Analysis

  • max time kernel
    144s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 12:53

General

  • Target

    a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417.msi

  • Size

    1.3MB

  • MD5

    f83ed040b4e52088817df73ef51fe0d3

  • SHA1

    3d011c54ae9a66ef2a865afd694712b338feed5d

  • SHA256

    a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417

  • SHA512

    c4fe6171f4590a3f588bba5818d05ed525619fc3333f911ea785bebea11788f144b71974254f6dbf270a2b89f9c21698d882d378274cf63005223fe5618d15f0

  • SSDEEP

    24576:ezTxLN3YlMvZCFlp8zBQSc0ZoCvqKox0ECIgYmfLVYeBZr7AL7EveuFPY:ezz3YuW8zBQSc0ZnSKmZKumZr7AfEvLY

Malware Config

Extracted

Family

latrodectus

C2

https://jarinamaers.shop/live/

https://startmast.shop/live/

Signatures

  • Latrodectus family
  • Latrodectus loader

    Latrodectus is a loader written in C++.

  • Detect larodectus Loader variant 2 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:740
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B821E137F584282FAFFE461DAA916B3C C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:64
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:536
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 7562618E30ACB2BDC4E594EC56B948E1
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2012
      • C:\Windows\Installer\MSIC249.tmp
        "C:\Windows\Installer\MSIC249.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Local\glosar\beta.dll, homq
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4784
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:2340
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\glosar\beta.dll, homq
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Windows\System32\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.dll", homq
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:1840
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.dll", homq
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:4704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57bf88.rbs

      Filesize

      1KB

      MD5

      db670803fa0d107471911a14a1ae3649

      SHA1

      248ef8b8fd712731068489b938aed0e795574c8e

      SHA256

      27d537945d68068c4e67032b8241142c68a81797b88dac8d93a76e1fe60b01ac

      SHA512

      3a84e29299abf53725c89d8168d3f53e9fddcc38cf867e1c2a799a6ac88bef1f1c3ea7dd79439d190b2481481cdb5e442eb9b6620b2281fe662efa12a9269e8e

    • C:\Users\Admin\AppData\Local\Temp\MSI7242.tmp

      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

    • C:\Users\Admin\AppData\Local\glosar\beta.dll

      Filesize

      364KB

      MD5

      a1c84c14a82f2cbb7e9a5f253d721159

      SHA1

      3aa5e70111c290c45daac06984281dfb5439115b

      SHA256

      53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081

      SHA512

      f76691853fa45d93246dfd8569af5ec7e66fdd7536241b92ee10bb9202b0502e66dfd030fe539956fb28fe20e71b33cae524038c356facf555d4a130c64665ed

    • C:\Windows\Installer\MSIC249.tmp

      Filesize

      389KB

      MD5

      b9545ed17695a32face8c3408a6a3553

      SHA1

      f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

      SHA256

      1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

      SHA512

      f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      24.1MB

      MD5

      93b9cdf0f82ec4f5ba849ba7f70b562d

      SHA1

      a610d848d196f3f05d5f5ed8dfd9ed862f0a9b58

      SHA256

      20242fc5f9cdca80e07f71ab3116c9671074c18dce7a04cb7afdf7d1dfcc9477

      SHA512

      03408eb5a15faddc53495859904eb7546ca784b8a624fefdfc0b8b790a8b60570f2782dacf5ea7c42061be9bf9355353a1b24e8aeb60a69cdd757b860b98913b

    • \??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ba384db0-6127-49fe-be5d-d8abfc3dbe60}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      8375a23c17a33b52cbf3b0b953733bce

      SHA1

      51826ff7018dd1e2745e440647b82551c13434c4

      SHA256

      8f94eb3171bc02ab82100c1ad6dd5859b5baae66b50c05ac7a2560d454e5c055

      SHA512

      e98339a815561acb11c0cc66bc76c8be4e393135b532a29f024dbae5cda7ccf093584cb1e532555126077a27b6577c1f1f742eafbbf7dc490533489f686ac568

    • memory/1840-62-0x000001A723230000-0x000001A723244000-memory.dmp

      Filesize

      80KB

    • memory/4148-50-0x0000000180000000-0x0000000180066000-memory.dmp

      Filesize

      408KB