Overview

overview

10

Static

static

10

PatchGadar.exe

windows10-1703-x64

10

PatchGadar.exe

windows7-x64

10

PatchGadar.exe

windows10-2004-x64

10

PatchGadar.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PatchGadar.exe

  • Size

    293KB

  • MD5

    edcfedc1c217b5907f6b69272e5ca98f

  • SHA1

    e4bb7f3226e809c7ad1e12193ee26048cfc58790

  • SHA256

    114ad98c82f045d81f4b456900e650ea316e7dda7a1d8c5396e585488986d6fe

  • SHA512

    c1a9d970e7690f60eb1ad0ea85a57c942b31006db8dbbfcc46e1d0e1036ee2957f67ce205eba93b426d78dd6eb8bcf23fb713b3442ae1ab91f59a24ed6e4e626

  • SSDEEP

    3072:e3MK0Jc5YQoIpwg9iO2OaiS40eBwYG3zRrYp2OplMGc8A6uHPMG7CUqkZFI0CADL:u2c5YQoI2gzai9kjJkhpuJvYuH

Score
10/10
zgratrat

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PatchGadar.exe
    "C:\Users\Admin\AppData\Local\Temp\PatchGadar.exe"
    1⤵
      PID:4780
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4508
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /7
        1⤵
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4576
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4788
        • C:\Windows\System32\_iyiwy.exe
          "C:\Windows\System32\_iyiwy.exe"
          1⤵
            PID:1344

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/4576-20-0x00000272709A0000-0x00000272709A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4576-16-0x00000272709A0000-0x00000272709A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4576-10-0x00000272709A0000-0x00000272709A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4576-9-0x00000272709A0000-0x00000272709A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4576-15-0x00000272709A0000-0x00000272709A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4576-14-0x00000272709A0000-0x00000272709A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4576-17-0x00000272709A0000-0x00000272709A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4576-18-0x00000272709A0000-0x00000272709A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4576-19-0x00000272709A0000-0x00000272709A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4576-8-0x00000272709A0000-0x00000272709A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4780-5-0x00000000056F0000-0x00000000056FA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4780-22-0x0000000074FE0000-0x0000000075790000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4780-0-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4780-2-0x0000000074FE0000-0x0000000075790000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4780-7-0x0000000074FE0000-0x0000000075790000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4780-6-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4780-1-0x0000000000C30000-0x0000000000C80000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4780-4-0x0000000005790000-0x0000000005822000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4780-3-0x0000000005E90000-0x0000000006434000-memory.dmp

            Filesize

            5.6MB

            Download