pseudomanuscrypt | 412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772 | Triage

Submit
Reports

Overview

overview

Static

static

1

412bb38f79...72.exe

windows7-x64

412bb38f79...72.exe

windows10-2004-x64

Sharing

General

Target

412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772
Size

72KB
Sample

230306-dhpaysad58
MD5

834a79ee7a59547a89ef4f849829b05b
SHA1

28db68cffea38ed08db8fc3ed687a45494c38dcb
SHA256

412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772
SHA512

3adebe76c029607c1630595714b959d0e335b12c5d6d6e444788803bdd9e879aa3ff5b6b5f9370f06e74c50a5a832efb7f7ce24f6fdb51147269ab4a45261774
SSDEEP

1536:3vAkGoo+bH/J027ZKxyafwhHCC/mq1ktG:3vuWbaRgaYtX1ktG

Score

10^/10

pseudomanuscrypt loader

Static task

static1

Behavioral task

behavioral1

Sample

412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe

Resource

win7-20230220-en

pseudomanuscrypt loader

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772.exe

Resource

win10v2004-20230221-en

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Targets

- Target
  
  412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772
- Size
  
  72KB
- MD5
  
  834a79ee7a59547a89ef4f849829b05b
- SHA1
  
  28db68cffea38ed08db8fc3ed687a45494c38dcb
- SHA256
  
  412bb38f795aba08e44a81136b0f12c9a6be6b60db348e230c8bfa2b84eb9772
- SHA512
  
  3adebe76c029607c1630595714b959d0e335b12c5d6d6e444788803bdd9e879aa3ff5b6b5f9370f06e74c50a5a832efb7f7ce24f6fdb51147269ab4a45261774
- SSDEEP
  
  1536:3vAkGoo+bH/J027ZKxyafwhHCC/mq1ktG:3vuWbaRgaYtX1ktG
Score

10^/10

pseudomanuscrypt loader
- Detects PseudoManuscrypt payload
  loader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- PseudoManuscrypt
  PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
  loader pseudomanuscrypt
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

pseudomanuscryptloader

behavioral2

© 2018-2024

Terms | Privacy