Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
09-10-2024 01:55
Static task
static1
Behavioral task
behavioral1
Sample
d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe
Resource
win10v2004-20241007-en
General
-
Target
d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe
-
Size
7.9MB
-
MD5
dcadeda5754a0fe953156eb69f966bf2
-
SHA1
3fb6f6bb20ef5d4db9f7996662d6fbd84d2a0ee9
-
SHA256
d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1
-
SHA512
ffb6c3546af692fb48a96f1288c2b96cdad91647e2d9331ceef67cde54548870e387488f17db503e7666540e62450441140220fdc7c8be6410023488953fb290
-
SSDEEP
196608:MddurOkR/ykbTpWm+Jmj3qDc2YDW2nGg+MmzM+dxkh:wdIR6Aamj3qQ2x2nGfMmzh/kh
Malware Config
Extracted
latrodectus
https://restoreviner.com/test/
https://peronikilinfer.com/test/
Signatures
-
Detects Latrodectus 1 IoCs
Detects Latrodectus v1.4.
resource yara_rule behavioral1/memory/2816-37-0x000000013FE00000-0x000000013FE15000-memory.dmp family_latrodectus_1_4 -
Latrodectus loader
Latrodectus is a loader written in C++.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\todaydatabaseovlresig.lnk powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 2816 todaydatabaseovlresig.exe 2572 Update_2569b386.exe -
Loads dropped DLL 4 IoCs
pid Process 2744 cmd.exe 2744 cmd.exe 2816 todaydatabaseovlresig.exe 2816 todaydatabaseovlresig.exe -
pid Process 2928 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2928 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2928 powershell.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 2352 wrote to memory of 2744 2352 d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe 30 PID 2352 wrote to memory of 2744 2352 d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe 30 PID 2352 wrote to memory of 2744 2352 d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe 30 PID 2352 wrote to memory of 2744 2352 d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe 30 PID 2744 wrote to memory of 2932 2744 cmd.exe 32 PID 2744 wrote to memory of 2932 2744 cmd.exe 32 PID 2744 wrote to memory of 2932 2744 cmd.exe 32 PID 2744 wrote to memory of 2932 2744 cmd.exe 32 PID 2744 wrote to memory of 2928 2744 cmd.exe 33 PID 2744 wrote to memory of 2928 2744 cmd.exe 33 PID 2744 wrote to memory of 2928 2744 cmd.exe 33 PID 2744 wrote to memory of 2928 2744 cmd.exe 33 PID 2744 wrote to memory of 2816 2744 cmd.exe 34 PID 2744 wrote to memory of 2816 2744 cmd.exe 34 PID 2744 wrote to memory of 2816 2744 cmd.exe 34 PID 2744 wrote to memory of 2816 2744 cmd.exe 34 PID 2816 wrote to memory of 2572 2816 todaydatabaseovlresig.exe 35 PID 2816 wrote to memory of 2572 2816 todaydatabaseovlresig.exe 35 PID 2816 wrote to memory of 2572 2816 todaydatabaseovlresig.exe 35 PID 2816 wrote to memory of 2660 2816 todaydatabaseovlresig.exe 36 PID 2816 wrote to memory of 2660 2816 todaydatabaseovlresig.exe 36 PID 2816 wrote to memory of 2660 2816 todaydatabaseovlresig.exe 36 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe"C:\Users\Admin\AppData\Local\Temp\d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS722.tmp\autorun.bat" "2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\xcopy.exexcopy C:\Users\Admin\AppData\Local\Temp\7zS722.tmp\todaydatabaseovlresig.exe C:\Users\Admin\AppData\Local\Temp3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2932
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $Shortcut = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\todaydatabaseovlresig.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\Temp\todaydatabaseovlresig.exe'; $Shortcut.Save()"3⤵
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
C:\Users\Admin\AppData\Local\Temp\todaydatabaseovlresig.exeC:\Users\Admin\AppData\Local\Temp\todaydatabaseovlresig.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Users\Admin\AppData\Roaming\Custom_update\Update_2569b386.exe"C:\Users\Admin\AppData\Roaming\Custom_update\Update_2569b386.exe"4⤵
- Executes dropped EXE
PID:2572
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2816 -s 2564⤵PID:2660
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
478B
MD5de2823825a54c5df96225c795808e42d
SHA1c076f08f7fc3d1e44c3a0450f4b9f2b2c92ed669
SHA25660e863e70dce64bbd564b98113a75f58c455ae604235ed1339a595944a19321a
SHA512c8f127d1ac1abf0edcdabfa8ff90ae83ea5c65a7d450631a20c87b60ccd0610f4174ae146e961ab0ab59792f654e14dc303dd176a042e5b0c83b0ae637a3673d
-
Filesize
11.0MB
MD5262d733731abd4b67a97b682bfc9861f
SHA1254734707cfd4f34388e0b907240c26732434c99
SHA256989f811ac3c4ba5413fef99154ba60d930835d17832d6c26e3b66d9d45e01126
SHA512ec49736c73700a2eeeac0c048e1999a081ea2537564ef2e57a04d4a9bbe9016a511955ca78806c6fa18649b4abed790c35c00ed3db7296a2145590fe201c51bc