Analysis
max time kernel: 144s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-11-2024 12:53
Static task: static1
Behavioral task: behavioral1
  Sample: a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417.msi
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417.msi
  Resource: win10v2004-20241007-en
General
Target: a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417.msi
Size: 1.3MB
MD5: f83ed040b4e52088817df73ef51fe0d3
SHA1: 3d011c54ae9a66ef2a865afd694712b338feed5d
SHA256: a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417
SHA512: c4fe6171f4590a3f588bba5818d05ed525619fc3333f911ea785bebea11788f144b71974254f6dbf270a2b89f9c21698d882d378274cf63005223fe5618d15f0
SSDEEP: 24576:ezTxLN3YlMvZCFlp8zBQSc0ZoCvqKox0ECIgYmfLVYeBZr7AL7EveuFPY:ezz3YuW8zBQSc0ZnSKmZKumZr7AfEvLY
Malware Config
Extracted
latrodectus
https://jarinamaers.shop/live/
https://startmast.shop/live/
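The two C2 URLs above are the only network indicators the report extracts. As an added example (not code from the report, the sandbox, or the malware), the following Python script normalises them to hostnames and runs them over web-proxy log lines, treating subdomains of a C2 host as hits, ignoring case and ports, and rejecting look-alike suffixes such as startmast.shop.example.net. The log lines, their format and the client IP addresses are constructed for the demo and are not from the report.

```python
"""
Match the Latrodectus C2 hosts extracted by the sandbox against proxy log lines.
Added example; the log format and client addresses below are constructed.
"""
import re
from urllib.parse import urlsplit

# C2 URLs as extracted by the sandbox (taken from the report).
C2_URLS = [
    "https://jarinamaers.shop/live/",
    "https://startmast.shop/live/",
]

# Constructed log lines; the format "<timestamp> <client-ip> <method> <url> <status>"
# is an assumption for this demo, not a real product's format.
SAMPLE_LOG = """\
2024-11-03T12:55:01Z 10.0.0.15 POST https://jarinamaers.shop/live/ 200
2024-11-03T12:55:02Z 10.0.0.15 GET https://www.example.com/ 200
2024-11-03T12:55:09Z 10.0.0.22 POST https://cdn.startmast.shop:443/live/ 200
2024-11-03T12:55:10Z 10.0.0.22 GET https://startmast.shop.example.net/ 200
2024-11-03T12:55:11Z 10.0.0.31 GET http://JARINAMAERS.SHOP/live/ 404
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def c2_hosts(urls=C2_URLS):
    """Normalised hostnames of the C2 URLs (lower-case, port and trailing dot removed)."""
    hosts = set()
    for u in urls:
        host = urlsplit(u).hostname  # urlsplit lower-cases and strips the port
        if host:
            hosts.add(host.rstrip("."))
    return hosts


def host_matches(host, ioc_hosts):
    """True if host equals an IoC host or is a subdomain of one.

    The leading dot in the suffix test is what keeps
    'startmast.shop.example.net' from matching 'startmast.shop'.
    """
    h = host.lower().rstrip(".")
    return any(h == ioc or h.endswith("." + ioc) for ioc in ioc_hosts)


def scan_log(text, urls=C2_URLS):
    """Return (timestamp, client, matched_host, url) for each line that reaches a C2 host."""
    ioc = c2_hosts(urls)
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than aborting the scan
        host = urlsplit(m["url"]).hostname
        if host and host_matches(host, ioc):
            hits.append((m["ts"], m["src"], host, m["url"]))
    return hits


def clients_by_host(hits):
    """Pivot the hits into {c2_host: {client_ip, ...}} for scoping the response."""
    out = {}
    for _, src, host, _ in hits:
        out.setdefault(host, set()).add(src)
    return out


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(clients_by_host(hits))
```

Matching on the host rather than the full URL is deliberate: the `/live/` path is the part of the indicator most likely to change between builds, while the registered domains are what the operator had to pay for.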
Signatures
Latrodectus family
Latrodectus loader
Latrodectus is a loader written in C++.
Detect larodectus Loader variant 2 (1 IoC)
resource: behavioral2/memory/1840-62-0x000001A723230000-0x000001A723244000-memory.dmp
yara_rule: family_latrodectus_v2
The YARA match is against a memory dump of PID 1840 (rundll32.exe running Update_ed389c67.dll), not against the MSI on disk, so the family classification comes from the payload as it is laid out in memory. Expect an on-disk scan of the MSI with the same rule to miss.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: msiexec.exe. Each of the following drive roots was opened read-only twice (46 events in total): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:. C:, D: and F: do not appear in the list.
Both Windows Installer processes in the tree (PIDs 740 and 4008) trigger this signature. Windows Installer enumerates volumes as part of normal install costing, so on its own this is weak evidence; the signal in this report is the context (an MSI that goes on to run rundll32.exe on a DLL under a user profile path), not the drive enumeration itself.
Drops file in Windows directory (10 IoCs)
Process: msiexec.exe
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification: C:\Windows\Installer\MSIC0D0.tmp
- File opened for modification: C:\Windows\Installer\
- File created: C:\Windows\Installer\SourceHash{29A8861A-C6FC-4DA7-A825-218C6068F28B}
- File opened for modification: C:\Windows\Installer\MSIC1AC.tmp
- File created: C:\Windows\Installer\e57bf87.msi
- File opened for modification: C:\Windows\Installer\e57bf87.msi
- File opened for modification: C:\Windows\Installer\MSIC014.tmp
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- File opened for modification: C:\Windows\Installer\MSIC249.tmp
The GUID in SourceHash{...} is the package's product code and e57bf87.msi is Windows Installer's cached copy of the package, both useful for finding other hosts that ran the same installer. Of the MSI*.tmp files, only MSIC249.tmp is later executed (see "Executes dropped EXE").
Executes dropped EXE (1 IoC)
PID 4784: MSIC249.tmp
Loads dropped DLL (11 IoCs)
- PID 64 MsiExec.exe (6 loads)
- PID 2012 MsiExec.exe (2 loads)
- PID 4148 rundll32.exe
- PID 1840 rundll32.exe
- PID 4704 rundll32.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
PID 740: msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MsiExec.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MsiExec.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MSIC249.tmp
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process: vssvc.exe
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value omitted)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr
Every one of these operations is performed by vssvc.exe (PID 2340), the Volume Shadow Copy service, and what it writes are partition-table and snapshot caches under Partmgr. That is the service doing its job for the restore point the installer requested (srtasks.exe ExecuteScopeRestorePoint in the process tree), not the loader probing the disk to fingerprint a sandbox; the generic signature description does not fit this run.
Suspicious behavior: EnumeratesProcesses (16 IoCs)
- PID 4008 msiexec.exe (2)
- PID 4784 MSIC249.tmp (2)
- PID 4148 rundll32.exe (4)
- PID 1840 rundll32.exe (4)
- PID 4704 rundll32.exe (4)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All but one of the 64 token adjustments listed are by PID 740 (msiexec.exe, the installer client launched with /I); the exception is SeSecurityPrivilege by PID 4008 (msiexec.exe /V, the installer service). In order, the report lists:
SeShutdownPrivilege (740), SeIncreaseQuotaPrivilege (740), SeSecurityPrivilege (4008), and then PID 740 enabling the same 29 privileges in a fixed cycle:
SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
(two complete cycles, followed by SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege and SeLockMemoryPrivilege of a third, which brings the listing to 64 entries).
This is the Windows Installer client requesting every privilege its token can hold, which it does for any package; it is attributable to msiexec.exe itself, not to the dropped payload, and none of the rundll32.exe processes appear here.
Suspicious use of FindShellTrayWindow (2 IoCs)
PID 740 msiexec.exe (2)
Suspicious use of WriteProcessMemory (13 IoCs)
- PID 4008 msiexec.exe wrote to memory of PID 64 (3 times; procid_target 86)
- PID 4008 msiexec.exe wrote to memory of PID 536 (2 times; procid_target 100)
- PID 4008 msiexec.exe wrote to memory of PID 2012 (3 times; procid_target 102)
- PID 4008 msiexec.exe wrote to memory of PID 4784 (3 times; procid_target 103)
- PID 4148 rundll32.exe wrote to memory of PID 1840 (2 times; procid_target 105)
Each target is the writer's own direct child in the process tree below, so these are writes made while creating the child, not injection into an unrelated process.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
The report attaches no process, task name or action to this signature, so which process registered the task and what it runs are not shown here. The top-level rundll32.exe launch of Update_ed389c67.dll (PID 4704, no recorded parent) is the obvious candidate for the task's action, but the report does not confirm it.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
In this run the VSS activity belongs to the installer's restore point (srtasks.exe ExecuteScopeRestorePoint under msiexec.exe, serviced by vssvc.exe), which is standard Windows Installer behaviour; there is no evidence in the report of the payload enumerating or deleting shadow copies.
Processes
Indentation follows the parent/child depth recorded by the sandbox; processes at the left margin have no recorded parent.

C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417.msi
  PID: 740
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 4008
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding B821E137F584282FAFFE461DAA916B3C C
      PID: 64
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\system32\srtasks.exe
      command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 536

    C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7562618E30ACB2BDC4E594EC56B948E1
      PID: 2012
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\Installer\MSIC249.tmp
      command line: "C:\Windows\Installer\MSIC249.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Local\glosar\beta.dll, homq
      PID: 4784
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 2340
  - Checks SCSI registry key(s)

C:\Windows\System32\rundll32.exe
  command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\glosar\beta.dll, homq
  PID: 4148
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\rundll32.exe
      command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.dll", homq
      PID: 1840
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.dll", homq
  PID: 4704
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses

Reading the tree: the user-launched msiexec.exe /I (740) hands the package to the Windows Installer service (msiexec.exe /V, 4008). The service runs its 32-bit custom-action hosts (MsiExec.exe -Embedding, PIDs 64 and 2012, which load the dropped DLLs) and the restore-point helper srtasks.exe, and executes the dropped MSIC249.tmp, whose only job is to run rundll32.exe on C:\Users\Admin\AppData\Local\glosar\beta.dll with export homq. That rundll32.exe (4148) then starts a second rundll32.exe (1840) on C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.dll with the same export name; 1840 is the process whose memory matches the Latrodectus YARA rule. The same command line runs once more as a top-level process (4704) with no recorded parent. The two things worth alerting on are a Windows\Installer\MSI*.tmp process invoking rundll32.exe, and rundll32.exe being handed a DLL under a user profile directory.
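The chain above (a dropped MSI*.tmp under the Windows Installer service handing rundll32.exe a DLL under AppData\Local, then rundll32.exe re-launching on a different DLL under AppData\Roaming) is the detection opportunity in this report. As an added example, not code from the sandbox or the report, the following Python script encodes those observations as three rules over Sysmon-style process-creation events. The event list is constructed: PIDs, image paths and command lines are copied from the tree above, parent PIDs are 0 where the report records no parent, and a benign rundll32.exe launch of a Control Panel applet from explorer.exe (PIDs 3000 and 3100) is assumed as a control that must not fire.

```python
"""
Flag the msiexec -> MSI*.tmp -> rundll32 -> rundll32 chain from process-creation
events. Added example; the SAMPLE_EVENTS list is constructed from the report's
process tree plus an assumed benign control (PIDs 3000/3100).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not recorded
    image: str
    cmdline: str


# rundll32 argument form: rundll32.exe <dll>,<export>  (quotes around the DLL optional)
RUNDLL_ARGS = re.compile(r'rundll32\.exe"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
# DLL lives under a user profile, i.e. a path the user (or malware as the user) can write
USER_PROFILE_DLL = re.compile(r"\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)
# Windows Installer temp executable, e.g. C:\Windows\Installer\MSIC249.tmp
INSTALLER_TMP = re.compile(r"\\windows\\installer\\msi[0-9a-f]+\.tmp$", re.I)

SAMPLE_EVENTS = [
    ProcEvent(740, 0, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417.msi"),
    ProcEvent(4008, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(4784, 4008, r"C:\Windows\Installer\MSIC249.tmp",
              r'"C:\Windows\Installer\MSIC249.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Local\glosar\beta.dll, homq'),
    ProcEvent(4148, 0, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\glosar\beta.dll, homq'),
    ProcEvent(1840, 4148, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.dll", homq'),
    ProcEvent(4704, 0, r"C:\Windows\system32\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.dll", homq'),
    # Benign control (assumed, not from the report): Control Panel applet from explorer.exe.
    ProcEvent(3000, 0, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(3100, 3000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def parse_rundll32(cmdline):
    """Return (dll_path, export) if the command line invokes rundll32 with a DLL, else None."""
    m = RUNDLL_ARGS.search(cmdline)
    return (m["dll"].strip(), m["export"]) if m else None


def detect(events):
    """Return (pid, rule, dll, export) findings for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        target = parse_rundll32(e.cmdline)
        if target is None:
            continue                      # the MSI path under AppData alone is not enough
        dll, export = target
        parent = by_pid.get(e.ppid)
        # Rule 1: rundll32 is handed a DLL from a user-writable profile directory.
        if USER_PROFILE_DLL.search(dll):
            findings.append((e.pid, "rundll32_dll_in_user_profile", dll, export))
        # Rule 2: a Windows Installer temp executable exists only to launch rundll32.
        if INSTALLER_TMP.search(e.image):
            findings.append((e.pid, "installer_tmp_launches_rundll32", dll, export))
        # Rule 3: rundll32 spawns rundll32 on a different DLL (payload relocated and re-run).
        if parent and is_rundll32(e.image) and is_rundll32(parent.image):
            ptarget = parse_rundll32(parent.cmdline)
            if ptarget and ptarget[0].lower() != dll.lower():
                findings.append((e.pid, "rundll32_relaunch_with_new_dll", dll, export))
    return findings


if __name__ == "__main__":
    for pid, rule, dll, export in detect(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<34} {dll}  export={export}")
```

Rule 3 is keyed on the DLL path changing between parent and child rather than on the path alone, so a legitimate rundll32.exe that simply re-invokes itself on the same library is not flagged; the export name (homq here) is kept in the finding because it is cheap to pivot on across hosts.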
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path recorded)
Filesize: 1KB
MD5: db670803fa0d107471911a14a1ae3649
SHA1: 248ef8b8fd712731068489b938aed0e795574c8e
SHA256: 27d537945d68068c4e67032b8241142c68a81797b88dac8d93a76e1fe60b01ac
SHA512: 3a84e29299abf53725c89d8168d3f53e9fddcc38cf867e1c2a799a6ac88bef1f1c3ea7dd79439d190b2481481cdb5e442eb9b6620b2281fe662efa12a9269e8e

(no path recorded)
Filesize: 436KB
MD5: 475d20c0ea477a35660e3f67ecf0a1df
SHA1: 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256: 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512: 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

(no path recorded)
Filesize: 364KB
MD5: a1c84c14a82f2cbb7e9a5f253d721159
SHA1: 3aa5e70111c290c45daac06984281dfb5439115b
SHA256: 53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081
SHA512: f76691853fa45d93246dfd8569af5ec7e66fdd7536241b92ee10bb9202b0502e66dfd030fe539956fb28fe20e71b33cae524038c356facf555d4a130c64665ed

(no path recorded)
Filesize: 389KB
MD5: b9545ed17695a32face8c3408a6a3553
SHA1: f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
SHA256: 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
SHA512: f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

(no path recorded)
Filesize: 24.1MB
MD5: 93b9cdf0f82ec4f5ba849ba7f70b562d
SHA1: a610d848d196f3f05d5f5ed8dfd9ed862f0a9b58
SHA256: 20242fc5f9cdca80e07f71ab3116c9671074c18dce7a04cb7afdf7d1dfcc9477
SHA512: 03408eb5a15faddc53495859904eb7546ca784b8a624fefdfc0b8b790a8b60570f2782dacf5ea7c42061be9bf9355353a1b24e8aeb60a69cdd757b860b98913b

\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ba384db0-6127-49fe-be5d-d8abfc3dbe60}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 8375a23c17a33b52cbf3b0b953733bce
SHA1: 51826ff7018dd1e2745e440647b82551c13434c4
SHA256: 8f94eb3171bc02ab82100c1ad6dd5859b5baae66b50c05ac7a2560d454e5c055
SHA512: e98339a815561acb11c0cc66bc76c8be4e393135b532a29f024dbae5cda7ccf093584cb1e532555126077a27b6577c1f1f742eafbbf7dc490533489f686ac568