General
- Target: Zyron.exe
- Size: 20.1MB
- Sample: 240531-vtcvqsfg83
- MD5: c93e65b8b3bdf4651aa5f33fbaf6487d
- SHA1: fa44cc02066d7e384224ce22ea2c7e37604e6d17
- SHA256: a8474496d6a2d25d7e3c34cb41e22417b59ca58f7c94b514492a85bbcb969f30
- SHA512: 2ab77d13631d77774bafbc9ad70854fd1c31c3ade62e11ec872b6dd05baa9996c5408ddbe822a714f25ba893bc34839d23cc6cb41394d02bfa38f422c06076cd
- SSDEEP: 196608:Jri7DEziLjv+bhqNVoB8Ck5c7GpNlpq41J29bk9qtlDfqWf:YTL+9qz88Ck+7q3p91JBqfqWf
Behavioral task: behavioral1
- Sample: Zyron.exe
- Resource: win10v2004-20240508-en
Malware Config

Targets
- Target: Zyron.exe
- Size: 20.1MB
- MD5: c93e65b8b3bdf4651aa5f33fbaf6487d
- SHA1: fa44cc02066d7e384224ce22ea2c7e37604e6d17
- SHA256: a8474496d6a2d25d7e3c34cb41e22417b59ca58f7c94b514492a85bbcb969f30
- SHA512: 2ab77d13631d77774bafbc9ad70854fd1c31c3ade62e11ec872b6dd05baa9996c5408ddbe822a714f25ba893bc34839d23cc6cb41394d02bfa38f422c06076cd
- SSDEEP: 196608:Jri7DEziLjv+bhqNVoB8Ck5c7GpNlpq41J29bk9qtlDfqWf:YTL+9qz88Ck+7q3p91JBqfqWf
Signatures
- Modifies visibility of hidden/system files in Explorer
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Modify Registry (2)