General

  • Target

    8c4b7faad766aea25bebe85e8f15f705.exe

  • Size

    312KB

  • Sample

    230222-m33hracg4w

  • MD5

    8c4b7faad766aea25bebe85e8f15f705

  • SHA1

    7e3588daf272343e6404195355dca4fb45b21bca

  • SHA256

    9a8d4f6c8f24d96d32ef8974ba8c96cc02d4fca7d46c3d1edf7e70d6027805f5

  • SHA512

    c0b3a92cbbae4c696039eb8dd543c8fd705ddfcbc9885070eac7ae31f3948cad1be3553fd1a8b222b50810d7dc4ca785ae636b6a979f5ab3395b34290b03abfc

  • SSDEEP

    6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQswEPn:6aeqeO0UQB8KFHqAYwEPn

Malware Config

Targets

    • Target

      8c4b7faad766aea25bebe85e8f15f705.exe

    • Size

      312KB

    • MD5

      8c4b7faad766aea25bebe85e8f15f705

    • SHA1

      7e3588daf272343e6404195355dca4fb45b21bca

    • SHA256

      9a8d4f6c8f24d96d32ef8974ba8c96cc02d4fca7d46c3d1edf7e70d6027805f5

    • SHA512

      c0b3a92cbbae4c696039eb8dd543c8fd705ddfcbc9885070eac7ae31f3948cad1be3553fd1a8b222b50810d7dc4ca785ae636b6a979f5ab3395b34290b03abfc

    • SSDEEP

      6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQswEPn:6aeqeO0UQB8KFHqAYwEPn

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks