Analysis
-
max time kernel
95s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-10-2024 01:55
Static task
static1
Behavioral task
behavioral1
Sample
d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe
Resource
win10v2004-20241007-en
General
-
Target
d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe
-
Size
7.9MB
-
MD5
dcadeda5754a0fe953156eb69f966bf2
-
SHA1
3fb6f6bb20ef5d4db9f7996662d6fbd84d2a0ee9
-
SHA256
d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1
-
SHA512
ffb6c3546af692fb48a96f1288c2b96cdad91647e2d9331ceef67cde54548870e387488f17db503e7666540e62450441140220fdc7c8be6410023488953fb290
-
SSDEEP
196608:MddurOkR/ykbTpWm+Jmj3qDc2YDW2nGg+MmzM+dxkh:wdIR6Aamj3qQ2x2nGfMmzh/kh
Malware Config
Extracted
latrodectus
https://restoreviner.com/test/
https://peronikilinfer.com/test/
Signatures
-
Detects Latrodectus 1 IoCs
Detects Latrodectus v1.4.
resource yara_rule behavioral2/memory/712-41-0x00007FF7FEB70000-0x00007FF7FEB85000-memory.dmp family_latrodectus_1_4 -
Latrodectus loader
Latrodectus is a loader written in C++.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\todaydatabaseovlresig.lnk powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 712 todaydatabaseovlresig.exe 8 Update_3107186b.exe -
pid Process 3660 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3660 powershell.exe 3660 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3660 powershell.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 3332 wrote to memory of 1304 3332 d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe 86 PID 3332 wrote to memory of 1304 3332 d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe 86 PID 3332 wrote to memory of 1304 3332 d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe 86 PID 1304 wrote to memory of 4940 1304 cmd.exe 89 PID 1304 wrote to memory of 4940 1304 cmd.exe 89 PID 1304 wrote to memory of 4940 1304 cmd.exe 89 PID 1304 wrote to memory of 3660 1304 cmd.exe 90 PID 1304 wrote to memory of 3660 1304 cmd.exe 90 PID 1304 wrote to memory of 3660 1304 cmd.exe 90 PID 1304 wrote to memory of 712 1304 cmd.exe 91 PID 1304 wrote to memory of 712 1304 cmd.exe 91 PID 712 wrote to memory of 8 712 todaydatabaseovlresig.exe 92 PID 712 wrote to memory of 8 712 todaydatabaseovlresig.exe 92 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe"C:\Users\Admin\AppData\Local\Temp\d8ff7b3040d2674dbdc77b184266ddef54444c0d8db4880ddd3bcd45d610e0c1.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSAE03.tmp\autorun.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\xcopy.exexcopy C:\Users\Admin\AppData\Local\Temp\7zSAE03.tmp\todaydatabaseovlresig.exe C:\Users\Admin\AppData\Local\Temp3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:4940
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $Shortcut = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\todaydatabaseovlresig.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\Temp\todaydatabaseovlresig.exe'; $Shortcut.Save()"3⤵
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660
-
-
C:\Users\Admin\AppData\Local\Temp\todaydatabaseovlresig.exeC:\Users\Admin\AppData\Local\Temp\todaydatabaseovlresig.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Users\Admin\AppData\Roaming\Custom_update\Update_3107186b.exe"C:\Users\Admin\AppData\Roaming\Custom_update\Update_3107186b.exe"4⤵
- Executes dropped EXE
PID:8
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
478B
MD5de2823825a54c5df96225c795808e42d
SHA1c076f08f7fc3d1e44c3a0450f4b9f2b2c92ed669
SHA25660e863e70dce64bbd564b98113a75f58c455ae604235ed1339a595944a19321a
SHA512c8f127d1ac1abf0edcdabfa8ff90ae83ea5c65a7d450631a20c87b60ccd0610f4174ae146e961ab0ab59792f654e14dc303dd176a042e5b0c83b0ae637a3673d
-
Filesize
11.0MB
MD5262d733731abd4b67a97b682bfc9861f
SHA1254734707cfd4f34388e0b907240c26732434c99
SHA256989f811ac3c4ba5413fef99154ba60d930835d17832d6c26e3b66d9d45e01126
SHA512ec49736c73700a2eeeac0c048e1999a081ea2537564ef2e57a04d4a9bbe9016a511955ca78806c6fa18649b4abed790c35c00ed3db7296a2145590fe201c51bc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82