pseudomanuscrypt | d75bdc11107b27e7602f31a93896dbc589dbd313cbb5e76a00d695208218e92a | Triage

Submit
Reports

Overview

overview

Static

static

1

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

308KB
Sample

230307-rg86maac68
MD5

75de993ffc429a40b338f5ab5f42f51d
SHA1

d6ccae60897a050b2aa9ecbdf553bc8da116be7e
SHA256

d75bdc11107b27e7602f31a93896dbc589dbd313cbb5e76a00d695208218e92a
SHA512

5c249827b118c7a26776110405f4c83540c1fe01d394860320d9a1e2010248cb9cd4958dc9246589d845d61ed47b523cc931e32a269e47c5ba734601963bf7ec
SSDEEP

6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1iEP3:i814Xn0Ti8tbJyIQdjrfzMEP3

Score

10^/10

pseudomanuscrypt loader

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20230220-en

pseudomanuscrypt loader

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20230220-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Targets

- Target
  
  file.exe
- Size
  
  308KB
- MD5
  
  75de993ffc429a40b338f5ab5f42f51d
- SHA1
  
  d6ccae60897a050b2aa9ecbdf553bc8da116be7e
- SHA256
  
  d75bdc11107b27e7602f31a93896dbc589dbd313cbb5e76a00d695208218e92a
- SHA512
  
  5c249827b118c7a26776110405f4c83540c1fe01d394860320d9a1e2010248cb9cd4958dc9246589d845d61ed47b523cc931e32a269e47c5ba734601963bf7ec
- SSDEEP
  
  6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1iEP3:i814Xn0Ti8tbJyIQdjrfzMEP3
Score

10^/10

pseudomanuscrypt loader
- Detects PseudoManuscrypt payload
  loader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- PseudoManuscrypt
  PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
  loader pseudomanuscrypt
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

pseudomanuscryptloader

behavioral2

© 2018-2024

Terms | Privacy