Overview

overview

10

Static

static

10

Project-ALM.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    71s
  • max time network
    60s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    14-05-2024 19:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Project-ALM.exe

  • Size

    5.4MB

  • MD5

    404b5f5ddc06a5221ec2af9a05731a40

  • SHA1

    c981ceba9a5b29b1009af554d12a7817cee802db

  • SHA256

    e0b43431908bdaa74ee3df9b069951a2e237336fa42cb71ef5da2de6b15b7435

  • SHA512

    5381607ce49f093a58e23f09d1307506a63d90030bf95d975670870b3d44257330527b8dfbaee53eeea4960f275e3205f802420e88053ff8fd2bcf8e7283c358

  • SSDEEP

    98304:qYiM41pHpp9Zd1exMKE2q4+prBzkqXf0FJ7WLYWk4/hwftm6Tx:qYiMcpHpp9Zd1eNBYlzkSIJ74YWk4mVV

Score
10/10
zgratrat

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Drops file in Windows directory 7 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Project-ALM.exe
    "C:\Users\Admin\AppData\Local\Temp\Project-ALM.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1980
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
    1⤵
      PID:4844
    • C:\Users\Admin\AppData\Local\Temp\Project-ALM.exe
      "C:\Users\Admin\AppData\Local\Temp\Project-ALM.exe"
      1⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2956
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1464
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:1056
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3488
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4184
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:1392
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2980
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:4960
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3540
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4360

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Insanux\ProjectALM\config.cfg
      Filesize

      576B

      MD5

      a78fc0417076b521be811780549a3b96

      SHA1

      e24b8e51fcca383ea52f7679cce938783c69104c

      SHA256

      b48aeb2d9c0ef2443f0ebeb92e969ce35df421c60e0e755dffe809657e2c416a

      SHA512

      ec8fd6a7840d69e45501956bffdc4ee42ecb59ca872ae4181a68d82491e53f2b564d5f0b838f3f2ea4381cea746865385c78f915fc41e06c4938f9f06f9462f7

      Download Submit
    • C:\Users\Admin\AppData\Local\Insanux\ProjectALM\config.cfg
      Filesize

      575B

      MD5

      cc82a533f42b895853e7e1e313c2a0e7

      SHA1

      9799e20a51b5b2acd10335b3f85814344ce432fc

      SHA256

      3124a3c5dc4b72e8f258f646417c85335b889c95c875ed398d99feda43ad5f59

      SHA512

      800ba96dc65806ee9f7504ece0ab9f0e92017e48c1445e12a504bbfea8e1c59b1de986a66dc0f552f081794bdab747d19f52be5c526fb86bf8c160a7438dc0a2

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Project-ALM.exe.log
      Filesize

      2KB

      MD5

      c2d9a71e254c064c3f169aec667c843a

      SHA1

      a2f0e6e4d51a0762dd33e4887b267e6897683538

      SHA256

      db8553d65c93fa8105affd5f7b56dcb97e16f9dcd3b363bb9f6eb66329c3d14e

      SHA512

      539f47bc4f893caf82717e2f953e6fa70066934388abc7103fb6ecfb0d2b075f35c7d7c9f50ba1e216af9896522566ee615a0f1fef985e4f5cc98d7c04e7dc91

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\0Y3JY0Z6\favicon[1].ico
      Filesize

      5KB

      MD5

      f3418a443e7d841097c714d69ec4bcb8

      SHA1

      49263695f6b0cdd72f45cf1b775e660fdc36c606

      SHA256

      6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

      SHA512

      82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
      Filesize

      512KB

      MD5

      462a2dfab55aa6d5d1cbe73725c5aebd

      SHA1

      964d1102c3ebbb0e958dc59efd3f791a97defccf

      SHA256

      1e49f0b0159f95590ca51a68e062a8026b4d4aa807c499c42060a3b85f5b9153

      SHA512

      4e11a21bdf51624a70daef01ba7813a10808140a2f60272a1a357b4d2ae4f0a495b4ed46bf6caa1e91ada096a5964eace845ad896bd43b781d7b7267a89c7b55

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF6469E543DDD714CC.TMP
      Filesize

      16KB

      MD5

      c5dfdcbb0b214f6f22845aee027a3981

      SHA1

      c87740b14157d3de4e0831fabf074e63c4422de9

      SHA256

      78bc4647f26647a6aff3a96b252539fab203603fa876594b17c26d0f0745c022

      SHA512

      5c368d5ea24a9396821917f00c25a353c85ae3a64525daf28ae9a53adcfa67ea375dd6ffdc6ddbc3e1caa2c65208b5fa07f7d7df4f21907dcbf2ea01b9b040e6

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
      Filesize

      512KB

      MD5

      82220e28e514f4f1bcb10c121f1c3a68

      SHA1

      4f73273cc53520e9be7ac28340ff36155a818885

      SHA256

      ade7185513c28ac32211d9c9ed828dbdb84fd7e42c7b08fbd033f89dd5ee9e1f

      SHA512

      345dd0387daae20543e6c34cb19714c248798134929d689a799bf5aeba579c87a43977e1a8ab1f8668aa0f310b5637bb6b5f739d0bce2cbacb3fb3e1d64d0ee3

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
      Filesize

      8KB

      MD5

      5ce9de1182bd2015b3d08803c9f46d7c

      SHA1

      f228c9e2e33ef1a63039fad1f1ad1263ef423754

      SHA256

      9f4aef1a69b87eb89936cfbcb95fdb3acd0cd0be5317cacc2c2c02b6a9a30aaa

      SHA512

      cfab3731df0471e25aed7779fe836cef9c0e70adbf2d765f39e9812ee4aaa42649d303202963df44e271abc15a4485deb19040d83fa4c899a0e8478c326ea69a

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
      Filesize

      2.0MB

      MD5

      722e00f21143d2b34d483f929e2dfe01

      SHA1

      6c367d9d60647ada51a283a85a4f0afe7a850c80

      SHA256

      86dacba0c2ff67d83e78ec15314dc8885d6aee9a319d7fddc9c2fce78fed6009

      SHA512

      15ab809f99c543e4a2b5ec9d91a4cfb50e62193f697bfd556a11aed2fea618c77732af56c774bda3713957c42c66c215f450d3b31e590d9787d5b1607b12c537

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
      Filesize

      16KB

      MD5

      4eafa65ea60e7ea69af24b41858032bb

      SHA1

      0c53913ef475a8ac239d0ac0d553d7ece02b3886

      SHA256

      c0bb84fa14d8f5e1221eae84271bddae56244155847f0dfda7c8a070d2b6bae7

      SHA512

      9eec5cc737c1918a6c373e1dcc46f9e6da3015bf82688c2f43b4b410aec55613ab6f0f452c8374fed5ab006efaa907b04dedbf8e9a51caccbe4106b955c84d25

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\ynrqu0v\imagestore.dat
      Filesize

      5KB

      MD5

      1f8e6ebb30a5082b079205de058c383a

      SHA1

      b01e8122c0191e81e1fc8305490cfaaf4ac4e874

      SHA256

      40fceedeb7e6163efaae08e7e77776ddcce8e0489c5d16d1581dcc3c72323880

      SHA512

      f7756d96dbf6885965f26edc102c54c8337d7d9f2c1d4a8d9195bdaf16d04c55d9983f88640656e2b44c58e00fc9d20eb7963981ac65480fadcc617297ae1a6b

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{29FE3809-3EB3-4664-8335-257C0579A457}.dat
      Filesize

      5KB

      MD5

      dbb54cae123082b88ae8617dd7956de3

      SHA1

      f6fda5f03c9eb962cff7ad85623e397f1c3781ab

      SHA256

      2cf90b81402eda2cc4cd88322c088ef8b8f22534584ce71fa132292b16050c7a

      SHA512

      992b0f12795c4b00b94b9fe1dcf02f649818c0fcf8008137c353e85c04583ed87084c79371463400129e26a1b8ff53683490beae8370e11e13fe3c12bdd636b2

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{2016F796-03F2-45B1-8ADA-F18A29FFCE90}.dat
      Filesize

      7KB

      MD5

      373576683cce510e2e899d52680dfae3

      SHA1

      bd664766b9bfb6bb309e34b2329834204fe2d7c1

      SHA256

      aa4d8c1e300f18b6c132d87ae5219e6ca955cdff4981dde82ec2d4613a5a140f

      SHA512

      fb91802121333ebf734f28769c0aef13a3c05e1b4c0f44d3aa849cca71770d262d24e9d352b743975c4123ae2f52fa1aa0ab708d975eac5a8bc20a780793d78c

      Download Submit
    • memory/1392-98-0x000002807FDC0000-0x000002807FDC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1392-106-0x00000278000B0000-0x00000278000B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1392-96-0x000002807FDA0000-0x000002807FDA2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1392-89-0x000002807FD30000-0x000002807FD32000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1392-88-0x000002806CB00000-0x000002806CC00000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1392-92-0x000002807FD60000-0x000002807FD62000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1392-94-0x000002807FD80000-0x000002807FD82000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1392-100-0x000002807FDE0000-0x000002807FDE2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1464-156-0x000001DD539F0000-0x000001DD539F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1464-40-0x000001DD56820000-0x000001DD56830000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1464-59-0x000001DD53D90000-0x000001DD53D92000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1464-152-0x000001DD53DE0000-0x000001DD53DE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1464-149-0x000001DD5AA30000-0x000001DD5AA32000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1464-24-0x000001DD56720000-0x000001DD56730000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1464-122-0x000001DD5CE40000-0x000001DD5CE41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1464-121-0x000001DD5CE30000-0x000001DD5CE31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1980-12-0x0000000073280000-0x000000007396E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1980-10-0x000000007328E000-0x000000007328F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1980-1-0x00000000005E0000-0x0000000000B54000-memory.dmp
      Filesize

      5.5MB

      Download
    • memory/1980-2-0x0000000005A10000-0x0000000005F0E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/1980-3-0x00000000053F0000-0x0000000005482000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1980-4-0x00000000053B0000-0x00000000053BA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1980-16-0x0000000073280000-0x000000007396E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1980-5-0x0000000073280000-0x000000007396E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1980-6-0x00000000056C0000-0x0000000005780000-memory.dmp
      Filesize

      768KB

      Download
    • memory/1980-0-0x000000007328E000-0x000000007328F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1980-11-0x0000000073280000-0x000000007396E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1980-7-0x0000000073280000-0x000000007396E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1980-9-0x0000000073280000-0x000000007396E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1980-164-0x0000000073280000-0x000000007396E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1980-8-0x00000000089A0000-0x0000000008A52000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2956-13-0x0000000009810000-0x0000000009832000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2956-14-0x000000000B2A0000-0x000000000B5F0000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2956-17-0x000000000AD60000-0x000000000ADD4000-memory.dmp
      Filesize

      464KB

      Download
    • memory/2956-18-0x000000000F4B0000-0x000000000F546000-memory.dmp
      Filesize

      600KB

      Download
    • memory/2956-19-0x0000000004DE0000-0x0000000004E02000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4184-67-0x000001EC1D500000-0x000001EC1D600000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/4184-66-0x000001EC1D500000-0x000001EC1D600000-memory.dmp
      Filesize

      1024KB

      Download