Overview

overview

10

Static

static

10

PatchGadar.exe

windows10-1703-x64

10

PatchGadar.exe

windows7-x64

10

PatchGadar.exe

windows10-2004-x64

10

PatchGadar.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    129s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12-05-2024 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PatchGadar.exe

  • Size

    293KB

  • MD5

    edcfedc1c217b5907f6b69272e5ca98f

  • SHA1

    e4bb7f3226e809c7ad1e12193ee26048cfc58790

  • SHA256

    114ad98c82f045d81f4b456900e650ea316e7dda7a1d8c5396e585488986d6fe

  • SHA512

    c1a9d970e7690f60eb1ad0ea85a57c942b31006db8dbbfcc46e1d0e1036ee2957f67ce205eba93b426d78dd6eb8bcf23fb713b3442ae1ab91f59a24ed6e4e626

  • SSDEEP

    3072:e3MK0Jc5YQoIpwg9iO2OaiS40eBwYG3zRrYp2OplMGc8A6uHPMG7CUqkZFI0CADL:u2c5YQoI2gzai9kjJkhpuJvYuH

Score
10/10
zgratrat

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PatchGadar.exe
    "C:\Users\Admin\AppData\Local\Temp\PatchGadar.exe"
    1⤵
      PID:1376
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:888
    • C:\Windows\System32\Taskmgr.exe
      "C:\Windows\System32\Taskmgr.exe"
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4760
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4932
      • C:\Windows\System32\pbpbks.exe
        "C:\Windows\System32\pbpbks.exe"
        1⤵
          PID:4736

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
          Filesize

          10KB

          MD5

          394f971f95da279c2ebf1a4113ce8426

          SHA1

          74f73a16920c5919ccb7788e3c2429c291da34d3

          SHA256

          5555d03ce11acdeae26b199b7bdf7220be2f8a4668800c29644740857576659f

          SHA512

          1ea93d43096e70a182b4a5011b20b2a0c3558b907039c8ead7c3f89cc360b8ee635789b15398ef42f6a0c74a98d9f070290d5e98f786017e4d6bc3e25a042f33

          Download Submit

        • memory/1376-4-0x00000000059A0000-0x0000000005A32000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1376-3-0x0000000006050000-0x00000000065F6000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1376-0-0x000000007434E000-0x000000007434F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1376-2-0x0000000074340000-0x0000000074AF1000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1376-5-0x0000000005A50000-0x0000000005A5A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1376-6-0x000000007434E000-0x000000007434F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1376-7-0x0000000074340000-0x0000000074AF1000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1376-1-0x0000000000E70000-0x0000000000EC0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4760-14-0x00000184C31C0000-0x00000184C31C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4760-24-0x00000184C31C0000-0x00000184C31C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4760-26-0x00000184C31C0000-0x00000184C31C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4760-23-0x00000184C31C0000-0x00000184C31C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4760-22-0x00000184C31C0000-0x00000184C31C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4760-21-0x00000184C31C0000-0x00000184C31C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4760-20-0x00000184C31C0000-0x00000184C31C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4760-15-0x00000184C31C0000-0x00000184C31C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4760-16-0x00000184C31C0000-0x00000184C31C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4760-25-0x00000184C31C0000-0x00000184C31C1000-memory.dmp

          Filesize

          4KB

          Download