latrodectus | fe5e31d0d20eea7dc2cfc16a65d81663dfadf519d8c5ed847245875b95261ea3

General

Target

d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe
Size

7.9MB
MD5

dcadeda5754a0fe953156eb69f966bf2
SHA1

3fb6f6bb20ef5d4db9f7996662d6fbd84d2a0ee9
SHA256

d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1
SHA512

ffb6c3546af692fb48a96f1288c2b96cdad91647e2d9331ceef67cde54548870e387488f17db503e7666540e62450441140220fdc7c8be6410023488953fb290
SSDEEP

196608:MddurOkR/ykbTpWm+Jmj3qDc2YDW2nGg+MmzM+dxkh:wdIR6Aamj3qQ2x2nGfMmzh/kh

Score

10^/10

latrodectus discovery execution loader

Malware Config

Extracted

Family

latrodectus

C2

https://restoreviner.com/test/

https://peronikilinfer.com/test/

Signatures

Detects Latrodectus 1 IoCs

Detects Latrodectus v1.4.

Processes:

resource	yara_rule
behavioral2/memory/712-41-0x00007FF7FEB70000-0x00007FF7FEB85000-memory.dmp	family_latrodectus_1_4

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe

Drops startup file 1 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\todaydatabaseovlresig.lnk	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

todaydatabaseovlresig.exeUpdate_3107186b.exe

pid process

712 todaydatabaseovlresig.exe
8 Update_3107186b.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3660 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
712	todaydatabaseovlresig.exe
8	Update_3107186b.exe

pid	process
3660	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.execmd.exexcopy.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3660 powershell.exe
3660 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3660 powershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

pid	process
3660	powershell.exe
3660	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3660	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.execmd.exetodaydatabaseovlresig.exe

description	pid	process	target process
PID 3332 wrote to memory of 1304	3332	d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe	cmd.exe
PID 3332 wrote to memory of 1304	3332	d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe	cmd.exe
PID 3332 wrote to memory of 1304	3332	d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe	cmd.exe
PID 1304 wrote to memory of 4940	1304	cmd.exe	xcopy.exe
PID 1304 wrote to memory of 4940	1304	cmd.exe	xcopy.exe
PID 1304 wrote to memory of 4940	1304	cmd.exe	xcopy.exe
PID 1304 wrote to memory of 3660	1304	cmd.exe	powershell.exe
PID 1304 wrote to memory of 3660	1304	cmd.exe	powershell.exe
PID 1304 wrote to memory of 3660	1304	cmd.exe	powershell.exe
PID 1304 wrote to memory of 712	1304	cmd.exe	todaydatabaseovlresig.exe
PID 1304 wrote to memory of 712	1304	cmd.exe	todaydatabaseovlresig.exe
PID 712 wrote to memory of 8	712	todaydatabaseovlresig.exe	Update_3107186b.exe
PID 712 wrote to memory of 8	712	todaydatabaseovlresig.exe	Update_3107186b.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe
"C:\Users\Admin\AppData\Local\Temp\d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSAE03.tmp\autorun.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy C:\Users\Admin\AppData\Local\Temp\7zSAE03.tmp\todaydatabaseovlresig.exe C:\Users\Admin\AppData\Local\Temp
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:4940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $Shortcut = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\todaydatabaseovlresig.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\Temp\todaydatabaseovlresig.exe'; $Shortcut.Save()"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
- - C:\Users\Admin\AppData\Local\Temp\todaydatabaseovlresig.exe
    C:\Users\Admin\AppData\Local\Temp\todaydatabaseovlresig.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:712
  - - C:\Users\Admin\AppData\Roaming\Custom_update\Update_3107186b.exe
      "C:\Users\Admin\AppData\Roaming\Custom_update\Update_3107186b.exe"
      4⤵
      Executes dropped EXE
      PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSAE03.tmp\autorun.bat

Filesize
478B

MD5
de2823825a54c5df96225c795808e42d

SHA1
c076f08f7fc3d1e44c3a0450f4b9f2b2c92ed669

SHA256
60e863e70dce64bbd564b98113a75f58c455ae604235ed1339a595944a19321a

SHA512
c8f127d1ac1abf0edcdabfa8ff90ae83ea5c65a7d450631a20c87b60ccd0610f4174ae146e961ab0ab59792f654e14dc303dd176a042e5b0c83b0ae637a3673d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE03.tmp\todaydatabaseovlresig.exe

Filesize
11.0MB

MD5
262d733731abd4b67a97b682bfc9861f

SHA1
254734707cfd4f34388e0b907240c26732434c99

SHA256
989f811ac3c4ba5413fef99154ba60d930835d17832d6c26e3b66d9d45e01126

SHA512
ec49736c73700a2eeeac0c048e1999a081ea2537564ef2e57a04d4a9bbe9016a511955ca78806c6fa18649b4abed790c35c00ed3db7296a2145590fe201c51bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_532knxwv.v1m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/712-41-0x00007FF7FEB70000-0x00007FF7FEB85000-memory.dmp

Filesize
84KB

Download
memory/3660-13-0x00000000739E0000-0x0000000074190000-memory.dmp

Filesize
7.7MB

Download
memory/3660-14-0x0000000005880000-0x0000000005EA8000-memory.dmp

Filesize
6.2MB

Download
memory/3660-15-0x0000000005410000-0x0000000005432000-memory.dmp

Filesize
136KB

Download
memory/3660-16-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/3660-12-0x0000000002DD0000-0x0000000002E06000-memory.dmp

Filesize
216KB

Download
memory/3660-17-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/3660-27-0x0000000005FB0000-0x0000000006304000-memory.dmp

Filesize
3.3MB

Download
memory/3660-28-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/3660-29-0x0000000006410000-0x000000000645C000-memory.dmp

Filesize
304KB

Download
memory/3660-31-0x00000000068F0000-0x000000000690A000-memory.dmp

Filesize
104KB

Download
memory/3660-30-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/3660-36-0x00000000739E0000-0x0000000074190000-memory.dmp

Filesize
7.7MB

Download
memory/3660-11-0x00000000739EE000-0x00000000739EF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads