Overview

overview

10

Static

static

1

DLPAgent.msi

windows10-2004-x64

10

DLPAgent.msi

windows11-21h2-x64

8

Analysis

  • max time kernel
    1797s
  • max time network
    1800s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2024 18:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DLPAgent.msi

  • Size

    2.1MB

  • MD5

    d75db138a6519ace7795ba35ea62a498

  • SHA1

    dc8ec40f846dd55be5661d43a80acb4d442f6cd3

  • SHA256

    1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa

  • SHA512

    eeef3b0620cfbd332110b8123e2548b8b6a6b4d2259932463755aae2569440a8807eed7a5b5274b9bb01cde7604bc7aeb560b606609d7fc885cd97621c9106c1

  • SSDEEP

    49152:56s3YhW8zBQSc0ZnSKSZKumZr7AKMLQanYBQDpridgYaU:HYY0ZnQK/AvL8BpgPU

Score
10/10
latrodectusdiscoveryloaderpersistenceprivilege_escalation

Malware Config

Signatures

  • Detects Latrodectus 3 IoCs

    Detects Latrodectus v1.4.

  • Latrodectus loader

    Latrodectus is a loader written in C++.

    loaderlatrodectus
  • Blocklisted process makes network request 64 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3420
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DLPAgent.msi
      2⤵
      • Enumerates connected drives
      • Event Triggered Execution: Installer Packages
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4460
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\x64_stealth.dll, clBuildProgram
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:748
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4364
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 63FB74934E1A499BA8BBF91202C0FBA9
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1756
    • C:\Windows\Installer\MSI9338.tmp
      "C:\Windows\Installer\MSI9338.tmp" /DontWait C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Roaming\x64_stealth.dll, clBuildProgram
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:644
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4016
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3852,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:8
    1⤵
      PID:1184
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4220,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:8
      1⤵
        PID:2972

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\e588e15.rbs
        Filesize

        1KB

        MD5

        23765b4f96648659a2266259bf139ef2

        SHA1

        fa8644fcb483dece97e6030707c61475a16fa4bd

        SHA256

        60c7b004a9227459555fe2f6efc132f02aa4cfadf9b19964af15ee0dc80c4d7b

        SHA512

        f3ed36a4b4dcae6fd687f3c74de9f98c38e0e7b1022e193a63f2cdd9134a9b4b07b38f6889d8336d889f8329c577c8c6fbaa63a54747a341ce3810572ebfc252

        Download Submit

      • C:\Users\Admin\AppData\Roaming\x64_stealth.dll
        Filesize

        1.7MB

        MD5

        4d343ce28a572f1bca64473232a039a9

        SHA1

        aaf14040d4ee2a03d48d961f7d70970d4513237f

        SHA256

        5c7a3bd2baa8303354d8098b8d5961f111e467002bb0c6fee120825b32798228

        SHA512

        bd723a89aef1778fff3af72459b59aa2316cb010b290e9d5679c8e72959db70086d65ee0ef16e8cb45349be04b3ae9daeb53b63defbebfac8452a97ce46da814

        Download Submit

      • C:\Windows\Installer\MSI8E51.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Windows\Installer\MSI9338.tmp
        Filesize

        389KB

        MD5

        b9545ed17695a32face8c3408a6a3553

        SHA1

        f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

        SHA256

        1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

        SHA512

        f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

        Download Submit

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize

        23.7MB

        MD5

        e9488a91e9b61602b67269869899f2bf

        SHA1

        3d7d7b8a4d58bce54024a15503537c62b956e1c8

        SHA256

        3005aa48b2e7d5cb3bdd330390fb96977fd7785c7ede24d7dbe4231c778e5abf

        SHA512

        9f5c488bff350ea98b1fa575b4f445ccdc252c7f1a7219109cedbab24b97fcb7b96fc67df2da3b6cdeae56ea24da447f35bc2a0718ac5afffa22032c20f22606

        Download Submit

      • \??\Volume{ff3ab8f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{054282dc-70a2-47b5-8934-03f17986f2dc}_OnDiskSnapshotProp
        Filesize

        6KB

        MD5

        5ae49c3ceb0ab7f7407222290c1aba88

        SHA1

        c9822fab548d97cfdeb6b6da118b1ec43028aa17

        SHA256

        0973eba1ac45f9876da3b1a82f8ab1a66bb98d9516c2faa6988fe23995ca9db8

        SHA512

        f11d20287dd741ad5d76c43d911261f0df00596efc35a93063d5b089cbf0d4de44b143b295746d18467b6b15eaac15198aa2c3ad57dc0022be48a50bec4d1653

        Download Submit

      • memory/748-61-0x00000002E4D10000-0x00000002E4D5B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/748-94-0x00007FF4307A0000-0x00007FF4307A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-50-0x00007FFC0ACD0000-0x00007FFC0AF99000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/748-52-0x000001F2C1640000-0x000001F2C168C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/748-48-0x00007FFC0D0C0000-0x00007FFC0D17E000-memory.dmp

        Filesize

        760KB

        Download

      • memory/748-68-0x000001F2C1640000-0x000001F2C168C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/748-45-0x00000002E4D10000-0x00000002E4D5B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/748-44-0x00000002E4D10000-0x00000002E4D5B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/748-95-0x00007FF430780000-0x00007FF430795000-memory.dmp

        Filesize

        84KB

        Download

      • memory/748-46-0x00007FFC0D1D0000-0x00007FFC0D3C5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/748-104-0x000001F2C1640000-0x000001F2C168C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/748-99-0x00007FF430740000-0x00007FF430741000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-98-0x00007FF430750000-0x00007FF430751000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-97-0x00007FF430760000-0x00007FF430761000-memory.dmp

        Filesize

        4KB

        Download

      • memory/748-96-0x00007FF430770000-0x00007FF430771000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3420-101-0x0000000002630000-0x0000000002645000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3420-100-0x0000000002630000-0x0000000002645000-memory.dmp

        Filesize

        84KB

        Download