Analysis
max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
submitted: 30-09-2024 16:35
Static task: static1
Behavioral task: behavioral1
  Sample: 877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe
  Resource: win10v2004-20240802-en
General
Target: 877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe
Size: 3.5MB
MD5: e0768a6da09a16c08b60ffbfa874a2a5
SHA1: 8b2db9fafb8069486d01943847ece90d49cf8fc2
SHA256: 877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa
SHA512: 5daef2dd43e288fda8dfa88ada672ff5baf155058fecda1fb13e60f2d39cde70a99fae4064ec16e3783f663a93b84b3fdb2a7dcf20809a16794c17b0ab0509d9
SSDEEP: 49152:nAil1zLyAEOAvKtNFZhMo3UAHe8SGz8OYKSgFVDzOWTniN+GQeCUYdCRGkSCLcnq:n9MAgcjZhmKLnzdr8CUycSCLcnq
Malware Config
Extracted
Family: latrodectus
Version: 1.4
C2: https://torifalemarta.com/test/
group: Epsilon
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Signatures
- Detects Latrodectus (6 IoCs)
Detects Latrodectus v1.4.
  resource                                                                      yara_rule
  behavioral2/memory/2320-0-0x0000000000460000-0x0000000000476000-memory.dmp   family_latrodectus_1_4
  behavioral2/memory/2320-1-0x0000000000460000-0x0000000000476000-memory.dmp   family_latrodectus_1_4
  behavioral2/memory/2320-2-0x0000000000460000-0x0000000000476000-memory.dmp   family_latrodectus_1_4
  behavioral2/memory/2320-8-0x0000000000460000-0x0000000000476000-memory.dmp   family_latrodectus_1_4
  behavioral2/memory/2280-10-0x0000000000530000-0x0000000000546000-memory.dmp  family_latrodectus_1_4
  behavioral2/memory/2280-9-0x0000000000530000-0x0000000000546000-memory.dmp   family_latrodectus_1_4
- Latrodectus family
- Latrodectus loader
Latrodectus is a loader written in C++.
- Deletes itself (1 IoC)
  pid   Process
  2320  877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2280  Update_ba10e692.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2320  877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                         pid   Process                                                                 procid_target
  PID 2320 wrote to memory of 2280    2320  877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe   82
  PID 2320 wrote to memory of 2280    2320  877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe   82
- Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa.exe"
  PID: 2320
  - Deletes itself
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Custom_update\Update_ba10e692.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ba10e692.exe"
    PID: 2280
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.5MB
  MD5: e0768a6da09a16c08b60ffbfa874a2a5
  SHA1: 8b2db9fafb8069486d01943847ece90d49cf8fc2
  SHA256: 877925b41dad686c247e309ae0059db79ecf44185ae52ceeb20bfef6d73689fa
  SHA512: 5daef2dd43e288fda8dfa88ada672ff5baf155058fecda1fb13e60f2d39cde70a99fae4064ec16e3783f663a93b84b3fdb2a7dcf20809a16794c17b0ab0509d9