Analysis
-
max time kernel
96s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 06:57
Static task
static1
Behavioral task
behavioral1
Sample
d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051N.exe
Resource
win10v2004-20241007-en
General
-
Target
d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051N.exe
-
Size
2.5MB
-
MD5
187b9b21317fc31a90a5b804102e15b0
-
SHA1
c99f09128e405dd75bf218e80c048c613ef90359
-
SHA256
d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051
-
SHA512
d75fe63e440260c701fecb500e2f8f62e97207f31610d6a93b28fa0f33a0df9d80c665c1e86692933862cb1ecc4979f48aa643b0ad95aa484d6822a24bd44434
-
SSDEEP
49152:q2daHSl4E1Kn2w719v6ODWb2h7dk2YCRq7fjN8QC7a0N9esKsJIV4:P1K2Vio2h7G2YCRq7h5C7aHs7o
Malware Config
Extracted
latrodectus
https://proliforetka.com/test/
https://dogirafer.com/test/
Signatures
-
Latrodectus family
-
Latrodectus loader
Latrodectus is a loader written in C++.
-
Deletes itself 1 IoCs
pid Process 1056 d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051N.exe -
Executes dropped EXE 1 IoCs
pid Process 5088 Update_ed389c67.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1056 d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051N.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1056 wrote to memory of 5088 1056 d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051N.exe 81 PID 1056 wrote to memory of 5088 1056 d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051N.exe 81 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051N.exe"C:\Users\Admin\AppData\Local\Temp\d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051N.exe"1⤵
- Deletes itself
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.exe"C:\Users\Admin\AppData\Roaming\Custom_update\Update_ed389c67.exe"2⤵
- Executes dropped EXE
PID:5088
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5187b9b21317fc31a90a5b804102e15b0
SHA1c99f09128e405dd75bf218e80c048c613ef90359
SHA256d1e47440f39aa38030291c418b411fdb89e30cf8b909069da2c3b70fb02c8051
SHA512d75fe63e440260c701fecb500e2f8f62e97207f31610d6a93b28fa0f33a0df9d80c665c1e86692933862cb1ecc4979f48aa643b0ad95aa484d6822a24bd44434