c12bdfc94c307beed92b1b7c9478b58a8b5c9d8521c028743a6744101215d19f

Resubmissions

21/09/2024, 17:33

240921-v4z31svcqr 6

21/09/2024, 06:34

240921-hb2d6ayhjf 3

08/09/2024, 21:18

240908-z5zwvswarl 3

05/09/2024, 18:48

240905-xfr4lsxcjk 7

Analysis

max time kernel
31s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zoraraa2.2.zip
Size

25.8MB
MD5

60998608c92a3152da8c74799d69f7d9
SHA1

740176948082e70efe2dafd6a92942fbdd6cf766
SHA256

c12bdfc94c307beed92b1b7c9478b58a8b5c9d8521c028743a6744101215d19f
SHA512

87763e7a9e37ae8614e82cda4dccd8dcc58ab49309c07f257967aef40c0faabaad7d1600660fa7b177baa56bb4b2c73ab14cbec6d1f9638368b54f27d6aebbde
SSDEEP

786432:Q9H7en4YGNeLoVv54u7r9HmMXb9teNgZsyWn:WKnd6eLkB4u7r9HmXvyU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
380	ZoraraUI.exe

Loads dropped DLL 9 IoCs

pid	Process
380	ZoraraUI.exe
380	ZoraraUI.exe
380	ZoraraUI.exe
380	ZoraraUI.exe
380	ZoraraUI.exe
380	ZoraraUI.exe
380	ZoraraUI.exe
380	ZoraraUI.exe
380	ZoraraUI.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x000700000002359c-513.dat	embeds_openssl

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
380	ZoraraUI.exe
380	ZoraraUI.exe
380	ZoraraUI.exe
380	ZoraraUI.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3220	7zG.exe
Token: 35	3220	7zG.exe
Token: SeSecurityPrivilege	3220	7zG.exe
Token: SeSecurityPrivilege	3220	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3220	7zG.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2.zip
1⤵
PID:2964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2332

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\" -spe -an -ai#7zMap21053:100:7zEvent21739
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3220

C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.exe
"C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
b037ca44fd19b8eedb6d5b9de3e48469

SHA1
1f328389c62cf673b3de97e1869c139d2543494e

SHA256
11e88b2ca921e5c88f64567f11bd83cbc396c10365d40972f3359fcc7965d197

SHA512
fa89ab3347fd57486cf3064ad164574f70e2c2b77c382785479bfd5ab50caa0881de3c2763a0932feac2faaf09479ef699a04ba202866dc7e92640246ba9598b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\Microsoft.Web.WebView2.Wpf.dll

Filesize
50KB

MD5
4a292c5c2abf1aab91dee8eecafe0ab6

SHA1
369e788108e5fb0608a803fa2e5a06690b4464b5

SHA256
b628d6133bf57b7482a49aa158e45b078df73ee7d33137ac1336d24ac67ed1b4

SHA512
ca22adfff9789730e4c02343e320d80b8466cfc5a15f662cefe376b7ee29dea571004c1c26cd3f50c0d24e646f2b36b53fa86835678f46f335d65eec52431cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\Zorara.dll

Filesize
14.7MB

MD5
307d88738588c6e92dd314f1def2d948

SHA1
ec91c9edc1fea9fad3a6a07aaab9e1601865674a

SHA256
0b1f2977a3e0d737fd91048379ee2e6277b8b4675091b3f4413dfc2fc9dd8f00

SHA512
f3d020c58fd1b7c8c1c91e59d4699ad05012f5c4ea59cb3c3546aa29e1e90165af13908f6a1461f24c923ff00da15ad26a1c28e6f3c70f24cec71117ebcce67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.deps.json

Filesize
2KB

MD5
64cedc13b91608eeee007f1f281914b7

SHA1
bdfe4ced7641f9013d9236f8e38f6675f53e5ad4

SHA256
3d64b0e4158e3638255f8b26c18236637a2d3e50a66809f766cc0dc052ad70a0

SHA512
575d1523182e7937e90cb61f0c6fb36de456154b5036198eb57503dd67999702e2038cbccdeb0d6f94364f55ee85fbb6a035ac1b7e1ee16dc5f446268bcc1905

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.dll

Filesize
172KB

MD5
d57a28c2ffc3644fd298be1aaea49caf

SHA1
34beb784f098c4c3747bd260b818305665856c86

SHA256
f8bfb11e61e1d8f137a7ec9cc137a73be32d361b0f7f9941d2543a44f1d5c566

SHA512
b396c5f163f21c2d1472622339bdeef706214245c9cce64e2fb6a4ca8b882f6ef16730db0affb9c10a39413c878d39fd048e44d1fc9ea5e840fdd18abacdecc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.exe

Filesize
254KB

MD5
a64cafc6b2f823a091535cd9d31b5184

SHA1
f8e7e04ae3a4280526a72ad81be47c3e1cc11d96

SHA256
e2db764d50b8b1e729e6ecdb3a77d00aab4366d0f9396e85854e72a36a569350

SHA512
c07fa353adf0ce62caa49597cead3ddebc2abafcbb60f595629a2dfbe1c960cb4d9bcc2edaab06b19e0932016c754a006e41c9c85e41b7517a2f029cc63f21cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.exe.WebView2\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.exe.WebView2\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
c2ef1fd40eb8c79d3dfe29b191103845

SHA1
6f651f5b4b7b227420e7ed3dee522f9b33806379

SHA256
ef896d2af018f8b34a50f92a5600a2c7bbe50ee6d1c332729b25bdfbb0c40d5e

SHA512
324a57b35b5f36667784ec0016b06a21d5bc23024664e029e34b8f3228be39611fa30e0750c9edf626418f14ca495c12f848407b6948d0ed32bded24427ed88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.exe.WebView2\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\ZoraraUI.runtimeconfig.json

Filesize
458B

MD5
07b9a30265ca4e69c7016a1b6e3ffc27

SHA1
3a4af82a2695b1423aedd8b60a5c86793c011b02

SHA256
c71152bf25e40d647b2440c5b39be157a3d356106be9d5b678ab97bb87b4e782

SHA512
efd582f8edcdba5ef48d02eee5f73d83ff35071af99b49e08e0213928568d728d0856e3b903bfcccb9237f786846cf94da83139f99e9bee86287aff2071c3f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\libcrypto-3-x64.dll

Filesize
4.5MB

MD5
a9c1f7ca15c65c139bc9d4bf57df2e1e

SHA1
1b1377139a6b289d43a6b1161cd1089ffc817cf9

SHA256
03ec9292dcdfda520638490e11baeefff5ab1b6eb22feb90a22fc771272ce116

SHA512
97f8745dba6330c196de9b822638bfe7f74a86bdcb6726f4bd1d3d917de54f9abcb05163c42255173eac3bde995f0d611af718dbcc0de432b67666bed0c0b073

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\libssl-3-x64.dll

Filesize
802KB

MD5
51b0d5f42a82f6fa8739b403e9b8b81c

SHA1
75968c157628bb7aca9b5f2331f7a0c9a1d28865

SHA256
0bda7daeb4040c722b8c287dfd2307c9b8228576db1dbbbaac901c35cc8dc62b

SHA512
94fba90ad7bcf190079089dcc3af97c598c016eb359fe4d2ea439b5fbcd4a5489ab4422652223926aae64002beef1368d5b95874f68a2e5bc4971b4f9604d814

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\runtimes\win-x64\native\WebView2Loader.dll

Filesize
161KB

MD5
c5f0c46e91f354c58ecec864614157d7

SHA1
cb6f85c0b716b4fc3810deb3eb9053beb07e803c

SHA256
465a7ddfb3a0da4c3965daf2ad6ac7548513f42329b58aebc337311c10ea0a6f

SHA512
287756078aa08130907bd8601b957e9e006cef9f5c6765df25cfaa64ddd0fff7d92ffa11f10a00a4028687f3220efda8c64008dbcf205bedae5da296e3896e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\workspace\.tests\getcustomasset.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\xxhash.dll

Filesize
46KB

MD5
249a5f6ca047df2a2f802782696c7f80

SHA1
6a1d96be0f497d689fb55de70284af83cac61f52

SHA256
2828e3014c3283caeb1b00d14145a42f4e347e7f547b40634540394892265671

SHA512
d2d0b6ba2ec95c33609d98788e5a4cce382d93721ea5dea61cde3f4c065b06530a0b01ae4909f7883a81d55529a36cb6a5820aa2afc320b5761f6f59a3a45f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zoraraa2.2\zstd.dll

Filesize
638KB

MD5
21dfe873f6ed38f2f713ecd43ad1ba41

SHA1
7648cb043587da0e85743f9da8dca8be621ccdf0

SHA256
2a2d63c48b6b3ac7768231ade30122c94a0a33e62e5d2725e11c95b3194aa997

SHA512
67b4f976f3511387ce2a4743e2281ac88533bd204d4e07a5c6751f0ec30a3463dfabcda18103a632541ec2a8b7b937806121e21e44959411c39106e22b739919

Download Submit
memory/380-522-0x00007FFB7B270000-0x00007FFB7B272000-memory.dmp

Filesize
8KB

Download
memory/380-523-0x00007FFB7B280000-0x00007FFB7B282000-memory.dmp

Filesize
8KB

Download
memory/380-524-0x00007FFB7B290000-0x00007FFB7B292000-memory.dmp

Filesize
8KB

Download
memory/380-525-0x00007FFB7AA10000-0x00007FFB7AA12000-memory.dmp

Filesize
8KB

Download
memory/380-526-0x00007FFB7AA20000-0x00007FFB7AA22000-memory.dmp

Filesize
8KB

Download
memory/380-527-0x00007FFB78C00000-0x00007FFB78C02000-memory.dmp

Filesize
8KB

Download
memory/380-528-0x00007FFB78C10000-0x00007FFB78C12000-memory.dmp

Filesize
8KB

Download
memory/380-529-0x00007FFB523F0000-0x00007FFB53C83000-memory.dmp

Filesize
24.6MB

Download