General

  • Target

    ae6df34a140bf74860ca3165d50d8705.exe

  • Size

    308KB

  • Sample

    230309-e4tcgaae93

  • MD5

    ae6df34a140bf74860ca3165d50d8705

  • SHA1

    ca21f7b3086341f2927f07d7005cce7cf4585c6b

  • SHA256

    1d636ae88bab15613db7d92a33c0bd9d107270d68991faa01c6de1fa06364d92

  • SHA512

    28080dc00054e209739bdbfb64704dae6bd5c82376606ae1fd61c4e0bfc502019e687ceb26b11a066b27f6b9c14dbce382ae3d1097954bc604a40c8ecd2117d6

  • SSDEEP

    6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1AEP3:i814Xn0Ti8tbJyIQdjrfzmEP3

Malware Config

Targets

    • Target

      ae6df34a140bf74860ca3165d50d8705.exe

    • Size

      308KB

    • MD5

      ae6df34a140bf74860ca3165d50d8705

    • SHA1

      ca21f7b3086341f2927f07d7005cce7cf4585c6b

    • SHA256

      1d636ae88bab15613db7d92a33c0bd9d107270d68991faa01c6de1fa06364d92

    • SHA512

      28080dc00054e209739bdbfb64704dae6bd5c82376606ae1fd61c4e0bfc502019e687ceb26b11a066b27f6b9c14dbce382ae3d1097954bc604a40c8ecd2117d6

    • SSDEEP

      6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1AEP3:i814Xn0Ti8tbJyIQdjrfzmEP3

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks