General

  • Target

    1af3b850a3f5413a98994c570aadebd894378dc728deaf1144a6e5f5b17823ae

  • Size

    312KB

  • Sample

    230222-jzmfkscb7y

  • MD5

    6c1df3b53f468f844558955948efd519

  • SHA1

    0b2368cf53281fd0c11115ce01f02b062ec42a16

  • SHA256

    1af3b850a3f5413a98994c570aadebd894378dc728deaf1144a6e5f5b17823ae

  • SHA512

    a8d003a9beeec13fa9326babbce56adc243ad4312283ca3a5491d945908ab285d3b50f2ce8e2d03c79bc4db7e9aa786eb1192769ef3443a615d858ce532f892b

  • SSDEEP

    6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQsrEPn:6aeqeO0UQB8KFHqAYrEPn

Malware Config

Targets

    • Target

      1af3b850a3f5413a98994c570aadebd894378dc728deaf1144a6e5f5b17823ae

    • Size

      312KB

    • MD5

      6c1df3b53f468f844558955948efd519

    • SHA1

      0b2368cf53281fd0c11115ce01f02b062ec42a16

    • SHA256

      1af3b850a3f5413a98994c570aadebd894378dc728deaf1144a6e5f5b17823ae

    • SHA512

      a8d003a9beeec13fa9326babbce56adc243ad4312283ca3a5491d945908ab285d3b50f2ce8e2d03c79bc4db7e9aa786eb1192769ef3443a615d858ce532f892b

    • SSDEEP

      6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQsrEPn:6aeqeO0UQB8KFHqAYrEPn

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks