Overview

overview

10

Static

static

3

018150d42e...d1.exe

windows7-x64

10

018150d42e...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-02-2025 20:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    018150d42eef2a004821b1ae6242a1daaeb122786b6ba4c5437f45390ccb7cd1.exe

  • Size

    8.8MB

  • MD5

    028903c61dc62459f4241124b7ce3e8d

  • SHA1

    65beb2be5d0cac1f246f43dfe3bbfd2124919137

  • SHA256

    018150d42eef2a004821b1ae6242a1daaeb122786b6ba4c5437f45390ccb7cd1

  • SHA512

    fc616aad411d0dafdde18b2b9dd78978cfe3cb10fc7932928eed528b16a425d96f82b995cdb3c3258370c5a25402eaf5220e6d2e39a52fafb95ab68fd2dc5a00

  • SSDEEP

    196608:7cC8osdUCWzpt8iSjiTF6pS7MO8Q6gLawggMNr2ieZMpbfn:7clFPWzpt8iSqopS7MO8Q6gLawOyiQM5

Score
10/10
latrodectusloader

Malware Config

Extracted

Family

latrodectus

Version

1.4

C2

https://piloferstaf.com/test/

https://ypredoninen.com/test/
Attributes
  • group

    Sigma

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)

aes.hex

Extracted

Family

latrodectus

aes.hex

Signatures

  • Latrodectus family
    latrodectus
  • Latrodectus loader

    Latrodectus is a loader written in C++.

    loaderlatrodectus
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\018150d42eef2a004821b1ae6242a1daaeb122786b6ba4c5437f45390ccb7cd1.exe
    "C:\Users\Admin\AppData\Local\Temp\018150d42eef2a004821b1ae6242a1daaeb122786b6ba4c5437f45390ccb7cd1.exe"
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Roaming\Custom_update\Update_974db905.exe
      "C:\Users\Admin\AppData\Roaming\Custom_update\Update_974db905.exe"
      2⤵
      • Executes dropped EXE
      PID:2672
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A223DE30-579A-4012-B3EA-13594DEAD95C} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Users\Admin\AppData\Roaming\Custom_update\Update_974db905.exe
      C:\Users\Admin\AppData\Roaming\Custom_update\Update_974db905.exe
      2⤵
      • Executes dropped EXE
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Custom_update\Update_974db905.exe
    Filesize

    8.8MB

    MD5

    028903c61dc62459f4241124b7ce3e8d

    SHA1

    65beb2be5d0cac1f246f43dfe3bbfd2124919137

    SHA256

    018150d42eef2a004821b1ae6242a1daaeb122786b6ba4c5437f45390ccb7cd1

    SHA512

    fc616aad411d0dafdde18b2b9dd78978cfe3cb10fc7932928eed528b16a425d96f82b995cdb3c3258370c5a25402eaf5220e6d2e39a52fafb95ab68fd2dc5a00

    Download Submit

  • memory/2828-1-0x0000000140000000-0x0000000141CB2000-memory.dmp

    Filesize

    28.7MB

    Download

  • memory/2828-5-0x00000000026C0000-0x0000000004370000-memory.dmp

    Filesize

    28.7MB

    Download

  • memory/2828-10-0x000000013F030000-0x000000013F955000-memory.dmp

    Filesize

    9.1MB

    Download