Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03-10-2024 19:27
Static task: static1
- 1 signature
Behavioral task: behavioral1
- Sample: _rtl.dll
- Resource: win10-20240404-en (windows10-1703-x64)
- 7 signatures
- 150 seconds
General
- Target: _rtl.dll
- Size: 749KB
- MD5: b1ca25f5bb4edd293b3711c77eb99a6f
- SHA1: 178bba8686ea329b884a652fe0f8a0ae0c53d367
- SHA256: 97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a
- SHA512: d5a282a8f81e117b79616c44a260d89c7fee06f4ac1387675bc79c3bd7599a5d49fbe3d8fb3d4d42eea81a17564abc2d42288bc2dc468d1b16ed633ba421b32d
- SSDEEP: 12288:/h/M5nsxW5fFcrGn7Q21Svj07MGpmeSM6q4LWYv1AoMJPPyogk31OkRK1OKeQeq:/rD+JPPn8kM1Oej
- Score: 10/10
Malware Config
Signatures
- Detects Latrodectus (4 IoCs)
  Detects Latrodectus v1.4.
  resource                                                                     yara_rule
  behavioral1/memory/4276-51-0x00007FF6AF3D0000-0x00007FF6AF3E5000-memory.dmp  family_latrodectus_1_4
  behavioral1/memory/3316-57-0x0000000000AD0000-0x0000000000AE5000-memory.dmp  family_latrodectus_1_4
  behavioral1/memory/3316-58-0x0000000000AD0000-0x0000000000AE5000-memory.dmp  family_latrodectus_1_4
  behavioral1/memory/3316-59-0x0000000000AD0000-0x0000000000AE5000-memory.dmp  family_latrodectus_1_4
- Latrodectus loader
  Latrodectus is a loader written in C++.
- Blocklisted process makes network request (64 IoCs)
  pid 4276 (rundll32.exe), 64 network flows in total: flows 10, 11, 12, 15, 16, 17, 18, 19, 20, 21, 22, 23, 25, 27, 29, 33, 34, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 87, 88.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4276 (rundll32.exe), 64 occurrences.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3316 (Explorer.EXE)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        3316  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3316  Explorer.EXE
  Token: SeShutdownPrivilege        3316  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3316  Explorer.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 4112 wrote to memory of 4276  4112  cmd.exe       79
  PID 4112 wrote to memory of 4276  4112  cmd.exe       79
  PID 4276 wrote to memory of 3316  4276  rundll32.exe  54
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3316
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\_rtl.dll,#1
    PID: 512
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    PID: 4112
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32 _rtl.dll,#5
      PID: 4276
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory