pseudomanuscrypt | acfaacc207ef938fa1e2d19e108c109fbceeee5ad3b715bf9a24c96dfd9e9e92 | Triage

Submit
Reports

Overview

overview

Static

static

1

1d636ae88b...92.exe

windows7-x64

1d636ae88b...92.exe

windows10-2004-x64

Sharing

General

Target

1d636ae88bab15613db7d92a33c0bd9d107270d68991faa01c6de1fa06364d92.zip
Size

154KB
Sample

230321-r1j1vabc56
MD5

6b7ad4c999562df54422b5e7ef7a88f7
SHA1

f0c6530d29b878c0004e5ee261e3fefaddf4d471
SHA256

acfaacc207ef938fa1e2d19e108c109fbceeee5ad3b715bf9a24c96dfd9e9e92
SHA512

508f4afa7fb0f273efcc8550f9f9f7bb88dfe6f380bd226a3758de737b94c26ef5a6e8ffc3fc76002c9b6e8b4cb83eb08a8c57cfa9f18462928e17674aa11deb
SSDEEP

3072:qbeMcHiBbeHIhwh9mP7uk9s0oBcvnDcf/CLj9MkDDZ7:y5VbSXmjtOmjr

Score

10^/10

pseudomanuscrypt loader

Static task

static1

Behavioral task

behavioral1

Sample

1d636ae88bab15613db7d92a33c0bd9d107270d68991faa01c6de1fa06364d92.exe

Resource

win7-20230220-en

pseudomanuscrypt loader

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

1d636ae88bab15613db7d92a33c0bd9d107270d68991faa01c6de1fa06364d92.exe

Resource

win10v2004-20230220-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Targets

- Target
  
  1d636ae88bab15613db7d92a33c0bd9d107270d68991faa01c6de1fa06364d92.exe
- Size
  
  308KB
- MD5
  
  ae6df34a140bf74860ca3165d50d8705
- SHA1
  
  ca21f7b3086341f2927f07d7005cce7cf4585c6b
- SHA256
  
  1d636ae88bab15613db7d92a33c0bd9d107270d68991faa01c6de1fa06364d92
- SHA512
  
  28080dc00054e209739bdbfb64704dae6bd5c82376606ae1fd61c4e0bfc502019e687ceb26b11a066b27f6b9c14dbce382ae3d1097954bc604a40c8ecd2117d6
- SSDEEP
  
  6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1AEP3:i814Xn0Ti8tbJyIQdjrfzmEP3
Score

10^/10

pseudomanuscrypt loader
- Detects PseudoManuscrypt payload
  loader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- PseudoManuscrypt
  PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
  loader pseudomanuscrypt
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

pseudomanuscryptloader

behavioral2

© 2018-2024

Terms | Privacy