latrodectus | 25c47009be94c92f2c0e1c4c2d8a85df40d9e5efcadf20b55d330e786310d75d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.bat
Size

52B
MD5

e5aeedc3eaec3b7f095cc076da3c285f
SHA1

85b1d204f6505e8c4ccaaf62c47566590f7eca69
SHA256

a1f2597f6804c5f40401ed2ec981022a601fe8a1e4eca70b3c9a84a68012ef78
SHA512

8c549ea66298ba1dde7882d32a0dbe70111a8bd3afd59dc06e1dcf0a0f9de396ac25c1e93fd1470ec68e46f03c10a403d64651e793dbc0d398b20d94b7b9f0ec

Score

10^/10

latrodectus loader

Malware Config

Signatures

Detects Latrodectus 6 IoCs

Detects Latrodectus v1.4 Payload.

Processes:

resource	yara_rule
behavioral1/memory/4984-2-0x0000023796DA0000-0x0000023798A53000-memory.dmp	Latrodectus14
behavioral1/memory/4984-0-0x0000023796DA0000-0x0000023798A53000-memory.dmp	Latrodectus14
behavioral1/memory/4984-6-0x0000023796DA0000-0x0000023798A53000-memory.dmp	Latrodectus14
behavioral1/memory/1132-7-0x00000179FCD10000-0x00000179FE9C3000-memory.dmp	Latrodectus14
behavioral1/memory/1132-8-0x00000179FCD10000-0x00000179FE9C3000-memory.dmp	Latrodectus14
behavioral1/memory/4984-10-0x0000023796DA0000-0x0000023798A53000-memory.dmp	Latrodectus14

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid	Process
1132	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exerundll32.exe

description	pid	Process	procid_target
PID 4284 wrote to memory of 4984	4284	cmd.exe	84
PID 4284 wrote to memory of 4984	4284	cmd.exe	84
PID 4984 wrote to memory of 1132	4984	rundll32.exe	85
PID 4984 wrote to memory of 1132	4984	rundll32.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,Object
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_ef8f4b76.dll", Object
    3⤵
    - Loads dropped DLL
    PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_ef8f4b76.dll

Filesize
1.6MB

MD5
d5c83fb50dfea0d0e33584ac228b4036

SHA1
f0d42f81e73f4b49985c3a2a547987771cb3b6a9

SHA256
69a1709290bf91fd4a5c81eb78b18e22b312a3517db4651659c4c8a98782b769

SHA512
9b9b8953450697afe85bf7e80a4a624428eec5433e65128e19364886950ba6ce16a74e787cba16739388ba1c2135354af9500b37bac98951a300ec19ba997765

Download Submit
memory/1132-7-0x00000179FCD10000-0x00000179FE9C3000-memory.dmp

Filesize
28.7MB

Download
memory/1132-8-0x00000179FCD10000-0x00000179FE9C3000-memory.dmp

Filesize
28.7MB

Download
memory/4984-2-0x0000023796DA0000-0x0000023798A53000-memory.dmp

Filesize
28.7MB

Download
memory/4984-0-0x0000023796DA0000-0x0000023798A53000-memory.dmp

Filesize
28.7MB

Download
memory/4984-3-0x0000000072010000-0x00000000721BE000-memory.dmp

Filesize
1.7MB

Download
memory/4984-6-0x0000023796DA0000-0x0000023798A53000-memory.dmp

Filesize
28.7MB

Download
memory/4984-10-0x0000023796DA0000-0x0000023798A53000-memory.dmp

Filesize
28.7MB

Download