General
-
Target
d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
-
Size
1.8MB
-
Sample
240514-r4y9yabf44
-
MD5
437a180db44c659505d08da56b1c5344
-
SHA1
63dcc88fc8ca4dc2c25028695b72fc48f9978df2
-
SHA256
d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644
-
SHA512
fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a
-
SSDEEP
24576:cr3h9VUoVO3iealWdJarwRH7Vq5nTwJfrOTSxiRuxC7HtTlu6uFGBrkSVYNntYrl:cZbnV4koqTCxytBurGBwSVYNWZc7G8p
Behavioral task
behavioral1
Sample
d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Resource
win10v2004-20240226-en
Malware Config
Targets
-
-
Target
d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
-
Size
1.8MB
-
MD5
437a180db44c659505d08da56b1c5344
-
SHA1
63dcc88fc8ca4dc2c25028695b72fc48f9978df2
-
SHA256
d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644
-
SHA512
fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a
-
SSDEEP
24576:cr3h9VUoVO3iealWdJarwRH7Vq5nTwJfrOTSxiRuxC7HtTlu6uFGBrkSVYNntYrl:cZbnV4koqTCxytBurGBwSVYNWZc7G8p
Score10/10-
Detect ZGRat V1
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1