General

  • Target

    dc719929115e50ed4383bcc7f7182be3.exe

  • Size

    312KB

  • Sample

    230222-m33hracg4x

  • MD5

    dc719929115e50ed4383bcc7f7182be3

  • SHA1

    562e69bdf814c156872fd6ad6a3d0116b0304516

  • SHA256

    5b0708551a5c3cf9932c8aea5e890e3f2abe7b7b5911cefebc6155d20692e365

  • SHA512

    34b1dda47ff7a20052f582f4874dc35f4e768558baf8727419d5f91ec2f8c6e28d2a6bc0253975e6bac5d45edfa1edd09aabc5339d2caade73418b73096b9404

  • SSDEEP

    6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQspEPn:6aeqeO0UQB8KFHqAYpEPn

Malware Config

Targets

    • Target

      dc719929115e50ed4383bcc7f7182be3.exe

    • Size

      312KB

    • MD5

      dc719929115e50ed4383bcc7f7182be3

    • SHA1

      562e69bdf814c156872fd6ad6a3d0116b0304516

    • SHA256

      5b0708551a5c3cf9932c8aea5e890e3f2abe7b7b5911cefebc6155d20692e365

    • SHA512

      34b1dda47ff7a20052f582f4874dc35f4e768558baf8727419d5f91ec2f8c6e28d2a6bc0253975e6bac5d45edfa1edd09aabc5339d2caade73418b73096b9404

    • SSDEEP

      6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQspEPn:6aeqeO0UQB8KFHqAYpEPn

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks