General
-
Target
sample
-
Size
18KB
-
Sample
240423-zhwkxsbg42
-
MD5
99f0b83d632890fba4b98eaefbf5b3b6
-
SHA1
e901c8e60c64bc37c41e18331b6feba9f27f953e
-
SHA256
e6ed52f8af20e62a45ad5ef04c62adc3126952f0f9ee422663e50c1e6cd56af3
-
SHA512
f61affae346dbb0867c8935f521c2d9d2e07a67edeffa24f00a36fb0fca4419d14ff735f2f5c5c137e01d5d93f3f74e654d4865061b31171e6eba87fe2a350bf
-
SSDEEP
384:rkyEYDpmReVoOs4Mi9ylKeGMQU8HhhbQYe7/QZS2LjFrScLI+YVJCBXQL:rkaBVoOs4MmyI1M6Bhbpw/QhFrScLaJf
Static task
static1
Malware Config
Targets
-
-
Target
sample
-
Size
18KB
-
MD5
99f0b83d632890fba4b98eaefbf5b3b6
-
SHA1
e901c8e60c64bc37c41e18331b6feba9f27f953e
-
SHA256
e6ed52f8af20e62a45ad5ef04c62adc3126952f0f9ee422663e50c1e6cd56af3
-
SHA512
f61affae346dbb0867c8935f521c2d9d2e07a67edeffa24f00a36fb0fca4419d14ff735f2f5c5c137e01d5d93f3f74e654d4865061b31171e6eba87fe2a350bf
-
SSDEEP
384:rkyEYDpmReVoOs4Mi9ylKeGMQU8HhhbQYe7/QZS2LjFrScLI+YVJCBXQL:rkaBVoOs4MmyI1M6Bhbpw/QhFrScLaJf
-
Detect ZGRat V1
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
-
Modifies Installed Components in the registry
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Registers COM server for autorun
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies boot configuration data using bcdedit
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Modifies termsrv.dll
Commonly used to allow simultaneous RDP sessions.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Event Triggered Execution
1Change Default File Association
1Browser Extensions
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Event Triggered Execution
1Change Default File Association
1