General

  • Target

    FACT_RY65855PAT0.zip

  • Size

    1.6MB

  • Sample

    230331-y5dsysdb53

  • MD5

    a4521647084440145b327fc74a5b7922

  • SHA1

    ac66a8615c9dba87b048c3853487a6cc92eac067

  • SHA256

    c3b6ff8f7c6b617152a1c42612d4de0dc179ea007bd83ef9ecf28b623798d734

  • SHA512

    d3241d10501441d4e4f11a270e59882a971ff589e53b0f52617a197be32530c902f91ea813608875ccc8691f981e2337c0131413cc8dec34265403819e54be7a

  • SSDEEP

    49152:S/cvzKc9OLA1kFhayM4H9cAFi1u1aKAI3mQDV:SULP9H1kyylHziI17A8mQB

Score
8/10

Malware Config

Targets

    • Target

      FACT_RY65855PAT0.zip

    • Size

      1.6MB

    • MD5

      a4521647084440145b327fc74a5b7922

    • SHA1

      ac66a8615c9dba87b048c3853487a6cc92eac067

    • SHA256

      c3b6ff8f7c6b617152a1c42612d4de0dc179ea007bd83ef9ecf28b623798d734

    • SHA512

      d3241d10501441d4e4f11a270e59882a971ff589e53b0f52617a197be32530c902f91ea813608875ccc8691f981e2337c0131413cc8dec34265403819e54be7a

    • SSDEEP

      49152:S/cvzKc9OLA1kFhayM4H9cAFi1u1aKAI3mQDV:SULP9H1kyylHziI17A8mQB

    Score
    1/10
    • Target

      FACT_RY65855PAT0.exe

    • Size

      1.8MB

    • MD5

      3d6b870b71fe64e9fab41314f4ff75cf

    • SHA1

      45e91fc8eb9cace7143d06a39166108b5531607a

    • SHA256

      1eeb7c8ef775f5bf2f0e19d3fccc2df475aadb65a039fbdc0593ed48d6ed24ae

    • SHA512

      d093533ca4ca8e82029ef47c4135e15c99494e25d9db3ce49d06fb89cce44ee934288e98b15561b95911522a3f1b5e49f23a853b68389e53caebd7c88194c5d9

    • SSDEEP

      49152:eGj78kv0nmHkhPk0+mzTcg/S1OJqqA0ieped:ZXrv/Hky0RzPSMJ9AQod

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Reads the country code configured in the registry (the Windows GeoID stored under HKCU\Control Panel\International\Geo), most likely to geofence execution to or away from particular countries.

    • Target

      ~

    • Size

      256KB

    • MD5

      56354f6191810e362bf2ae7b3f6e82b4

    • SHA1

      98260eb9dbec4ef777939937b4ca797ac336e3ff

    • SHA256

      95c16c2f74bfe9878117d341d4b259c5327f87fc10e8407b27e9a905aff0ac11

    • SHA512

      fb40abe4838e4026a4b1c826566454ff181e68bf7f7929777f2ea63e55a8242c65f12dffb274e8c46f5f1bcb7f42661c41e7b2a62ed39050814a45de54ab8b30

    • SSDEEP

      6144:bCfHrZae3GFqRQcMeh4WpywpjchNCPnAeb:bCfLZadcM24fRNXe

    Score
    8/10
    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks for any installed AV software in registry

    • Writes to the Master Boot Record (MBR)

      Bootkits overwrite the MBR's bootstrap code so their own code runs before the operating system loads, giving persistence below the OS and out of reach of OS-level security tools.
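The registry and raw-disk behaviours listed for the dropped files are what a sandbox signature keys on. As an added example (not the sandbox's signature engine and not code from the sample), the following Python matcher applies three of them, the location lookup, the AV-software registry check and the MBR write, to a short API trace. The trace lines and their `pid|api|key=value;...` format are constructed for the example; the real trace format, the sample's actual registry paths and the list of vendor keys are assumptions. The GeoID it decodes is the value of HKCU\Control Panel\International\Geo\Nation, where Windows keeps the configured country.

```python
"""Behavioural-signature matcher over a sandbox API trace (added example).

Not the sandbox's signature engine and not code from the sample. The trace format
("pid|api|key=value;key=value") and the sample lines below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# HKCU\Control Panel\International\Geo\Nation holds the Windows GeoID (a decimal
# country code); reading it is the usual way a sample geofences itself.
GEO_KEY = r"control panel\international\geo"

# Registry paths whose presence reveals installed security products (assumed list).
AV_HINTS = (
    r"software\microsoft\windows defender",
    r"software\microsoft\security center",
    r"software\kasperskylab",
    r"software\avast software",
    r"software\eset",
)

# A few GeoIDs from Microsoft's "Geographical Locations" table.
GEOID_NAMES = {244: "United States", 203: "Russia", 241: "Ukraine",
               29: "Belarus", 137: "Kazakhstan"}


@dataclass
class Findings:
    location_check: bool = False
    geoid_seen: Optional[int] = None
    av_keys_probed: Set[str] = field(default_factory=set)
    mbr_write: bool = False


def parse_args(raw: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict; values may themselves contain '='."""
    out = {}
    for part in raw.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def scan(trace_lines: List[str]) -> Findings:
    f = Findings()
    disk_handles: Dict[str, int] = {}   # raw-disk handle -> current file offset
    for line in trace_lines:
        line = line.strip()
        if not line:
            continue
        _pid, api, raw = line.split("|", 2)
        a = parse_args(raw)
        if api.startswith(("RegOpenKeyEx", "RegQueryValueEx")):
            key = (a.get("key") or a.get("subkey") or "").lower()
            if GEO_KEY in key:
                f.location_check = True
                if a.get("value", "").lower() == "nation" and a.get("data", "").isdigit():
                    f.geoid_seen = int(a["data"])
            # A probe counts even when the open fails (result != 0): learning that
            # a vendor key is absent is exactly what the sample is after.
            f.av_keys_probed.update(h for h in AV_HINTS if h in key)
        elif api == "CreateFileW":
            if a.get("path", "").lower().startswith(r"\\.\physicaldrive"):
                disk_handles[a.get("handle", "")] = 0
        elif api == "SetFilePointerEx":
            h = a.get("handle", "")
            if h in disk_handles and a.get("method") == "FILE_BEGIN":
                disk_handles[h] = int(a.get("offset", "0"))
        elif api == "WriteFile":
            h = a.get("handle", "")
            # Any write that starts inside LBA 0 of the physical disk hits the MBR.
            if h in disk_handles and disk_handles[h] < 512:
                f.mbr_write = True
    return f


def signatures(f: Findings) -> List[str]:
    """Render findings in the wording the report uses."""
    hits = []
    if f.location_check:
        country = GEOID_NAMES.get(f.geoid_seen, "unknown")
        hits.append(f"Checks computer location settings (GeoID {f.geoid_seen}: {country})")
    if f.av_keys_probed:
        hits.append("Checks for any installed AV software in registry")
    if f.mbr_write:
        hits.append("Writes to the Master Boot Record (MBR)")
    return hits


# Constructed trace, not from the real analysis.
SAMPLE_TRACE = r"""
1234|RegOpenKeyExW|hkey=HKEY_CURRENT_USER;subkey=Control Panel\International\Geo;result=0x0
1234|RegQueryValueExW|key=HKEY_CURRENT_USER\Control Panel\International\Geo;value=Nation;data=244;result=0x0
1234|RegOpenKeyExW|hkey=HKEY_LOCAL_MACHINE;subkey=SOFTWARE\Microsoft\Windows Defender;result=0x0
1234|RegOpenKeyExW|hkey=HKEY_LOCAL_MACHINE;subkey=SOFTWARE\KasperskyLab;result=0x2
1234|CreateFileW|path=\\.\PhysicalDrive0;access=GENERIC_WRITE;handle=0x1a4;result=0x0
1234|SetFilePointerEx|handle=0x1a4;offset=0;method=FILE_BEGIN;result=0x1
1234|WriteFile|handle=0x1a4;length=512;result=0x1
""".strip().splitlines()

if __name__ == "__main__":
    for hit in signatures(scan(SAMPLE_TRACE)):
        print(hit)
```

The MBR rule deliberately tracks the file offset per handle: a sample that opens \\.\PhysicalDrive0 and writes somewhere in the middle of the disk is not a bootkit indicator, only a write landing in the first sector is.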

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                       ID      Count
  Persistence       Bootkit                         T1067   1
  Defense Evasion   Install Root Certificate        T1130   2
  Defense Evasion   Modify Registry                 T1112   2
  Discovery         Query Registry                  T1012   2
  Discovery         System Information Discovery    T1082   3
  Discovery         Security Software Discovery     T1063   1

These are ATT&CK v6 identifiers. In current ATT&CK, T1067 is Pre-OS Boot: Bootkit (T1542.003), T1130 is Subvert Trust Controls: Install Root Certificate (T1553.004) and T1063 is Software Discovery: Security Software Discovery (T1518.001); T1012, T1082 and T1112 keep their IDs.