Overview

overview

10

Static

static

1

4ca6df7500...22.exe

windows7-x64

10

4ca6df7500...22.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    eb7d2add3fe15ee8524a07c2c75bedb9.bin

  • Size

    156KB

  • Sample

    230224-ckw8xabh2v

  • MD5

    7ee4a60edc8f2bfa71d4de51df3b5988

  • SHA1

    126c5d81061ad944ea2ab1749db1ec7bc2966ee4

  • SHA256

    8b4a7e1f12426b5c7a58b38fbc4d27ff13037e2e03aed72144f8763c246ec5c8

  • SHA512

    f4a0be230ffc33947c515f9b7e06c22eb4823dea7694b73ca83864685a19b7b97582e8063511cebacd9fece554646d29c63b40fb8a5f797570a0a0770bf7caa8

  • SSDEEP

    3072:I3dvqLn9urfsnv9qrodL/JQEAuAaLSy2rkCUUDx3NyBhp13PsWA8jC1j:IBqDIrfsvgwLxZLT2y4IPhbEX1j

Score
10/10
pseudomanuscryptloader

Malware Config

Targets

    • Target

      4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822.exe

    • Size

      312KB

    • MD5

      eb7d2add3fe15ee8524a07c2c75bedb9

    • SHA1

      d13c52cd6709f416aefe338922c77bae33a85f31

    • SHA256

      4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822

    • SHA512

      484f1172d1c0c240a8b3cb7412f41cafc25a6473256d96da4a2ed7657a7606e1a2ae202b4db43e5db180dc3325c3211b524f2d52389bd52452c5f09e2d194701

    • SSDEEP

      6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQshEPn:6aeqeO0UQB8KFHqAYhEPn

    Score
    10/10
    pseudomanuscryptloader

    • Detects PseudoManuscrypt payload

      loader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

      loaderpseudomanuscrypt

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks