Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    39s
  • max time network
    20s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12/05/2024, 03:20

General

  • Target

    PatchGadar.exe

  • Size

    293KB

  • MD5

    edcfedc1c217b5907f6b69272e5ca98f

  • SHA1

    e4bb7f3226e809c7ad1e12193ee26048cfc58790

  • SHA256

    114ad98c82f045d81f4b456900e650ea316e7dda7a1d8c5396e585488986d6fe

  • SHA512

    c1a9d970e7690f60eb1ad0ea85a57c942b31006db8dbbfcc46e1d0e1036ee2957f67ce205eba93b426d78dd6eb8bcf23fb713b3442ae1ab91f59a24ed6e4e626

  • SSDEEP

    3072:e3MK0Jc5YQoIpwg9iO2OaiS40eBwYG3zRrYp2OplMGc8A6uHPMG7CUqkZFI0CADL:u2c5YQoI2gzai9kjJkhpuJvYuH

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

  • Modifies Windows Firewall 2 TTPs 63 IoCs
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PatchGadar.exe
    "C:\Users\Admin\AppData\Local\Temp\PatchGadar.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 107.186.1.15" dir=out action=block remoteip=107.186.1.15
      2⤵
      • Modifies Windows Firewall
      PID:3520
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 107.186.10.31" dir=out action=block remoteip=107.186.10.31
      2⤵
      • Modifies Windows Firewall
      PID:3264
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 107.186.31.222" dir=out action=block remoteip=107.186.31.222
      2⤵
      • Modifies Windows Firewall
      PID:2344
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 23.226.21.91" dir=out action=block remoteip=23.226.21.91
      2⤵
      • Modifies Windows Firewall
      PID:4992
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 104.26.2.120" dir=out action=block remoteip=104.26.2.120
      2⤵
      • Modifies Windows Firewall
      PID:4380
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 104.26.3.120" dir=out action=block remoteip=104.26.3.120
      2⤵
      • Modifies Windows Firewall
      PID:4464
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 172.67.75.3" dir=out action=block remoteip=172.67.75.3
      2⤵
      • Modifies Windows Firewall
      PID:4840
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 172.67.192.231" dir=out action=block remoteip=172.67.192.231
      2⤵
      • Modifies Windows Firewall
      PID:1928
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 104.21.20.129" dir=out action=block remoteip=104.21.20.129
      2⤵
      • Modifies Windows Firewall
      PID:1940
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 104.22.43.134" dir=out action=block remoteip=104.22.43.134
      2⤵
      • Modifies Windows Firewall
      PID:1240
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 172.67.37.86" dir=out action=block remoteip=172.67.37.86
      2⤵
      • Modifies Windows Firewall
      PID:2144
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 104.22.42.134" dir=out action=block remoteip=104.22.42.134
      2⤵
      • Modifies Windows Firewall
      PID:3088
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 191.101.51.84" dir=out action=block remoteip=191.101.51.84
      2⤵
      • Modifies Windows Firewall
      PID:5032
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 104.22.42.134" dir=out action=block remoteip=104.22.42.134
      2⤵
      • Modifies Windows Firewall
      PID:3644
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 172.67.37.86" dir=out action=block remoteip=172.67.37.86
      2⤵
      • Modifies Windows Firewall
      PID:428
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 104.22.43.134" dir=out action=block remoteip=104.22.43.134
      2⤵
      • Modifies Windows Firewall
      PID:4292
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 107.186.1.15" dir=out action=block remoteip=107.186.1.15
      2⤵
      • Modifies Windows Firewall
      PID:484
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 107.186.10.31" dir=out action=block remoteip=107.186.10.31
      2⤵
      • Modifies Windows Firewall
      PID:4004
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 107.186.31.222" dir=out action=block remoteip=107.186.31.222
      2⤵
      • Modifies Windows Firewall
      PID:4120
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 138.201.80.108" dir=out action=block remoteip=138.201.80.108
      2⤵
      • Modifies Windows Firewall
      PID:1732
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 104.26.0.11" dir=out action=block remoteip=104.26.0.11
      2⤵
      • Modifies Windows Firewall
      PID:5024
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 104.26.1.11" dir=out action=block remoteip=104.26.1.11
      2⤵
      • Modifies Windows Firewall
      PID:4116
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 23.226.21.91" dir=out action=block remoteip=23.226.21.91
      2⤵
      • Modifies Windows Firewall
      PID:1064
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 104.26.2.120" dir=out action=block remoteip=104.26.2.120
      2⤵
      • Modifies Windows Firewall
      PID:2852
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 104.26.3.120" dir=out action=block remoteip=104.26.3.120
      2⤵
      • Modifies Windows Firewall
      PID:2580
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 172.67.72.29" dir=out action=block remoteip=172.67.72.29
      2⤵
      • Modifies Windows Firewall
      PID:3992
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 172.67.75.3" dir=out action=block remoteip=172.67.75.3
      2⤵
      • Modifies Windows Firewall
      PID:4584
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" advfirewall firewall add rule name="BlockIP 172.67.192.231" dir=out action=block remoteip=172.67.192.231
      2⤵
      • Modifies Windows Firewall
      PID:752
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C netsh advfirewall firewall add rule name="BlockPort29842" dir=out action=block protocol=TCP remoteport=29842
      2⤵
        PID:3388
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall add rule name="BlockPort29842" dir=out action=block protocol=TCP remoteport=29842
          3⤵
          • Modifies Windows Firewall
          PID:3476
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall add rule name="BlockIP 104.21.20.129" dir=out action=block remoteip=104.21.20.129
        2⤵
        • Modifies Windows Firewall
        PID:1552
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall add rule name="BlockIP 104.22.43.134" dir=out action=block remoteip=104.22.43.134
        2⤵
        • Modifies Windows Firewall
        PID:4576
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall add rule name="BlockIP 172.67.37.86" dir=out action=block remoteip=172.67.37.86
        2⤵
        • Modifies Windows Firewall
        PID:3928
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall add rule name="BlockIP 104.22.42.134" dir=out action=block remoteip=104.22.42.134
        2⤵
        • Modifies Windows Firewall
        PID:3264
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall add rule name="BlockIP 191.101.51.84" dir=out action=block remoteip=191.101.51.84
        2⤵
        • Modifies Windows Firewall
        PID:4916
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall add rule name="BlockIP 104.22.42.134" dir=out action=block remoteip=104.22.42.134
        2⤵
        • Modifies Windows Firewall
        PID:4964
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall add rule name="BlockIP 172.67.37.86" dir=out action=block remoteip=172.67.37.86
        2⤵
        • Modifies Windows Firewall
        PID:1180
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall add rule name="BlockIP 104.22.43.134" dir=out action=block remoteip=104.22.43.134
        2⤵
        • Modifies Windows Firewall
        PID:1540
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall add rule name="BlockIP 138.201.80.108" dir=out action=block remoteip=138.201.80.108
        2⤵
        • Modifies Windows Firewall
        PID:776
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall add rule name="BlockIP 104.26.0.11" dir=out action=block remoteip=104.26.0.11
        2⤵
        • Modifies Windows Firewall
        PID:3584
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall add rule name="BlockIP 104.26.1.11" dir=out action=block remoteip=104.26.1.11
        2⤵
        • Modifies Windows Firewall
        PID:2328
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" advfirewall firewall add rule name="BlockIP 172.67.72.29" dir=out action=block remoteip=172.67.72.29
        2⤵
        • Modifies Windows Firewall
        PID:1356
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C netsh advfirewall firewall add rule name="BlockPort29842" dir=out action=block protocol=TCP remoteport=29842
        2⤵
          PID:696
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="BlockPort29842" dir=out action=block protocol=TCP remoteport=29842
            3⤵
            • Modifies Windows Firewall
            PID:656
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 107.186.1.15"
          2⤵
          • Modifies Windows Firewall
          PID:4944
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 107.186.10.31"
          2⤵
          • Modifies Windows Firewall
          PID:4536
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 107.186.31.222"
          2⤵
          • Modifies Windows Firewall
          PID:2824
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 23.226.21.91"
          2⤵
          • Modifies Windows Firewall
          PID:2152
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 104.26.2.120"
          2⤵
          • Modifies Windows Firewall
          PID:2236
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 104.26.3.120"
          2⤵
          • Modifies Windows Firewall
          PID:4204
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 172.67.75.3"
          2⤵
          • Modifies Windows Firewall
          PID:4564
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 172.67.192.231"
          2⤵
          • Modifies Windows Firewall
          PID:4392
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 104.21.20.129"
          2⤵
          • Modifies Windows Firewall
          PID:4456
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 104.22.43.134"
          2⤵
          • Modifies Windows Firewall
          PID:5116
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 172.67.37.86"
          2⤵
          • Modifies Windows Firewall
          PID:4952
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 104.22.42.134"
          2⤵
          • Modifies Windows Firewall
          PID:4888
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 191.101.51.84"
          2⤵
          • Modifies Windows Firewall
          PID:4120
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 104.22.42.134"
          2⤵
          • Modifies Windows Firewall
          PID:2432
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 172.67.37.86"
          2⤵
          • Modifies Windows Firewall
          PID:4836
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 104.22.43.134"
          2⤵
          • Modifies Windows Firewall
          PID:4380
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 138.201.80.108"
          2⤵
          • Modifies Windows Firewall
          PID:2392
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 104.26.0.11"
          2⤵
          • Modifies Windows Firewall
          PID:500
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 104.26.1.11"
          2⤵
          • Modifies Windows Firewall
          PID:3100
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall delete rule name="BlockIP 172.67.72.29"
          2⤵
          • Modifies Windows Firewall
          PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C netsh advfirewall firewall delete rule name="BlockPort29842"
          2⤵
            PID:4648
            • C:\Windows\SysWOW64\netsh.exe
              netsh advfirewall firewall delete rule name="BlockPort29842"
              3⤵
              • Modifies Windows Firewall
              PID:864

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2428-0-0x00000000735AE000-0x00000000735AF000-memory.dmp

          Filesize

          4KB

        • memory/2428-1-0x00000000004D0000-0x0000000000520000-memory.dmp

          Filesize

          320KB

        • memory/2428-2-0x00000000735A0000-0x0000000073C8E000-memory.dmp

          Filesize

          6.9MB

        • memory/2428-3-0x00000000054E0000-0x00000000059DE000-memory.dmp

          Filesize

          5.0MB

        • memory/2428-4-0x0000000004E30000-0x0000000004EC2000-memory.dmp

          Filesize

          584KB

        • memory/2428-5-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

          Filesize

          40KB

        • memory/2428-6-0x00000000735AE000-0x00000000735AF000-memory.dmp

          Filesize

          4KB

        • memory/2428-7-0x00000000735A0000-0x0000000073C8E000-memory.dmp

          Filesize

          6.9MB

        • memory/2428-9-0x00000000735A0000-0x0000000073C8E000-memory.dmp

          Filesize

          6.9MB