latrodectus | 5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8

Resubmissions

17-10-2024 07:22

241017-h7j5raxdpc 10

19-09-2024 09:46

240919-lr5nassbmg 10

22-08-2024 01:33

240822-byp63svhjj 7

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe
Size

68KB
MD5

58e3fdda803852666f535b132e6a8160
SHA1

34550c1402b823b5cf3bc7edfeec0cc00cb6a953
SHA256

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8
SHA512

90ee1949a0cb79ee9ea20351f15fe2d27c8c171e398f01e42849e2cba6a9531cf792757f7fec6aeaea5b3a5e7198e3f875ab702275541acbcd420d46c1a9ba2a
SSDEEP

1536:3R2zxbOmOBVjGqV3g5I+va6z5f85NGducEe0e:h2zxqfU5I+xknGd30e

Score

10^/10

latrodectus loader

Malware Config

Signatures

Detects Latrodectus 2 IoCs

Detects Latrodectus v1.4.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Custom_update\Update_1fd6b39.exe	family_latrodectus_1_4
behavioral1/memory/1868-10-0x000000013F9F0000-0x000000013FA05000-memory.dmp	family_latrodectus_1_4

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus
Deletes itself 1 IoCs

Processes:

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe

pid process

1868 5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe
Executes dropped EXE 2 IoCs

Processes:

Update_1fd6b39.exeUpdate_1fd6b39.exe

pid process

1988 Update_1fd6b39.exe
2828 Update_1fd6b39.exe

pid	process
1988	Update_1fd6b39.exe
2828	Update_1fd6b39.exe

Loads dropped DLL 3 IoCs

Processes:

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exetaskeng.exe

pid	process
1868	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe
1868	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe
2752	taskeng.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe

pid process

1868 5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exetaskeng.exe

description	pid	process	target process
PID 1868 wrote to memory of 1988	1868	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe	Update_1fd6b39.exe
PID 1868 wrote to memory of 1988	1868	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe	Update_1fd6b39.exe
PID 1868 wrote to memory of 1988	1868	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe	Update_1fd6b39.exe
PID 1868 wrote to memory of 1064	1868	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe	WerFault.exe
PID 1868 wrote to memory of 1064	1868	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe	WerFault.exe
PID 1868 wrote to memory of 1064	1868	5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe	WerFault.exe
PID 2752 wrote to memory of 2828	2752	taskeng.exe	Update_1fd6b39.exe
PID 2752 wrote to memory of 2828	2752	taskeng.exe	Update_1fd6b39.exe
PID 2752 wrote to memory of 2828	2752	taskeng.exe	Update_1fd6b39.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe
"C:\Users\Admin\AppData\Local\Temp\5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8.exe"
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Roaming\Custom_update\Update_1fd6b39.exe
  "C:\Users\Admin\AppData\Roaming\Custom_update\Update_1fd6b39.exe"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1868 -s 252
  2⤵
  PID:1064

C:\Windows\system32\taskeng.exe
taskeng.exe {98A6B568-9B7B-4849-B8D9-667176108CB8} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Roaming\Custom_update\Update_1fd6b39.exe
  C:\Users\Admin\AppData\Roaming\Custom_update\Update_1fd6b39.exe
  2⤵
  - Executes dropped EXE
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_1fd6b39.exe

Filesize
68KB

MD5
58e3fdda803852666f535b132e6a8160

SHA1
34550c1402b823b5cf3bc7edfeec0cc00cb6a953

SHA256
5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8

SHA512
90ee1949a0cb79ee9ea20351f15fe2d27c8c171e398f01e42849e2cba6a9531cf792757f7fec6aeaea5b3a5e7198e3f875ab702275541acbcd420d46c1a9ba2a

Download Submit
memory/1868-10-0x000000013F9F0000-0x000000013FA05000-memory.dmp

Filesize
84KB

Download