latrodectus | a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417.msi
Size

1.3MB
MD5

f83ed040b4e52088817df73ef51fe0d3
SHA1

3d011c54ae9a66ef2a865afd694712b338feed5d
SHA256

a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417
SHA512

c4fe6171f4590a3f588bba5818d05ed525619fc3333f911ea785bebea11788f144b71974254f6dbf270a2b89f9c21698d882d378274cf63005223fe5618d15f0
SSDEEP

24576:ezTxLN3YlMvZCFlp8zBQSc0ZoCvqKox0ECIgYmfLVYeBZr7AL7EveuFPY:ezz3YuW8zBQSc0ZnSKmZKumZr7AfEvLY

Score

10^/10

latrodectus discovery loader persistence privilege_escalation

Malware Config

Extracted

Family

latrodectus

https://jarinamaers.shop/live/

https://startmast.shop/live/

Signatures

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Detect larodectus Loader variant 2 1 IoCs

loader

resource	yara_rule
behavioral2/memory/1840-62-0x000001A723230000-0x000001A723244000-memory.dmp	family_latrodectus_v2

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29A8861A-C6FC-4DA7-A825-218C6068F28B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC1AC.tmp	msiexec.exe
File created	C:\Windows\Installer\e57bf87.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bf87.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC014.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC249.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4784	MSIC249.tmp

Loads dropped DLL 11 IoCs

pid	Process
64	MsiExec.exe
64	MsiExec.exe
64	MsiExec.exe
64	MsiExec.exe
64	MsiExec.exe
64	MsiExec.exe
2012	MsiExec.exe
2012	MsiExec.exe
4148	rundll32.exe
1840	rundll32.exe
4704	rundll32.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
740	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIC249.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009fc5eef0dbaffe7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009fc5eef00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009fc5eef0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9fc5eef0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009fc5eef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4008	msiexec.exe
4008	msiexec.exe
4784	MSIC249.tmp
4784	MSIC249.tmp
4148	rundll32.exe
4148	rundll32.exe
4148	rundll32.exe
4148	rundll32.exe
1840	rundll32.exe
1840	rundll32.exe
1840	rundll32.exe
1840	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	740	msiexec.exe
Token: SeIncreaseQuotaPrivilege	740	msiexec.exe
Token: SeSecurityPrivilege	4008	msiexec.exe
Token: SeCreateTokenPrivilege	740	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	740	msiexec.exe
Token: SeLockMemoryPrivilege	740	msiexec.exe
Token: SeIncreaseQuotaPrivilege	740	msiexec.exe
Token: SeMachineAccountPrivilege	740	msiexec.exe
Token: SeTcbPrivilege	740	msiexec.exe
Token: SeSecurityPrivilege	740	msiexec.exe
Token: SeTakeOwnershipPrivilege	740	msiexec.exe
Token: SeLoadDriverPrivilege	740	msiexec.exe
Token: SeSystemProfilePrivilege	740	msiexec.exe
Token: SeSystemtimePrivilege	740	msiexec.exe
Token: SeProfSingleProcessPrivilege	740	msiexec.exe
Token: SeIncBasePriorityPrivilege	740	msiexec.exe
Token: SeCreatePagefilePrivilege	740	msiexec.exe
Token: SeCreatePermanentPrivilege	740	msiexec.exe
Token: SeBackupPrivilege	740	msiexec.exe
Token: SeRestorePrivilege	740	msiexec.exe
Token: SeShutdownPrivilege	740	msiexec.exe
Token: SeDebugPrivilege	740	msiexec.exe
Token: SeAuditPrivilege	740	msiexec.exe
Token: SeSystemEnvironmentPrivilege	740	msiexec.exe
Token: SeChangeNotifyPrivilege	740	msiexec.exe
Token: SeRemoteShutdownPrivilege	740	msiexec.exe
Token: SeUndockPrivilege	740	msiexec.exe
Token: SeSyncAgentPrivilege	740	msiexec.exe
Token: SeEnableDelegationPrivilege	740	msiexec.exe
Token: SeManageVolumePrivilege	740	msiexec.exe
Token: SeImpersonatePrivilege	740	msiexec.exe
Token: SeCreateGlobalPrivilege	740	msiexec.exe
Token: SeCreateTokenPrivilege	740	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	740	msiexec.exe
Token: SeLockMemoryPrivilege	740	msiexec.exe
Token: SeIncreaseQuotaPrivilege	740	msiexec.exe
Token: SeMachineAccountPrivilege	740	msiexec.exe
Token: SeTcbPrivilege	740	msiexec.exe
Token: SeSecurityPrivilege	740	msiexec.exe
Token: SeTakeOwnershipPrivilege	740	msiexec.exe
Token: SeLoadDriverPrivilege	740	msiexec.exe
Token: SeSystemProfilePrivilege	740	msiexec.exe
Token: SeSystemtimePrivilege	740	msiexec.exe
Token: SeProfSingleProcessPrivilege	740	msiexec.exe
Token: SeIncBasePriorityPrivilege	740	msiexec.exe
Token: SeCreatePagefilePrivilege	740	msiexec.exe
Token: SeCreatePermanentPrivilege	740	msiexec.exe
Token: SeBackupPrivilege	740	msiexec.exe
Token: SeRestorePrivilege	740	msiexec.exe
Token: SeShutdownPrivilege	740	msiexec.exe
Token: SeDebugPrivilege	740	msiexec.exe
Token: SeAuditPrivilege	740	msiexec.exe
Token: SeSystemEnvironmentPrivilege	740	msiexec.exe
Token: SeChangeNotifyPrivilege	740	msiexec.exe
Token: SeRemoteShutdownPrivilege	740	msiexec.exe
Token: SeUndockPrivilege	740	msiexec.exe
Token: SeSyncAgentPrivilege	740	msiexec.exe
Token: SeEnableDelegationPrivilege	740	msiexec.exe
Token: SeManageVolumePrivilege	740	msiexec.exe
Token: SeImpersonatePrivilege	740	msiexec.exe
Token: SeCreateGlobalPrivilege	740	msiexec.exe
Token: SeCreateTokenPrivilege	740	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	740	msiexec.exe
Token: SeLockMemoryPrivilege	740	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
740	msiexec.exe
740	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 64	4008	msiexec.exe	86
PID 4008 wrote to memory of 64	4008	msiexec.exe	86
PID 4008 wrote to memory of 64	4008	msiexec.exe	86
PID 4008 wrote to memory of 536	4008	msiexec.exe	100
PID 4008 wrote to memory of 536	4008	msiexec.exe	100
PID 4008 wrote to memory of 2012	4008	msiexec.exe	102
PID 4008 wrote to memory of 2012	4008	msiexec.exe	102
PID 4008 wrote to memory of 2012	4008	msiexec.exe	102
PID 4008 wrote to memory of 4784	4008	msiexec.exe	103
PID 4008 wrote to memory of 4784	4008	msiexec.exe	103
PID 4008 wrote to memory of 4784	4008	msiexec.exe	103
PID 4148 wrote to memory of 1840	4148	rundll32.exe	105
PID 4148 wrote to memory of 1840	4148	rundll32.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a9fa025fe912c8ad5e6566c675e045732c4d89f4187bfd94c4e916dd9fe25417.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B821E137F584282FAFFE461DAA916B3C C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:64
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:536
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7562618E30ACB2BDC4E594EC56B948E1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Windows\Installer\MSIC249.tmp
  "C:\Windows\Installer\MSIC249.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Local\glosar\beta.dll, homq
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2340

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\glosar\beta.dll, homq
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\System32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.dll", homq
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1840

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.dll", homq
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57bf88.rbs

Filesize
1KB

MD5
db670803fa0d107471911a14a1ae3649

SHA1
248ef8b8fd712731068489b938aed0e795574c8e

SHA256
27d537945d68068c4e67032b8241142c68a81797b88dac8d93a76e1fe60b01ac

SHA512
3a84e29299abf53725c89d8168d3f53e9fddcc38cf867e1c2a799a6ac88bef1f1c3ea7dd79439d190b2481481cdb5e442eb9b6620b2281fe662efa12a9269e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7242.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\glosar\beta.dll

Filesize
364KB

MD5
a1c84c14a82f2cbb7e9a5f253d721159

SHA1
3aa5e70111c290c45daac06984281dfb5439115b

SHA256
53e65d071870f127bc6bf6c8e8ddfd131558153513976744ee7460eeb766d081

SHA512
f76691853fa45d93246dfd8569af5ec7e66fdd7536241b92ee10bb9202b0502e66dfd030fe539956fb28fe20e71b33cae524038c356facf555d4a130c64665ed

Download Submit
C:\Windows\Installer\MSIC249.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
93b9cdf0f82ec4f5ba849ba7f70b562d

SHA1
a610d848d196f3f05d5f5ed8dfd9ed862f0a9b58

SHA256
20242fc5f9cdca80e07f71ab3116c9671074c18dce7a04cb7afdf7d1dfcc9477

SHA512
03408eb5a15faddc53495859904eb7546ca784b8a624fefdfc0b8b790a8b60570f2782dacf5ea7c42061be9bf9355353a1b24e8aeb60a69cdd757b860b98913b

Download Submit
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ba384db0-6127-49fe-be5d-d8abfc3dbe60}_OnDiskSnapshotProp

Filesize
6KB

MD5
8375a23c17a33b52cbf3b0b953733bce

SHA1
51826ff7018dd1e2745e440647b82551c13434c4

SHA256
8f94eb3171bc02ab82100c1ad6dd5859b5baae66b50c05ac7a2560d454e5c055

SHA512
e98339a815561acb11c0cc66bc76c8be4e393135b532a29f024dbae5cda7ccf093584cb1e532555126077a27b6577c1f1f742eafbbf7dc490533489f686ac568

Download Submit
memory/1840-62-0x000001A723230000-0x000001A723244000-memory.dmp

Filesize
80KB

Download
memory/4148-50-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download