Analysis
max time kernel: 39s
max time network: 20s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12/05/2024, 03:20
Behavioral tasks
behavioral1: sample PatchGadar.exe, resource win10-20240404-en
behavioral2: sample PatchGadar.exe, resource win7-20240221-en
behavioral3: sample PatchGadar.exe, resource win10v2004-20240226-en
General
Target: PatchGadar.exe
Size: 293KB
MD5: edcfedc1c217b5907f6b69272e5ca98f
SHA1: e4bb7f3226e809c7ad1e12193ee26048cfc58790
SHA256: 114ad98c82f045d81f4b456900e650ea316e7dda7a1d8c5396e585488986d6fe
SHA512: c1a9d970e7690f60eb1ad0ea85a57c942b31006db8dbbfcc46e1d0e1036ee2957f67ce205eba93b426d78dd6eb8bcf23fb713b3442ae1ab91f59a24ed6e4e626
SSDEEP: 3072:e3MK0Jc5YQoIpwg9iO2OaiS40eBwYG3zRrYp2OplMGc8A6uHPMG7CUqkZFI0CADL:u2c5YQoI2gzai9kjJkhpuJvYuH
Malware Config
Signatures
- Detect ZGRat V1 (1 IoC)
  resource: behavioral1/memory/2428-1-0x00000000004D0000-0x0000000000520000-memory.dmp | yara_rule: family_zgrat_v1
- Modifies Windows Firewall (2 TTPs, 63 IoCs)
  Process: netsh.exe (63 instances), PIDs: 2328, 4456, 776, 2852, 4004, 3100, 1064, 3476, 1540, 752, 3928, 4944, 4836, 3992, 3088, 4120, 4116, 2580, 3584, 4992, 1940, 5024, 4120, 2344, 4888, 4380, 500, 2824, 4292, 1180, 3644, 4964, 1356, 2152, 2392, 4464, 5032, 1732, 2236, 4204, 4840, 4380, 4576, 2432, 2388, 3264, 428, 4584, 3264, 4392, 5116, 2144, 1240, 484, 4916, 656, 4564, 1928, 4952, 864, 1552, 4536, 3520
- .NET Reactor protector (1 IoC)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource: behavioral1/memory/2428-1-0x00000000004D0000-0x0000000000520000-memory.dmp | yara_rule: net_reactor
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 1: raw.githubusercontent.com
  flow 2: raw.githubusercontent.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege | pid 2428 | PatchGadar.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  pid 2428 PatchGadar.exe wrote to memory of 3520 (procid_target 75), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 3264 (procid_target 77), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 2344 (procid_target 79), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 4992 (procid_target 81), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 4380 (procid_target 83), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 4464 (procid_target 85), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 4840 (procid_target 87), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 1928 (procid_target 89), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 1940 (procid_target 91), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 1240 (procid_target 93), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 2144 (procid_target 95), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 3088 (procid_target 97), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 5032 (procid_target 99), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 3644 (procid_target 101), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 428 (procid_target 103), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 4292 (procid_target 105), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 484 (procid_target 107), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 4004 (procid_target 109), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 4120 (procid_target 111), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 1732 (procid_target 113), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 5024 (procid_target 115), 3 events
  pid 2428 PatchGadar.exe wrote to memory of 4116 (procid_target 117), 1 event (list capped at 64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\PatchGadar.exe (PID 2428)
  "C:\Users\Admin\AppData\Local\Temp\PatchGadar.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\netsh.exe (PID 3520)
    "netsh" advfirewall firewall add rule name="BlockIP 107.186.1.15" dir=out action=block remoteip=107.186.1.15
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 3264)
    "netsh" advfirewall firewall add rule name="BlockIP 107.186.10.31" dir=out action=block remoteip=107.186.10.31
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 2344)
    "netsh" advfirewall firewall add rule name="BlockIP 107.186.31.222" dir=out action=block remoteip=107.186.31.222
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4992)
    "netsh" advfirewall firewall add rule name="BlockIP 23.226.21.91" dir=out action=block remoteip=23.226.21.91
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4380)
    "netsh" advfirewall firewall add rule name="BlockIP 104.26.2.120" dir=out action=block remoteip=104.26.2.120
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4464)
    "netsh" advfirewall firewall add rule name="BlockIP 104.26.3.120" dir=out action=block remoteip=104.26.3.120
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4840)
    "netsh" advfirewall firewall add rule name="BlockIP 172.67.75.3" dir=out action=block remoteip=172.67.75.3
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 1928)
    "netsh" advfirewall firewall add rule name="BlockIP 172.67.192.231" dir=out action=block remoteip=172.67.192.231
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 1940)
    "netsh" advfirewall firewall add rule name="BlockIP 104.21.20.129" dir=out action=block remoteip=104.21.20.129
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 1240)
    "netsh" advfirewall firewall add rule name="BlockIP 104.22.43.134" dir=out action=block remoteip=104.22.43.134
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 2144)
    "netsh" advfirewall firewall add rule name="BlockIP 172.67.37.86" dir=out action=block remoteip=172.67.37.86
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 3088)
    "netsh" advfirewall firewall add rule name="BlockIP 104.22.42.134" dir=out action=block remoteip=104.22.42.134
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 5032)
    "netsh" advfirewall firewall add rule name="BlockIP 191.101.51.84" dir=out action=block remoteip=191.101.51.84
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 3644)
    "netsh" advfirewall firewall add rule name="BlockIP 104.22.42.134" dir=out action=block remoteip=104.22.42.134
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 428)
    "netsh" advfirewall firewall add rule name="BlockIP 172.67.37.86" dir=out action=block remoteip=172.67.37.86
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4292)
    "netsh" advfirewall firewall add rule name="BlockIP 104.22.43.134" dir=out action=block remoteip=104.22.43.134
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 484)
    "netsh" advfirewall firewall add rule name="BlockIP 107.186.1.15" dir=out action=block remoteip=107.186.1.15
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4004)
    "netsh" advfirewall firewall add rule name="BlockIP 107.186.10.31" dir=out action=block remoteip=107.186.10.31
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4120)
    "netsh" advfirewall firewall add rule name="BlockIP 107.186.31.222" dir=out action=block remoteip=107.186.31.222
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 1732)
    "netsh" advfirewall firewall add rule name="BlockIP 138.201.80.108" dir=out action=block remoteip=138.201.80.108
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 5024)
    "netsh" advfirewall firewall add rule name="BlockIP 104.26.0.11" dir=out action=block remoteip=104.26.0.11
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4116)
    "netsh" advfirewall firewall add rule name="BlockIP 104.26.1.11" dir=out action=block remoteip=104.26.1.11
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 1064)
    "netsh" advfirewall firewall add rule name="BlockIP 23.226.21.91" dir=out action=block remoteip=23.226.21.91
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 2852)
    "netsh" advfirewall firewall add rule name="BlockIP 104.26.2.120" dir=out action=block remoteip=104.26.2.120
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 2580)
    "netsh" advfirewall firewall add rule name="BlockIP 104.26.3.120" dir=out action=block remoteip=104.26.3.120
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 3992)
    "netsh" advfirewall firewall add rule name="BlockIP 172.67.72.29" dir=out action=block remoteip=172.67.72.29
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4584)
    "netsh" advfirewall firewall add rule name="BlockIP 172.67.75.3" dir=out action=block remoteip=172.67.75.3
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 752)
    "netsh" advfirewall firewall add rule name="BlockIP 172.67.192.231" dir=out action=block remoteip=172.67.192.231
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\cmd.exe (PID 3388)
    "cmd.exe" /C netsh advfirewall firewall add rule name="BlockPort29842" dir=out action=block protocol=TCP remoteport=29842
    C:\Windows\SysWOW64\netsh.exe (PID 3476)
      netsh advfirewall firewall add rule name="BlockPort29842" dir=out action=block protocol=TCP remoteport=29842
      - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 1552)
    "netsh" advfirewall firewall add rule name="BlockIP 104.21.20.129" dir=out action=block remoteip=104.21.20.129
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4576)
    "netsh" advfirewall firewall add rule name="BlockIP 104.22.43.134" dir=out action=block remoteip=104.22.43.134
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 3928)
    "netsh" advfirewall firewall add rule name="BlockIP 172.67.37.86" dir=out action=block remoteip=172.67.37.86
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 3264)
    "netsh" advfirewall firewall add rule name="BlockIP 104.22.42.134" dir=out action=block remoteip=104.22.42.134
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4916)
    "netsh" advfirewall firewall add rule name="BlockIP 191.101.51.84" dir=out action=block remoteip=191.101.51.84
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4964)
    "netsh" advfirewall firewall add rule name="BlockIP 104.22.42.134" dir=out action=block remoteip=104.22.42.134
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 1180)
    "netsh" advfirewall firewall add rule name="BlockIP 172.67.37.86" dir=out action=block remoteip=172.67.37.86
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 1540)
    "netsh" advfirewall firewall add rule name="BlockIP 104.22.43.134" dir=out action=block remoteip=104.22.43.134
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 776)
    "netsh" advfirewall firewall add rule name="BlockIP 138.201.80.108" dir=out action=block remoteip=138.201.80.108
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 3584)
    "netsh" advfirewall firewall add rule name="BlockIP 104.26.0.11" dir=out action=block remoteip=104.26.0.11
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 2328)
    "netsh" advfirewall firewall add rule name="BlockIP 104.26.1.11" dir=out action=block remoteip=104.26.1.11
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 1356)
    "netsh" advfirewall firewall add rule name="BlockIP 172.67.72.29" dir=out action=block remoteip=172.67.72.29
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\cmd.exe (PID 696)
    "cmd.exe" /C netsh advfirewall firewall add rule name="BlockPort29842" dir=out action=block protocol=TCP remoteport=29842
    C:\Windows\SysWOW64\netsh.exe (PID 656)
      netsh advfirewall firewall add rule name="BlockPort29842" dir=out action=block protocol=TCP remoteport=29842
      - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4944)
    "netsh" advfirewall firewall delete rule name="BlockIP 107.186.1.15"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4536)
    "netsh" advfirewall firewall delete rule name="BlockIP 107.186.10.31"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 2824)
    "netsh" advfirewall firewall delete rule name="BlockIP 107.186.31.222"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 2152)
    "netsh" advfirewall firewall delete rule name="BlockIP 23.226.21.91"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 2236)
    "netsh" advfirewall firewall delete rule name="BlockIP 104.26.2.120"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4204)
    "netsh" advfirewall firewall delete rule name="BlockIP 104.26.3.120"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4564)
    "netsh" advfirewall firewall delete rule name="BlockIP 172.67.75.3"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4392)
    "netsh" advfirewall firewall delete rule name="BlockIP 172.67.192.231"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4456)
    "netsh" advfirewall firewall delete rule name="BlockIP 104.21.20.129"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 5116)
    "netsh" advfirewall firewall delete rule name="BlockIP 104.22.43.134"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4952)
    "netsh" advfirewall firewall delete rule name="BlockIP 172.67.37.86"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4888)
    "netsh" advfirewall firewall delete rule name="BlockIP 104.22.42.134"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4120)
    "netsh" advfirewall firewall delete rule name="BlockIP 191.101.51.84"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 2432)
    "netsh" advfirewall firewall delete rule name="BlockIP 104.22.42.134"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4836)
    "netsh" advfirewall firewall delete rule name="BlockIP 172.67.37.86"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 4380)
    "netsh" advfirewall firewall delete rule name="BlockIP 104.22.43.134"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 2392)
    "netsh" advfirewall firewall delete rule name="BlockIP 138.201.80.108"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 500)
    "netsh" advfirewall firewall delete rule name="BlockIP 104.26.0.11"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 3100)
    "netsh" advfirewall firewall delete rule name="BlockIP 104.26.1.11"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\netsh.exe (PID 2388)
    "netsh" advfirewall firewall delete rule name="BlockIP 172.67.72.29"
    - Modifies Windows Firewall
  C:\Windows\SysWOW64\cmd.exe (PID 4648)
    "cmd.exe" /C netsh advfirewall firewall delete rule name="BlockPort29842"
    C:\Windows\SysWOW64\netsh.exe (PID 864)
      netsh advfirewall firewall delete rule name="BlockPort29842"
      - Modifies Windows Firewall