General

  • Target

    a69e004ffbde2f0a620c910d21640c112b79b2064daad8c21ed1ec4cbc685bbe

  • Size

    312KB

  • Sample

    230222-j4xgcacc2y

  • MD5

    07073b8c40d569efc1e8c3cde3bcaf8e

  • SHA1

    8dfffe512951714f3846e14a09f426861aff9d74

  • SHA256

    a69e004ffbde2f0a620c910d21640c112b79b2064daad8c21ed1ec4cbc685bbe

  • SHA512

    27ff558bad3885a501324a365bb8b712765f537ac81cac7b179219f829ab18ff45f549282f862994f1d368a2d540db9a694ead9be50cf662406bde3cd2f546b7

  • SSDEEP

    6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQsJEPn:6aeqeO0UQB8KFHqAYJEPn

Malware Config

Targets

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware family that shares code with Lazarus's Manuscrypt; it has been used against government organizations and industrial control systems (ICS).

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Traffic on the DNS port (53) was sent to servers other than the resolvers configured on the sandbox machine.

    • Looks up external IP address via web service

      Uses a legitimate public IP lookup service to discover the infected system's external IP address.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
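
    The two network signatures above (unexpected DNS destination, external IP lookup via a web service) can be reproduced over a sandbox's network log with a few lines of logic. The following is an added example, not code from the sandbox or from the sample; the flow records, the configured resolver addresses and the list of IP lookup hostnames are all constructed assumptions for illustration.

```python
"""Re-implementation of two sandbox network signatures over constructed records.

Added example, not part of the original report. The record format (dicts with
pid/proto/dst_ip/dst_port, and pid/host/path for HTTP) is an assumption.
"""
from ipaddress import ip_address

# Assumed list of well-known external-IP lookup services; the sandbox's own
# list is not published on the report page.
IP_LOOKUP_HOSTS = {
    "api.ipify.org",
    "ipinfo.io",
    "icanhazip.com",
    "checkip.amazonaws.com",
    "ifconfig.me",
}

# Constructed sample data (not captured from the sample described above).
CONFIGURED_DNS = ["10.0.0.2"]          # resolver handed out to the sandbox VM
SAMPLE_FLOWS = [
    {"pid": 1234, "proto": "udp", "dst_ip": "10.0.0.2", "dst_port": 53},       # expected resolver
    {"pid": 1234, "proto": "udp", "dst_ip": "8.8.8.8", "dst_port": 53},        # unexpected resolver
    {"pid": 1234, "proto": "tcp", "dst_ip": "93.184.216.34", "dst_port": 443}, # not DNS at all
    {"pid": 5678, "proto": "udp", "dst_ip": "208.67.222.222", "dst_port": 53}, # unexpected resolver
]
SAMPLE_HTTP = [
    {"pid": 1234, "host": "api.ipify.org", "path": "/"},
    {"pid": 1234, "host": "example.com", "path": "/index.html"},
]


def find_unexpected_dns(flows, configured_dns):
    """Return (pid, dst_ip) for every flow to port 53 whose destination
    is not one of the configured resolvers."""
    allowed = {ip_address(ip) for ip in configured_dns}
    return [
        (f["pid"], f["dst_ip"])
        for f in flows
        if f["dst_port"] == 53 and ip_address(f["dst_ip"]) not in allowed
    ]


def find_ip_lookups(http_requests):
    """Return (pid, host) for HTTP requests to a known external-IP lookup service."""
    return [
        (r["pid"], r["host"].lower())
        for r in http_requests
        if r["host"].lower() in IP_LOOKUP_HOSTS
    ]


def fired_signatures(flows, http_requests, configured_dns):
    """Map the raw hits onto the signature names used in the report above."""
    sigs = []
    if find_unexpected_dns(flows, configured_dns):
        sigs.append("Unexpected DNS network traffic destination")
    if find_ip_lookups(http_requests):
        sigs.append("Looks up external IP address via web service")
    return sigs


if __name__ == "__main__":
    for sig in fired_signatures(SAMPLE_FLOWS, SAMPLE_HTTP, CONFIGURED_DNS):
        print(sig)
```

    Both behaviours are individually low-confidence: software that uses a hard-coded public resolver or a DNS-over-HTTPS client also trips the first check, and many legitimate updaters call an IP lookup service. They are useful as corroborating indicators next to the injection-related signatures (SetThreadContext, unexpected child process, dropped DLL), not on their own.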

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    System Information Discovery (T1082): 2 matches

    Query Registry (T1012): 1 match

Tasks