Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/03/2025, 22:22
Static task: static1
Behavioral task: behavioral1
  Sample: aswavdetection.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: aswavdetection.dll
  Resource: win10v2004-20250314-en
General
Target: aswavdetection.dll
Size: 1.8MB
MD5: 22e933c9c5532d13fbcae3d9f2080c35
SHA1: 6311eb48932a5544cbe3c2c2fe2b036231432bd4
SHA256: 52a81e514d1113019f39273179f691379fbb78cd70a370aea22a00397cef5b99
SHA512: 20a4d7d2328332dc017fd4ced63c8efc45ac90d749db06345422749545cd4391682d37a01b9a91b21b5e70f1f8c8006c80b7e35ed696a239f76911ddf50ed5ac
SSDEEP: 49152:9srSb808eyLlSRqVNPseFyTJ1CLXuzYYjc8F4HcDsYfPFGMSugRP:KL1PYTI9Hco
Malware Config
Extracted
  Family: latrodectus
  Version: 1.4
  C2: https://remustarofilac.com/test/
  C2: https://horetimodual.com/test/
  group: Ferrary
  user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Extracted
  Family: latrodectus
Signatures
Latrodectus family
Latrodectus loader
  Latrodectus is a loader written in C++.
Deletes itself (1 IoCs)
  pid   Process
  764   rundll32.exe
Loads dropped DLL (4 IoCs)
  pid   Process
  2788  rundll32.exe
  2788  rundll32.exe
  2788  rundll32.exe
  2788  rundll32.exe
Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  764   rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 764 wrote to memory of 2788   764   rundll32.exe  31
  PID 764 wrote to memory of 2788   764   rundll32.exe  31
  PID 764 wrote to memory of 2788   764   rundll32.exe  31
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aswavdetection.dll,#1
  PID: 764
  - Deletes itself
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_fa1f471.dll", #1
    PID: 2788
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.8MB
MD5: 22e933c9c5532d13fbcae3d9f2080c35
SHA1: 6311eb48932a5544cbe3c2c2fe2b036231432bd4
SHA256: 52a81e514d1113019f39273179f691379fbb78cd70a370aea22a00397cef5b99
SHA512: 20a4d7d2328332dc017fd4ced63c8efc45ac90d749db06345422749545cd4391682d37a01b9a91b21b5e70f1f8c8006c80b7e35ed696a239f76911ddf50ed5ac