Analysis
  max time kernel:  283s
  max time network: 272s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        20-11-2024 06:32
Static task
  static1 (1 signature)

Behavioral task
  behavioral1
  Sample:   sqx.dll
  Resource: win10v2004-20241007-en (windows10-2004-x64)
  11 signatures, 300 seconds
General
  Target: sqx.dll
  Size:   1.3MB
  MD5:    dd862590d9e4ea1791df147912ae4c8f
  SHA1:   852d7a9ea4db5ff4cd51a92447a8d5701cfb322b
  SHA256: 14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
  SHA512: 3e9222d8bd91d3e53f5e378318a78a7c5aa12011272031f7c0d8c36c5b255db1d0a168cc02e1159eb021dd18206352dd6dcb857fefc2222937c467350dc6d568
  SSDEEP: 24576:pQrDp6J8JM3IgVvF7EtPCo1Frk5fRJhqYEjTvpAbHT0HRZonw4by:pQpI8JM3IwEtPCo1F45fvhq/jTyb4HR+
  Score:  10/10
Malware Config
  Extracted
    Family: latrodectus
    C2:
      https://bestmarsgood.com/test/
      https://cerwintifed.com/test/
Signatures

Brute Ratel C4
  A customized command and control framework for red teaming and adversary simulation.
  Bruteratel family

Detect BruteRatel badger (1 IoC)
  resource                                                                  yara_rule
  behavioral1/memory/1472-0-0x00000160472F0000-0x000001604732E000-memory.dmp  family_bruteratel
  This is a single rule match on one memory region of pid 1472 (rundll32.exe); the only configuration extracted from the sample is Latrodectus (see Malware Config), so the Brute Ratel tag rests on this one memory signature alone.
Detects Latrodectus (6 IoCs)
  Detects Latrodectus v1.4.
  resource                                                                   yara_rule
  behavioral1/memory/1472-20-0x00007FF4DE290000-0x00007FF4DE2A5000-memory.dmp  family_latrodectus_1_4
  behavioral1/memory/1472-20-0x00007FF4DE290000-0x00007FF4DE2A5000-memory.dmp  Latrodectus14
  behavioral1/memory/3496-25-0x0000000001550000-0x0000000001565000-memory.dmp  family_latrodectus_1_4
  behavioral1/memory/3496-25-0x0000000001550000-0x0000000001565000-memory.dmp  Latrodectus14
  behavioral1/memory/3496-26-0x0000000001550000-0x0000000001565000-memory.dmp  family_latrodectus_1_4
  behavioral1/memory/3496-26-0x0000000001550000-0x0000000001565000-memory.dmp  Latrodectus14
  Latrodectus family
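The YARA hits above are reported as memory-dump file names followed by a rule name. The parser below is an added example (it is not part of this report or of the sandbox's own tooling) that decodes that naming into pid, dump sequence number and address range, collapses repeated hits on the same region, and compares region sizes across processes. The only assumption is the naming scheme visible above (`<task>/memory/<pid>-<seq>-<start>-<end>-memory.dmp <rule>`); the input is the report's own hit list. Run on these hits it shows that the Latrodectus region in pid 1472 (rundll32.exe) and the region in pid 3496 (Explorer.EXE) are both 0x15000 bytes, which fits the rundll32.exe -> Explorer.EXE WriteProcessMemory entry further down.

```python
import re

# Memory-dump IoC strings copied from the YARA signature tables of this report.
# Dump names follow <task>/memory/<pid>-<dump seq>-<start>-<end>-memory.dmp
# and are followed by the rule that matched; this naming is the only assumption.
REPORT_HITS = [
    "behavioral1/memory/1472-0-0x00000160472F0000-0x000001604732E000-memory.dmp family_bruteratel",
    "behavioral1/memory/1472-20-0x00007FF4DE290000-0x00007FF4DE2A5000-memory.dmp family_latrodectus_1_4",
    "behavioral1/memory/1472-20-0x00007FF4DE290000-0x00007FF4DE2A5000-memory.dmp Latrodectus14",
    "behavioral1/memory/3496-25-0x0000000001550000-0x0000000001565000-memory.dmp family_latrodectus_1_4",
    "behavioral1/memory/3496-25-0x0000000001550000-0x0000000001565000-memory.dmp Latrodectus14",
    "behavioral1/memory/3496-26-0x0000000001550000-0x0000000001565000-memory.dmp family_latrodectus_1_4",
    "behavioral1/memory/3496-26-0x0000000001550000-0x0000000001565000-memory.dmp Latrodectus14",
]

DUMP_RE = re.compile(
    r"^(?P<task>[^/\s]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_hit(line):
    """Split one '<dump name> <rule>' line into its fields; addresses become ints."""
    m = DUMP_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised dump name: {line!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {line!r}")
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start, "rule": m["rule"]}


def regions(lines):
    """Collapse repeated hits on the same (pid, start, end) into one record that
    lists every rule and every dump sequence number that fired on that region."""
    out = {}
    for h in map(parse_hit, lines):
        key = (h["pid"], h["start"], h["end"])
        rec = out.setdefault(key, {"pid": h["pid"], "start": h["start"], "end": h["end"],
                                   "size": h["size"], "rules": set(), "dumps": set()})
        rec["rules"].add(h["rule"])
        rec["dumps"].add(h["seq"])
    return list(out.values())


def sizes_for_rule(regs, rule_prefix):
    """{pid: region size} for regions hit by any rule whose name starts with
    rule_prefix, so the copy in the source process can be compared with the copy
    in the target process (one matching region per pid in this report)."""
    return {r["pid"]: r["size"] for r in regs
            if any(rule.startswith(rule_prefix) for rule in r["rules"])}


if __name__ == "__main__":
    regs = regions(REPORT_HITS)
    for r in sorted(regs, key=lambda r: (r["pid"], r["start"])):
        print(f"pid {r['pid']:>5}  {r['start']:#018x}-{r['end']:#018x}  "
              f"{r['size']:#8x} bytes  dumps={sorted(r['dumps'])}  rules={sorted(r['rules'])}")
    print("latrodectus region sizes:", sizes_for_rule(regs, "family_latrodectus"))
```

The seven hit lines collapse to three distinct regions: the Brute Ratel region in pid 1472 (0x3E000 bytes, dump 0), the Latrodectus region in pid 1472 (dump 20) and the Latrodectus region in pid 3496, which was dumped twice (dumps 25 and 26) and matched both rules each time.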

Latrodectus loader
  Latrodectus is a loader written in C++.
Blocklisted process makes network request (9 IoCs)
  flow  pid   Process
  16    1472  rundll32.exe
  18    1472  rundll32.exe
  20    1472  rundll32.exe
  25    1472  rundll32.exe
  49    1472  rundll32.exe
  58    1472  rundll32.exe
  59    1472  rundll32.exe
  66    1472  rundll32.exe
  67    1472  rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  1472  rundll32.exe  (12 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        3496  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3496  Explorer.EXE

Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  3496  Explorer.EXE

Suspicious use of WriteProcessMemory (1 IoC)
  description                       pid   Process       procid_target
  PID 1472 wrote to memory of 3496  1472  rundll32.exe  56
Processes
  C:\Windows\Explorer.EXE  (PID 3496)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    └ C:\Windows\system32\rundll32.exe  (PID 1472)
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqx.dll,#1
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
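The process tree shows rundll32.exe launched under Explorer.EXE with the sample loaded from the user's Temp directory and its entry point given as export ordinal #1, after which it writes into the memory of PID 3496 (its parent). The detection below is an added example, not part of this report or of any vendor's rule set. It runs over a constructed event list modelled on those entries: the field names (type, pid, ppid, image, cmdline, src_pid, target_pid, flow) are the example's own rather than a Sysmon or EDR schema, and pid 5000 is a made-up benign control. It flags rundll32 invocations that load a DLL from a user-writable path or call an export by ordinal, escalates when such a process writes into another process, and attaches network flows as context.

```python
import re

# Constructed event stream modelled on the process tree and the
# "Suspicious use of WriteProcessMemory" entry of this report. The event
# shape is this example's own, not a Sysmon or EDR schema; pid 5000 is a
# made-up benign control case (system DLL, named export, no remote write).
EVENTS = [
    {"type": "process_create", "pid": 3496, "ppid": 0,
     "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"type": "process_create", "pid": 1472, "ppid": 3496,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqx.dll,#1"},
    {"type": "network_connect", "pid": 1472, "flow": 16},
    {"type": "remote_write", "src_pid": 1472, "target_pid": 3496},
    {"type": "process_create", "pid": 5000, "ppid": 3496,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 takes "<dll>,<entry>"; an entry of "#N" calls export ordinal N,
# which keeps the export name out of command-line telemetry.
RUNDLL_ARGS = re.compile(
    r'(?i)^\s*"?(?:\S*[\\/])?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)')
USER_WRITABLE = re.compile(
    r"(?i)\\users\\[^\\]+\\appdata\\local\\temp\\|\\programdata\\|\\users\\public\\")


def rundll32_indicators(cmdline):
    """Reasons a rundll32 command line looks like a loader; empty list if none."""
    reasons = []
    m = RUNDLL_ARGS.match(cmdline)
    if not m:
        return reasons
    dll, entry = m["dll"].strip(), m["entry"]
    if USER_WRITABLE.search(dll):
        reasons.append(f"DLL loaded from user-writable path: {dll}")
    if entry.startswith("#"):
        reasons.append(f"export called by ordinal: {entry}")
    return reasons


def detect(events):
    """One alert per rundll32 process that shows a loader indicator or writes
    into another process; network activity is attached as context only."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []
    for pid, p in procs.items():
        if not p["image"].lower().endswith("\\rundll32.exe"):
            continue
        reasons = rundll32_indicators(p["cmdline"])
        for e in events:
            if e["type"] == "remote_write" and e["src_pid"] == pid:
                target = procs.get(e["target_pid"], {}).get("image", "unknown")
                reasons.append(f"wrote into pid {e['target_pid']} ({target})")
        if not reasons:
            continue
        flows = [e["flow"] for e in events
                 if e["type"] == "network_connect" and e["pid"] == pid]
        if flows:
            reasons.append(f"network flows: {flows}")
        alerts.append({"pid": pid, "parent": procs.get(p["ppid"], {}).get("image"),
                       "cmdline": p["cmdline"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"ALERT pid {a['pid']} (parent {a['parent']}): {a['cmdline']}")
        for r in a["reasons"]:
            print("  -", r)
```

On the constructed events only pid 1472 alerts, with four reasons (Temp path, ordinal entry, write into pid 3496, network flow 16); the control invocation of shell32.dll by a named export produces nothing. The remote-write check is the part worth keeping even when the command line is clean, since a loader can equally be started from a non-suspicious path with a named export.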