Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
submitted
18-09-2024 22:35
General
-
Target
mal_dump.dll
-
Size
72KB
-
MD5
827bf3ffc5646444ee770de24008a5fc
-
SHA1
e66f50f2c9792b8ecc9317f74d51c98380d7df36
-
SHA256
ba9b2c8a37a1a1d45713d26578a8ab0abc5b439581faa3d770bcfe441c12b8f0
-
SHA512
57b0e97e15833b10e11a521dedeec5dfaa3d5dee12d6455e82ba453e7b494a01ab8ad5cad7ca50f4c1e422c0e14868b75cadf588f32b556362c4f90008309a3a
-
SSDEEP
1536:Izhn3OA/88fZVS18GpH50f88d0cTJ5Kga:Izhnt/vVS18zk8dDba
Malware Config
Extracted
latrodectus
https://isomicrotich.com/test/
https://rilomenifis.com/test/
Signatures
-
Detects Latrodectus 2 IoCs
Detects Latrodectus v1.4.
-
Latrodectus family
-
Latrodectus loader
Latrodectus is a loader written in C++.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\mal_dump.dll,#11⤵
- Deletes itself
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_125fc62e.dll", #12⤵
- Loads dropped DLL
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1152 -s 3162⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD5827bf3ffc5646444ee770de24008a5fc
SHA1e66f50f2c9792b8ecc9317f74d51c98380d7df36
SHA256ba9b2c8a37a1a1d45713d26578a8ab0abc5b439581faa3d770bcfe441c12b8f0
SHA51257b0e97e15833b10e11a521dedeec5dfaa3d5dee12d6455e82ba453e7b494a01ab8ad5cad7ca50f4c1e422c0e14868b75cadf588f32b556362c4f90008309a3a
-
Filesize
88KB