latrodectus | 17ebc368abd92f7f8d10ac0247c1445c4b7707beef4335c3fd661951aceb7ee7

Analysis

max time kernel
95s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.bat
Size

50B
MD5

04d14de9b2fe12f2503888036bfecd59
SHA1

45cbf5679a06a1c3239ac5ba8d34c50d1bdea309
SHA256

9e1bb5313275a591c5abd02bb5c78fafd4e22b04e70180eb656fda60f65295a7
SHA512

c3815029c9c01eae5a3f9ffa4cd6ccc235e3ce3236fe212578418c5cc7fedd5ca5ccdfc76bcec69db5ed5908af285cf1125a641fe9516958916f2e53cd126445

Score

10^/10

latrodectus loader

Malware Config

Signatures

Detects Latrodectus 6 IoCs

Detects Latrodectus v1.4 Payload.

resource	yara_rule
behavioral1/memory/4820-0-0x000001B279CC0000-0x000001B27B973000-memory.dmp	Latrodectus14
behavioral1/memory/4820-3-0x000001B279CC0000-0x000001B27B973000-memory.dmp	Latrodectus14
behavioral1/memory/4820-2-0x000001B279CC0000-0x000001B27B973000-memory.dmp	Latrodectus14
behavioral1/memory/4820-7-0x000001B279CC0000-0x000001B27B973000-memory.dmp	Latrodectus14
behavioral1/memory/2612-8-0x000001D4F1030000-0x000001D4F2CE3000-memory.dmp	Latrodectus14
behavioral1/memory/2612-9-0x000001D4F1030000-0x000001D4F2CE3000-memory.dmp	Latrodectus14

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Loads dropped DLL 1 IoCs

pid	Process
2612	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4820	2148	cmd.exe	84
PID 2148 wrote to memory of 4820	2148	cmd.exe	84
PID 4820 wrote to memory of 2612	4820	rundll32.exe	85
PID 4820 wrote to memory of 2612	4820	rundll32.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,Object
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_f491a703.dll", Object
    3⤵
    - Loads dropped DLL
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_f491a703.dll

Filesize
1.6MB

MD5
09c971d37b0d9b139b03950914304735

SHA1
b4aa149092c41b3f478d0d3984ed1c71f9d5c0cf

SHA256
ce9a17687a6aa71b1f382c292a085bd31eb4c15a851cc11e49b1302bd3d1602b

SHA512
928c00c0dfe3d14d15e16f1af5e954fe257914d40e453cf8bc32b67dac927877c7bf3c740c1f20dc7584227c41b1bd0ef1e4bafced8bddd445de6c6f68a08d42

Download Submit
memory/2612-8-0x000001D4F1030000-0x000001D4F2CE3000-memory.dmp

Filesize
28.7MB

Download
memory/2612-9-0x000001D4F1030000-0x000001D4F2CE3000-memory.dmp

Filesize
28.7MB

Download
memory/4820-0-0x000001B279CC0000-0x000001B27B973000-memory.dmp

Filesize
28.7MB

Download
memory/4820-3-0x000001B279CC0000-0x000001B27B973000-memory.dmp

Filesize
28.7MB

Download
memory/4820-4-0x0000000070E00000-0x0000000070FAE000-memory.dmp

Filesize
1.7MB

Download
memory/4820-2-0x000001B279CC0000-0x000001B27B973000-memory.dmp

Filesize
28.7MB

Download
memory/4820-7-0x000001B279CC0000-0x000001B27B973000-memory.dmp

Filesize
28.7MB

Download