Analysis
- max time kernel: 1797s
- max time network: 1799s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 27-09-2024 00:36
Static task: static1
Behavioral task: behavioral1 (Sample: dsa.msi; Resource: win10v2004-20240802-en)
Behavioral task: behavioral2 (Sample: dsa.msi; Resource: win11-20240802-en)
General
- Target: dsa.msi
- Size: 1.6MB
- MD5: 9775cb36162fab5d8dbe372cd5910ba7
- SHA1: a06d73422ecb931b6b6ae9f2af5f08f50b3d52dc
- SHA256: 29549b75a198ad3aee4f8b9ea328bc9a73eb0e0d07e36775438bbe7268d453f9
- SHA512: 42cc3d3746fc416097b7de340cf1782febe957ee45e17b5c368f6509bb5112cfdd808d223283ef424b5ee1aab0dddc78562a778f196f7962c3f27839f4f60564
- SSDEEP: 49152:gfj3YhW8zBQSc0ZnSKSZKumZr7AlFBBdtM:cYY0ZnQK/AlprM
Malware Config
Signatures
-
Detects Latrodectus (3 IoCs)
Detects Latrodectus v1.4.
  resource | yara_rule
  behavioral2/memory/3304-79-0x0000000000EA0000-0x0000000000EB5000-memory.dmp | family_latrodectus_1_4
  behavioral2/memory/1900-74-0x00007FF4D17F0000-0x00007FF4D1805000-memory.dmp | family_latrodectus_1_4
  behavioral2/memory/3304-80-0x0000000000EA0000-0x0000000000EB5000-memory.dmp | family_latrodectus_1_4
-
Latrodectus loader
Latrodectus is a loader written in C++.
-
Blocklisted process makes network request (64 IoCs)
  flow | pid | Process
  2, 4-6, 8-26, 28-31, 33-48, 50-51, 54-71, 74 (64 flows) | 1900 | rundll32.exe
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (each opened twice; 46 entries) | msiexec.exe
-
Drops file in Windows directory (16 IoCs)
  description | ioc | Process
  File created | C:\Windows\SystemTemp\~DFAFE1CD2C138A1D97.TMP | msiexec.exe
  File created | C:\Windows\Installer\e57c0a0.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e57c0a0.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIC229.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIC0EE.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIC374.tmp | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF17F5889F7B69CA54.TMP | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIC306.tmp | msiexec.exe
  File created | C:\Windows\SystemTemp\~DFCCFF8CAC80B63D00.TMP | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF13BF9C83A97BE811.TMP | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIC1E9.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIC259.tmp | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{61449C75-AB36-4299-A465-A142FC439D7F} | msiexec.exe
-
Executes dropped EXE (1 IoC)
  pid | Process
  5088 | MSIC374.tmp
-
Loads dropped DLL (6 IoCs)
  pid | Process
  4736 | MsiExec.exe (4 entries)
  4024 | rundll32.exe
  1900 | rundll32.exe
-
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid | Process
  2760 | msiexec.exe
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSIC374.tmp
-
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4904 | msiexec.exe (2 entries)
  1900 | rundll32.exe (62 entries)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 entries) | 2760 | msiexec.exe
  Token: SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege (10 entries), SeTakeOwnershipPrivilege (9 entries); 21 entries in total | 4904 | msiexec.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 1836 | vssvc.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (each twice; 8 entries) | 1548 | srtasks.exe
  Token: SeShutdownPrivilege | 3304 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2760 | msiexec.exe (2 entries)
-
Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 4904 wrote to memory of 1548 | 4904 | msiexec.exe | 84 (2 entries)
  PID 4904 wrote to memory of 4736 | 4904 | msiexec.exe | 86 (3 entries)
  PID 4904 wrote to memory of 5088 | 4904 | msiexec.exe | 87 (3 entries)
  PID 4024 wrote to memory of 1900 | 4024 | rundll32.exe | 89 (2 entries)
  PID 1900 wrote to memory of 3304 | 1900 | rundll32.exe | 52
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\Explorer.EXE (PID 3304)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\msiexec.exe (PID 2760)
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\dsa.msi
    Signatures: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  - C:\Windows\SysWOW64\rundll32.exe (PID 4024)
    Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (PID 1900)
      Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- C:\Windows\system32\msiexec.exe (PID 4904)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 1548)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 4736)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2F5312BFFA7CA3DDC1AAA37B0B04FBC2
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - C:\Windows\Installer\MSIC374.tmp (PID 5088)
    Command line: "C:\Windows\Installer\MSIC374.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 1836)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads