Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    23-02-2023 04:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe

  • Size

    312KB

  • MD5

    eb7d2add3fe15ee8524a07c2c75bedb9

  • SHA1

    d13c52cd6709f416aefe338922c77bae33a85f31

  • SHA256

    4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822

  • SHA512

    484f1172d1c0c240a8b3cb7412f41cafc25a6473256d96da4a2ed7657a7606e1a2ae202b4db43e5db180dc3325c3211b524f2d52389bd52452c5f09e2d194701

  • SSDEEP

    6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQshEPn:6aeqeO0UQB8KFHqAYhEPn

Score
10/10
pseudomanuscryptloader

Malware Config

Signatures

  • Detects PseudoManuscrypt payload 8 IoCs
    loader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • PseudoManuscrypt

    PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    loaderpseudomanuscrypt
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:460
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:840
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k WspService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1916
    • C:\Users\Admin\AppData\Local\Temp\4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe
      "C:\Users\Admin\AppData\Local\Temp\4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe"
      1⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Users\Admin\AppData\Local\Temp\4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe
        "C:\Users\Admin\AppData\Local\Temp\4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe" -h
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1588
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
        2⤵
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:576

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\db.dat
      Filesize

      557KB

      MD5

      30d5f615722d12fdda4f378048221909

      SHA1

      e94e3e3a6fae8b29f0f80128761ad1b69304a7eb

      SHA256

      b7cb464cd0c61026ec38d89c0a041393bc9369e217303677551eec65a09d2628

      SHA512

      a561a224d7228ec531a966c7dbd6bc88138e2f4a1c8112e5950644f69bf3a43b1e87e03bc1b4fd5e9ca071b5a9353b18697573404602ccd51f2946faf95144c2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\db.dll
      Filesize

      52KB

      MD5

      1b20e998d058e813dfc515867d31124f

      SHA1

      c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

      SHA256

      24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

      SHA512

      79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      fc4666cbca561e864e7fdf883a9e6661

      SHA1

      2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

      SHA256

      10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

      SHA512

      c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      304B

      MD5

      7f1a6299db263a6cce78bae711f06989

      SHA1

      0dac16cedecc5dad7c8607a2b4614524eab9ad3f

      SHA256

      7bda298da588a839f10fe0697ae7e02d223237203b4d743ea887fcb93d2fcaaa

      SHA512

      06f85e041c9829f38da0c00c676605708920aab2f5532a84ed3fb983b09450d5d846324843bf55a633765e77eac3a1715ce3dc042f4622c9dc4ad6835e104d9e

      Download Submit

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      f7219891020bd88600e54103a8add379

      SHA1

      0ab22dc6de6c1bcf88741a8b2db91cc5b5f0b35b

      SHA256

      fbba29a5114552fa950a555dedf8249e2da14b10b6d804e9be220f4557ac3d85

      SHA512

      7d8f157dd3260a85a7860a10ebc23df67f10ad46e39d4015f394396c2c5834577ac27aac5d36f563537d34b0c8209960ce5b30b2195bad5adfd50712637f435f

      Download Submit

    • C:\Windows\Temp\Cab8623.tmp
      Filesize

      29KB

      MD5

      d59a6b36c5a94916241a3ead50222b6f

      SHA1

      e274e9486d318c383bc4b9812844ba56f0cff3c6

      SHA256

      a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

      SHA512

      17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

      Download Submit

    • C:\Windows\Temp\Tar883D.tmp
      Filesize

      161KB

      MD5

      73b4b714b42fc9a6aaefd0ae59adb009

      SHA1

      efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

      SHA256

      c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

      SHA512

      73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

      Download Submit

    • \Users\Admin\AppData\Local\Temp\db.dll
      Filesize

      52KB

      MD5

      1b20e998d058e813dfc515867d31124f

      SHA1

      c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

      SHA256

      24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

      SHA512

      79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

      Download Submit

    • \Users\Admin\AppData\Local\Temp\db.dll
      Filesize

      52KB

      MD5

      1b20e998d058e813dfc515867d31124f

      SHA1

      c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

      SHA256

      24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

      SHA512

      79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

      Download Submit

    • \Users\Admin\AppData\Local\Temp\db.dll
      Filesize

      52KB

      MD5

      1b20e998d058e813dfc515867d31124f

      SHA1

      c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

      SHA256

      24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

      SHA512

      79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

      Download Submit

    • \Users\Admin\AppData\Local\Temp\db.dll
      Filesize

      52KB

      MD5

      1b20e998d058e813dfc515867d31124f

      SHA1

      c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

      SHA256

      24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

      SHA512

      79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

      Download Submit

    • memory/576-71-0x0000000000740000-0x000000000079E000-memory.dmp

      Filesize

      376KB

      Download

    • memory/576-70-0x0000000001F70000-0x0000000002071000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/840-73-0x00000000008C0000-0x000000000090D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/840-74-0x00000000012A0000-0x0000000001312000-memory.dmp

      Filesize

      456KB

      Download

    • memory/840-65-0x00000000008C0000-0x000000000090D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/840-82-0x00000000008C0000-0x000000000090D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/840-63-0x00000000012A0000-0x0000000001312000-memory.dmp

      Filesize

      456KB

      Download

    • memory/840-62-0x00000000008C0000-0x000000000090D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1916-75-0x0000000000280000-0x00000000002F2000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1916-90-0x0000000002A10000-0x0000000002B1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1916-91-0x0000000000320000-0x0000000000340000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1916-92-0x0000000000280000-0x00000000002F2000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1916-93-0x0000000001C60000-0x0000000001C7B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1916-89-0x0000000000300000-0x000000000031B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1916-84-0x0000000000280000-0x00000000002F2000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1916-83-0x0000000000280000-0x00000000002F2000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1916-72-0x0000000000280000-0x00000000002F2000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1916-67-0x0000000000280000-0x00000000002F2000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1916-66-0x0000000000060000-0x00000000000AD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1916-249-0x0000000000300000-0x000000000031B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1916-250-0x0000000002A10000-0x0000000002B1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1916-251-0x0000000000320000-0x0000000000340000-memory.dmp

      Filesize

      128KB

      Download