General

  • Target

    file.exe

  • Size

    312KB

  • Sample

    230223-qy4f2ahg9x

  • MD5

    b7f3bbe2d4281867faafbf082b126334

  • SHA1

    ffc748cf49fbc9fcd8fb9ba42ffd11839bcb9e4a

  • SHA256

    0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584

  • SHA512

    3aa22851b4ded467b8bf8c830afa16fe9b55f5655d429b67d42ec50fab3e88898489670329cb36c5b859dd3767809fdf976a152900832ba3bd67ed50aeb966a3

  • SSDEEP

    6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQsfEPn:6aeqeO0UQB8KFHqAYfEPn

Malware Config

Targets

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised via an exploit or a macro.

    • PseudoManuscrypt

      PseudoManuscrypt is malware based on Lazarus's Manuscrypt, targeting government organizations and ICS.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 3

Tasks