Overview

overview

10

Static

static

1

94b8ab735d...0a.msi

windows7-x64

10

94b8ab735d...0a.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 12:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a.msi

  • Size

    1.5MB

  • MD5

    9c8696dbb48add540a75737327c537d2

  • SHA1

    78b4eb7d363e017eb06e03408d7952bbb843f9a9

  • SHA256

    94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a

  • SHA512

    6ee26ecedd0386eca113e61086f6623b36ca093d24e41d90cf45412072d94d91dddb39c86ce726c3514da3d0221d3cf03455b00cc5d0987ca63d45c12225cf4a

  • SSDEEP

    49152:yErvYpW8zBQSc0ZnSKeZKumZr7Amyq3TGtezO:RYQ0ZncK/AEs

Score
10/10
latrodectusdiscoveryloaderpersistenceprivilege_escalation

Malware Config

Extracted

Family

latrodectus

C2

https://fluraresto.me/live/

https://mastralakkot.live/live/

Signatures

  • Latrodectus family
    latrodectus
  • Latrodectus loader

    Latrodectus is a loader written in C++.

    loaderlatrodectus
  • Detect larodectus Loader variant 1 4 IoCs
    loader
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2780
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3632
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AE6D9E1A3A6F908DF007EB2811AC3B38 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1828
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4340
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding FCF7A1072B095FA8AF4A992ECA00E633
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3944
      • C:\Windows\Installer\MSIB057.tmp
        "C:\Windows\Installer\MSIB057.tmp" /DontWait C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Local\Putty/setordinal.dll,bhuf
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3824
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:212
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Putty/setordinal.dll,bhuf
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\System32\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_e12aef0e.dll", bhuf
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:400

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57add5.rbs
      Filesize

      1KB

      MD5

      d615ccb521a870bd055eade411e3554a

      SHA1

      5bcf522a1d4145e1724139bb812fdaf332d4136c

      SHA256

      a91dc851ea3628433815fc5d4e00aebffb8ebbae9ba64c8d16195e630dbfc95e

      SHA512

      e6d5c7152b394bc47704e539b5551060259ac1b428f866bcf1cede4e8f19790ccf690356a2f48cfc9409497bb1a9c7f3e39ae024517ec953e4b6811a5ead4632

      Download Submit

    • C:\Users\Admin\AppData\Local\Putty\setordinal.dll
      Filesize

      809KB

      MD5

      4b8ecaac3e8a17382932e3daa29dc688

      SHA1

      3ed854b6fda284fdad105cb158949edd9276cd67

      SHA256

      61925bfd71b4d2be670b0bd373b33645d6af062e5d41cb2b6f6c984acbd69de3

      SHA512

      de0459c85786c97ff1b5b0051139fb30fb56cfba45b56384adf8d813faadda0fde80fe9c5fb99aba356d8f0e43f61a8b1bdc232cf12d5f3ba4c99403d9c7a8e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI7772.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Windows\Installer\MSIB057.tmp
      Filesize

      389KB

      MD5

      b9545ed17695a32face8c3408a6a3553

      SHA1

      f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

      SHA256

      1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

      SHA512

      f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      4729277051b85c61700e32b0b5e04b35

      SHA1

      f64098589d0d794262c962591a03c6c23d665cce

      SHA256

      f18b64f128153fe807879fb2f738ea8a1ca2c7ea69caeb147af6d57b96e91881

      SHA512

      220563ce339803e7cd01b81cfe3d7dcdd8899262f3cc5411b6e582962b9dfe1c4a18293f3284f25bb7355e0dc40440bb1db4f90af7b4b4b49703973125962906

      Download Submit

    • \??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cafd117b-570c-4853-90cc-df8adfe5ee71}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      63272ac243b8cdcc1d2a68adaafc57d0

      SHA1

      b80e3c1e36d43d648e3cb52f7fb6c7c320f158a5

      SHA256

      8b6537dbe7d60a9d093be7280db72dd0aed3151caedbcdd37efee6f75e789a85

      SHA512

      4a1b0d2e6edc5e8e73477b6535f01b05adaac3fe388981054c2c69b7ada2cd9cb7ff92ecf7e2c542b46847a4de45c7f156cb9ceddc4fb4c064fda8e58267357e

      Download Submit

    • memory/400-75-0x000001F647A20000-0x000001F647A33000-memory.dmp

      Filesize

      76KB

      Download

    • memory/400-76-0x000001F647A20000-0x000001F647A33000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2784-63-0x00000236B7F10000-0x00000236B7F24000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2784-66-0x00000236B7F30000-0x00000236B7F43000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2784-68-0x0000000180000000-0x00000001800D0000-memory.dmp

      Filesize

      832KB

      Download