Resubmissions

30-03-2023 14:20    230330-rnhl9ada54    8
30-03-2023 13:20    230330-qk2qaacg74    8
24-03-2023 22:33    230324-2gz8tshg59    8

General

  • Target: FACT_MGY1.zip
  • Size: 235KB
  • Sample: 230330-qk2qaacg74
  • MD5: 986a4e73c25dbcd8fdb6ab3a0eabcc69
  • SHA1: 29e0325860532734ce9bf210636f42b1aedce10a
  • SHA256: 254a0dce7cfe5fb0d58821c965fa7e9a9ef9df0c4339a5d3689793c7343b4936
  • SHA512: a2e3d952dfe5e9d70ec8fba2133b45823ec0e470fe36915fd129d0f6e7f633aed90a4630aa43d5863d50a8667b16dc65083c834bb88304874677fa7fc8c39f28
  • SSDEEP: 6144:kk7jmfnAvMwVea9EMxfXzflE9Z121GntHRFFcMfYAxCkufpfi:kk7en8MSEuJm1jl/FcMgMCJg

Malware Config

Targets

    • Target: FACT_MGY1.exe
    • Size: 526KB
    • MD5: f90662a63fcd773144ef809e09930b3f
    • SHA1: 5196017f8f8127398c4fd4a0424a0871f20b4c89
    • SHA256: 011c6518502cc9aec7dca14a808b1afa546233d528bd2ebf6485296e3dbd2541
    • SHA512: 4cc4c3551e61a5228623d69167abe27a511cce6188294b374e71069a3ac7ece0d077801cfce32a936d1583941b71ce3ec64e086d6eea3b9b98c5c18616a10364
    • SSDEEP: 3072:lV/611KEEbL6ETLPWkddkaW9N73oxiZOhAnGVRfN2Zndp9fN+3:IrKxTbfdkpIHVRf4nBfN+3

    Score: 8/10

    • Blocklisted process makes network request
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.

    • Target: ~
    • Size: 256KB
    • MD5: 56354f6191810e362bf2ae7b3f6e82b4
    • SHA1: 98260eb9dbec4ef777939937b4ca797ac336e3ff
    • SHA256: 95c16c2f74bfe9878117d341d4b259c5327f87fc10e8407b27e9a905aff0ac11
    • SHA512: fb40abe4838e4026a4b1c826566454ff181e68bf7f7929777f2ea63e55a8242c65f12dffb274e8c46f5f1bcb7f42661c41e7b2a62ed39050814a45de54ab8b30
    • SSDEEP: 6144:bCfHrZae3GFqRQcMeh4WpywpjchNCPnAeb:bCfLZadcM24fRNXe

    • Downloads MZ/PE file
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Registers COM server for autorun
    • Windows security modification
    • Adds Run key to start application
    • Checks for any installed AV software in registry
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software installed on the system.
    • Writes to the Master Boot Record (MBR)
      Bootkits write to the MBR to gain persistence at a level below the operating system.
    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
    • Registry Run Keys / Startup Folder (T1060): 3
    • Bootkit (T1067): 1

Defense Evasion
    • Install Root Certificate (T1130): 2
    • Modify Registry (T1112): 6
    • Disabling Security Tools (T1089): 1

Credential Access
    • Credentials in Files (T1081): 1

Discovery
    • Query Registry (T1012): 6
    • System Information Discovery (T1082): 5
    • Security Software Discovery (T1063): 1
    • Peripheral Device Discovery (T1120): 1

Collection
    • Data from Local System (T1005): 1

Tasks