General

  • Target

    tmp

  • Size

    328KB

  • Sample

    230316-l9b4psad23

  • MD5

    0b39012e51e6d52ddc49dd9676ba9920

  • SHA1

    7e329120d82c58a5f2ccae98eb78d749f1095ff4

  • SHA256

    6aea187ca91ea68222b4e650e2b4baa46ba11252f74763a2d2edec2924a98f10

  • SHA512

    8d13528c02f727d6c15257050657f702622fdbc7836f0b01eda8f48edbe2aa2bb4f8dceb3652f9adead9774f3387a6bba20f95b988dd9fee642ddba5bd457a0c

  • SSDEEP

    6144:evSBanJK/5kPas8N0HEAAf1vbViarAWbd33uEPT:evjas8uHEAAtvBpkLEPT

Malware Config

Targets

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is malware based on Lazarus's Manuscrypt, targeting government organizations and ICS.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 3

Tasks