pseudomanuscrypt | ad716b9b395d65dca7a31117215c2adedf392162eab7beee500f8061db4785c0 | Triage

Submit
Reports

Overview

overview

Static

static

1

6bbbf2b1e8...53.exe

windows7-x64

6bbbf2b1e8...53.exe

windows10-2004-x64

Sharing

General

Target

6bbbf2b1e89ed9d3b1bba44fc9acec53.exe
Size

308KB
Sample

230309-ceefxaab52
MD5

6bbbf2b1e89ed9d3b1bba44fc9acec53
SHA1

bb6b962ba30a55a9cbb87030bdd282223e42a48d
SHA256

ad716b9b395d65dca7a31117215c2adedf392162eab7beee500f8061db4785c0
SHA512

a7651ba72b4b45f3f4a7901412d1d3b41f8847fd59b15b9a61092cb9a2c4bc38aa1a2d274b549e49608e70b4ff1f4ab120a814e1fd5cffe7dd8d1a644aa737a0
SSDEEP

6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1sEP3:i814Xn0Ti8tbJyIQdjrfzCEP3

Score

10^/10

pseudomanuscrypt loader

Static task

static1

Behavioral task

behavioral1

Sample

6bbbf2b1e89ed9d3b1bba44fc9acec53.exe

Resource

win7-20230220-en

pseudomanuscrypt loader

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

6bbbf2b1e89ed9d3b1bba44fc9acec53.exe

Resource

win10v2004-20230220-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Targets

- Target
  
  6bbbf2b1e89ed9d3b1bba44fc9acec53.exe
- Size
  
  308KB
- MD5
  
  6bbbf2b1e89ed9d3b1bba44fc9acec53
- SHA1
  
  bb6b962ba30a55a9cbb87030bdd282223e42a48d
- SHA256
  
  ad716b9b395d65dca7a31117215c2adedf392162eab7beee500f8061db4785c0
- SHA512
  
  a7651ba72b4b45f3f4a7901412d1d3b41f8847fd59b15b9a61092cb9a2c4bc38aa1a2d274b549e49608e70b4ff1f4ab120a814e1fd5cffe7dd8d1a644aa737a0
- SSDEEP
  
  6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1sEP3:i814Xn0Ti8tbJyIQdjrfzCEP3
Score

10^/10

pseudomanuscrypt loader
- Detects PseudoManuscrypt payload
  loader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- PseudoManuscrypt
  PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
  loader pseudomanuscrypt
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

pseudomanuscryptloader

behavioral2

© 2018-2024

Terms | Privacy