General

  • Target

    file.exe

  • Size

    312KB

  • Sample

    230222-t3n4paed7v

  • MD5

    a64c4c4083e817d1b75536c30dd0ce5e

  • SHA1

    a4667b3ae9b83bc12f9d53543c41783b343afac3

  • SHA256

    b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab

  • SHA512

    fa39341ae0d245459174707c4dfd5fa4830e26eb7b58a1c81395977a27536ef1813bc42c2536556901a8a9cb238bd88b081df602f4d2a5242c95320d55d80d8f

  • SSDEEP

    6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQs8EPn:6aeqeO0UQB8KFHqAY8EPn

Malware Config

Targets

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is malware related to Lazarus's Manuscrypt, targeting government organizations and ICS.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • T1012 Query Registry (2)

  • T1082 System Information Discovery (3)

Tasks