General

  • Target

    6bbbf2b1e89ed9d3b1bba44fc9acec53.exe

  • Size

    308KB

  • Sample

    230309-ceefxaab52

  • MD5

    6bbbf2b1e89ed9d3b1bba44fc9acec53

  • SHA1

    bb6b962ba30a55a9cbb87030bdd282223e42a48d

  • SHA256

    ad716b9b395d65dca7a31117215c2adedf392162eab7beee500f8061db4785c0

  • SHA512

    a7651ba72b4b45f3f4a7901412d1d3b41f8847fd59b15b9a61092cb9a2c4bc38aa1a2d274b549e49608e70b4ff1f4ab120a814e1fd5cffe7dd8d1a644aa737a0

  • SSDEEP

    6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1sEP3:i814Xn0Ti8tbJyIQdjrfzCEP3

Malware Config

Targets

    • Target

      6bbbf2b1e89ed9d3b1bba44fc9acec53.exe

    • Size

      308KB

    • MD5

      6bbbf2b1e89ed9d3b1bba44fc9acec53

    • SHA1

      bb6b962ba30a55a9cbb87030bdd282223e42a48d

    • SHA256

      ad716b9b395d65dca7a31117215c2adedf392162eab7beee500f8061db4785c0

    • SHA512

      a7651ba72b4b45f3f4a7901412d1d3b41f8847fd59b15b9a61092cb9a2c4bc38aa1a2d274b549e49608e70b4ff1f4ab120a814e1fd5cffe7dd8d1a644aa737a0

    • SSDEEP

      6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1sEP3:i814Xn0Ti8tbJyIQdjrfzCEP3

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks