latrodectus | fe5e31d0d20eea7dc2cfc16a65d81663dfadf519d8c5ed847245875b95261ea3

General

Target

d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe
Size

7.9MB
MD5

dcadeda5754a0fe953156eb69f966bf2
SHA1

3fb6f6bb20ef5d4db9f7996662d6fbd84d2a0ee9
SHA256

d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1
SHA512

ffb6c3546af692fb48a96f1288c2b96cdad91647e2d9331ceef67cde54548870e387488f17db503e7666540e62450441140220fdc7c8be6410023488953fb290
SSDEEP

196608:MddurOkR/ykbTpWm+Jmj3qDc2YDW2nGg+MmzM+dxkh:wdIR6Aamj3qQ2x2nGfMmzh/kh

Score

10^/10

latrodectus discovery execution loader

Malware Config

Extracted

Family

latrodectus

C2

https://restoreviner.com/test/

https://peronikilinfer.com/test/

Signatures

Detects Latrodectus 1 IoCs

Detects Latrodectus v1.4.

Processes:

resource	yara_rule
behavioral1/memory/2816-37-0x000000013FE00000-0x000000013FE15000-memory.dmp	family_latrodectus_1_4

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Drops startup file 1 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\todaydatabaseovlresig.lnk	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

todaydatabaseovlresig.exeUpdate_2569b386.exe

pid process

2816 todaydatabaseovlresig.exe
2572 Update_2569b386.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exetodaydatabaseovlresig.exe

pid process

2744 cmd.exe
2744 cmd.exe
2816 todaydatabaseovlresig.exe
2816 todaydatabaseovlresig.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2928 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2816	todaydatabaseovlresig.exe
2572	Update_2569b386.exe

pid	process
2744	cmd.exe
2744	cmd.exe
2816	todaydatabaseovlresig.exe
2816	todaydatabaseovlresig.exe

pid	process
2928	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exed8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.execmd.exexcopy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2928 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2928 powershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

pid	process
2928	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2928	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.execmd.exetodaydatabaseovlresig.exe

description	pid	process	target process
PID 2352 wrote to memory of 2744	2352	d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe	cmd.exe
PID 2352 wrote to memory of 2744	2352	d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe	cmd.exe
PID 2352 wrote to memory of 2744	2352	d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe	cmd.exe
PID 2352 wrote to memory of 2744	2352	d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe	cmd.exe
PID 2744 wrote to memory of 2932	2744	cmd.exe	xcopy.exe
PID 2744 wrote to memory of 2932	2744	cmd.exe	xcopy.exe
PID 2744 wrote to memory of 2932	2744	cmd.exe	xcopy.exe
PID 2744 wrote to memory of 2932	2744	cmd.exe	xcopy.exe
PID 2744 wrote to memory of 2928	2744	cmd.exe	powershell.exe
PID 2744 wrote to memory of 2928	2744	cmd.exe	powershell.exe
PID 2744 wrote to memory of 2928	2744	cmd.exe	powershell.exe
PID 2744 wrote to memory of 2928	2744	cmd.exe	powershell.exe
PID 2744 wrote to memory of 2816	2744	cmd.exe	todaydatabaseovlresig.exe
PID 2744 wrote to memory of 2816	2744	cmd.exe	todaydatabaseovlresig.exe
PID 2744 wrote to memory of 2816	2744	cmd.exe	todaydatabaseovlresig.exe
PID 2744 wrote to memory of 2816	2744	cmd.exe	todaydatabaseovlresig.exe
PID 2816 wrote to memory of 2572	2816	todaydatabaseovlresig.exe	Update_2569b386.exe
PID 2816 wrote to memory of 2572	2816	todaydatabaseovlresig.exe	Update_2569b386.exe
PID 2816 wrote to memory of 2572	2816	todaydatabaseovlresig.exe	Update_2569b386.exe
PID 2816 wrote to memory of 2660	2816	todaydatabaseovlresig.exe	WerFault.exe
PID 2816 wrote to memory of 2660	2816	todaydatabaseovlresig.exe	WerFault.exe
PID 2816 wrote to memory of 2660	2816	todaydatabaseovlresig.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe
"C:\Users\Admin\AppData\Local\Temp\d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS722.tmp\autorun.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy C:\Users\Admin\AppData\Local\Temp\7zS722.tmp\todaydatabaseovlresig.exe C:\Users\Admin\AppData\Local\Temp
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:2932
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $Shortcut = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\todaydatabaseovlresig.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\Temp\todaydatabaseovlresig.exe'; $Shortcut.Save()"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\todaydatabaseovlresig.exe
    C:\Users\Admin\AppData\Local\Temp\todaydatabaseovlresig.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Roaming\Custom_update\Update_2569b386.exe
      "C:\Users\Admin\AppData\Roaming\Custom_update\Update_2569b386.exe"
      4⤵
      Executes dropped EXE
      PID:2572
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2816 -s 256
      4⤵
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS722.tmp\autorun.bat

Filesize
478B

MD5
de2823825a54c5df96225c795808e42d

SHA1
c076f08f7fc3d1e44c3a0450f4b9f2b2c92ed669

SHA256
60e863e70dce64bbd564b98113a75f58c455ae604235ed1339a595944a19321a

SHA512
c8f127d1ac1abf0edcdabfa8ff90ae83ea5c65a7d450631a20c87b60ccd0610f4174ae146e961ab0ab59792f654e14dc303dd176a042e5b0c83b0ae637a3673d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS722.tmp\todaydatabaseovlresig.exe

Filesize
11.0MB

MD5
262d733731abd4b67a97b682bfc9861f

SHA1
254734707cfd4f34388e0b907240c26732434c99

SHA256
989f811ac3c4ba5413fef99154ba60d930835d17832d6c26e3b66d9d45e01126

SHA512
ec49736c73700a2eeeac0c048e1999a081ea2537564ef2e57a04d4a9bbe9016a511955ca78806c6fa18649b4abed790c35c00ed3db7296a2145590fe201c51bc

Download Submit
memory/2816-37-0x000000013FE00000-0x000000013FE15000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads