a.dll
Size

1.8MB
MD5

6dc0d350d735fd1acc8219cfa5d02b9b
SHA1

7ba0708a4404715fb21a23acfbd88a25b7245ef1
SHA256

2333dd858fc40899a1bff3fb39fbc0b4e65a864bfd4eb73c26b48aaddcca7061
SHA512

99c9b6310363ce3a7d9ff680c4a0ae976553fc4789b12f9b60d9f629608d90cf4d64b4c8a037264f8aaa48fba69ae397236ef4c32c2eb6779fb5d9e0b3b0d52f
SSDEEP

24576:jn6mclQ1O/p0g/9fTeVB1SATDqj2/lDRa+QR6P3r3dl60NWEEk6d:jnhclke0wfoHSASyNNFI6P3rNlHNp

Score

10^/10

latrodectus loader

Malware Config

Signatures

Detects Latrodectus 6 IoCs

Detects Latrodectus v1.4.

resource	yara_rule
behavioral1/memory/2264-0-0x00000000002E0000-0x00000000002F6000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2264-2-0x00000000002E0000-0x00000000002F6000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2264-1-0x00000000002E0000-0x00000000002F6000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2264-6-0x00000000002E0000-0x00000000002F6000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2228-11-0x00000000003C0000-0x00000000003D6000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/2228-12-0x00000000003C0000-0x00000000003D6000-memory.dmp	family_latrodectus_1_4

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Deletes itself 1 IoCs

pid	Process
2264	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2264	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2228	2264	rundll32.exe	30
PID 2264 wrote to memory of 2228	2264	rundll32.exe	30
PID 2264 wrote to memory of 2228	2264	rundll32.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Update_e5cd0b5a.dll,#1
1⤵
- Deletes itself
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_3657e781.dll", #1
  2⤵
  - Loads dropped DLL
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_3657e781.dll

Filesize
1.8MB

MD5
6dc0d350d735fd1acc8219cfa5d02b9b

SHA1
7ba0708a4404715fb21a23acfbd88a25b7245ef1

SHA256
2333dd858fc40899a1bff3fb39fbc0b4e65a864bfd4eb73c26b48aaddcca7061

SHA512
99c9b6310363ce3a7d9ff680c4a0ae976553fc4789b12f9b60d9f629608d90cf4d64b4c8a037264f8aaa48fba69ae397236ef4c32c2eb6779fb5d9e0b3b0d52f

Download Submit
memory/2228-11-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/2228-12-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/2264-0-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/2264-2-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/2264-1-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/2264-6-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/2264-4-0x0000000180000000-0x00000001801DC000-memory.dmp

Filesize
1.9MB

Download