latrodectus | 97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03-10-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_rtl.dll
Size

749KB
MD5

b1ca25f5bb4edd293b3711c77eb99a6f
SHA1

178bba8686ea329b884a652fe0f8a0ae0c53d367
SHA256

97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a
SHA512

d5a282a8f81e117b79616c44a260d89c7fee06f4ac1387675bc79c3bd7599a5d49fbe3d8fb3d4d42eea81a17564abc2d42288bc2dc468d1b16ed633ba421b32d
SSDEEP

12288:/h/M5nsxW5fFcrGn7Q21Svj07MGpmeSM6q4LWYv1AoMJPPyogk31OkRK1OKeQeq:/rD+JPPn8kM1Oej

Score

10^/10

latrodectus loader

Malware Config

Signatures

Detects Latrodectus 4 IoCs

Detects Latrodectus v1.4.

resource	yara_rule
behavioral1/memory/4276-51-0x00007FF6AF3D0000-0x00007FF6AF3E5000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/3316-57-0x0000000000AD0000-0x0000000000AE5000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/3316-58-0x0000000000AD0000-0x0000000000AE5000-memory.dmp	family_latrodectus_1_4
behavioral1/memory/3316-59-0x0000000000AD0000-0x0000000000AE5000-memory.dmp	family_latrodectus_1_4

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Blocklisted process makes network request 64 IoCs

flow	pid	Process
10	4276	rundll32.exe
11	4276	rundll32.exe
12	4276	rundll32.exe
15	4276	rundll32.exe
16	4276	rundll32.exe
17	4276	rundll32.exe
18	4276	rundll32.exe
19	4276	rundll32.exe
20	4276	rundll32.exe
21	4276	rundll32.exe
22	4276	rundll32.exe
23	4276	rundll32.exe
25	4276	rundll32.exe
27	4276	rundll32.exe
29	4276	rundll32.exe
33	4276	rundll32.exe
34	4276	rundll32.exe
37	4276	rundll32.exe
38	4276	rundll32.exe
39	4276	rundll32.exe
40	4276	rundll32.exe
41	4276	rundll32.exe
42	4276	rundll32.exe
43	4276	rundll32.exe
44	4276	rundll32.exe
45	4276	rundll32.exe
46	4276	rundll32.exe
47	4276	rundll32.exe
48	4276	rundll32.exe
49	4276	rundll32.exe
50	4276	rundll32.exe
51	4276	rundll32.exe
52	4276	rundll32.exe
53	4276	rundll32.exe
54	4276	rundll32.exe
55	4276	rundll32.exe
59	4276	rundll32.exe
60	4276	rundll32.exe
61	4276	rundll32.exe
62	4276	rundll32.exe
63	4276	rundll32.exe
64	4276	rundll32.exe
65	4276	rundll32.exe
66	4276	rundll32.exe
67	4276	rundll32.exe
68	4276	rundll32.exe
69	4276	rundll32.exe
70	4276	rundll32.exe
71	4276	rundll32.exe
72	4276	rundll32.exe
73	4276	rundll32.exe
74	4276	rundll32.exe
75	4276	rundll32.exe
76	4276	rundll32.exe
77	4276	rundll32.exe
78	4276	rundll32.exe
79	4276	rundll32.exe
80	4276	rundll32.exe
81	4276	rundll32.exe
82	4276	rundll32.exe
83	4276	rundll32.exe
84	4276	rundll32.exe
87	4276	rundll32.exe
88	4276	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe
4276	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3316	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4276	4112	cmd.exe	79
PID 4112 wrote to memory of 4276	4112	cmd.exe	79
PID 4276 wrote to memory of 3316	4276	rundll32.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3316
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\_rtl.dll,#1
  2⤵
  PID:512
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\system32\rundll32.exe
    rundll32 _rtl.dll,#5
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3316-57-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/3316-59-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/3316-58-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/4276-33-0x0000017E93DD0000-0x0000017E93E1C000-memory.dmp

Filesize
304KB

Download
memory/4276-50-0x00007FF6AF3F0000-0x00007FF6AF3F1000-memory.dmp

Filesize
4KB

Download
memory/4276-9-0x00007FF84CAB0000-0x00007FF84CCF9000-memory.dmp

Filesize
2.3MB

Download
memory/4276-7-0x00007FF84D860000-0x00007FF84D90E000-memory.dmp

Filesize
696KB

Download
memory/4276-3-0x0000000273F40000-0x0000000273F8A000-memory.dmp

Filesize
296KB

Download
memory/4276-2-0x0000000273F40000-0x0000000273F8A000-memory.dmp

Filesize
296KB

Download
memory/4276-1-0x0000017E92380000-0x0000017E923C7000-memory.dmp

Filesize
284KB

Download
memory/4276-0-0x0000000273F40000-0x0000000273F8A000-memory.dmp

Filesize
296KB

Download
memory/4276-51-0x00007FF6AF3D0000-0x00007FF6AF3E5000-memory.dmp

Filesize
84KB

Download
memory/4276-11-0x0000017E93DD0000-0x0000017E93E1C000-memory.dmp

Filesize
304KB

Download
memory/4276-20-0x00007FF84FDF1000-0x00007FF84FEFF000-memory.dmp

Filesize
1.1MB

Download
memory/4276-5-0x00007FF84FDF0000-0x00007FF84FFCB000-memory.dmp

Filesize
1.9MB

Download
memory/4276-55-0x00007FF6AF390000-0x00007FF6AF391000-memory.dmp

Filesize
4KB

Download
memory/4276-54-0x00007FF6AF3A0000-0x00007FF6AF3A1000-memory.dmp

Filesize
4KB

Download
memory/4276-53-0x00007FF6AF3B0000-0x00007FF6AF3B1000-memory.dmp

Filesize
4KB

Download
memory/4276-52-0x00007FF6AF3C0000-0x00007FF6AF3C1000-memory.dmp

Filesize
4KB

Download
memory/4276-4-0x0000017E93C90000-0x0000017E93CCE000-memory.dmp

Filesize
248KB

Download
memory/4276-62-0x0000017E93DD0000-0x0000017E93E1C000-memory.dmp

Filesize
304KB

Download