General

  • Target

    b5e1e946ebad560b876703e9675ca326.exe

  • Size

    308KB

  • Sample

    230309-cneg9sab77

  • MD5

    b5e1e946ebad560b876703e9675ca326

  • SHA1

    c0e2e24a911a4d8e9cbc5a483ef8876fbabfa772

  • SHA256

    c33ecac87bf07fc75b6768b76622daac389e05ef718c457e0393238d646bb130

  • SHA512

    8ee9e9af2731eb83af3f17aa19b9a74547429f026882fb6d592d74d97ed958f990f46c5be5371e06360503672e9f8ca00ccf9d64ed59d11475c86a6f35ac1ff5

  • SSDEEP

    6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1gEP3:i814Xn0Ti8tbJyIQdjrfzWEP3

Malware Config

Targets

    • Target

      b5e1e946ebad560b876703e9675ca326.exe

    • Size

      308KB

    • MD5

      b5e1e946ebad560b876703e9675ca326

    • SHA1

      c0e2e24a911a4d8e9cbc5a483ef8876fbabfa772

    • SHA256

      c33ecac87bf07fc75b6768b76622daac389e05ef718c457e0393238d646bb130

    • SHA512

      8ee9e9af2731eb83af3f17aa19b9a74547429f026882fb6d592d74d97ed958f990f46c5be5371e06360503672e9f8ca00ccf9d64ed59d11475c86a6f35ac1ff5

    • SSDEEP

      6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1gEP3:i814Xn0Ti8tbJyIQdjrfzWEP3

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks