Overview
overview
3Static
static
3Zorara2.5(WaveUI).zip
windows7-x64
1Zorara2.5(WaveUI).zip
windows10-2004-x64
1ZoraraUI.deps.json
windows7-x64
3ZoraraUI.deps.json
windows10-2004-x64
3ZoraraUI.e...rprint
windows7-x64
3ZoraraUI.e...rprint
windows10-2004-x64
3ZoraraUI.e...t.json
windows7-x64
3ZoraraUI.e...t.json
windows10-2004-x64
3ZoraraUI.e...s.json
windows7-x64
3ZoraraUI.e...s.json
windows10-2004-x64
3ZoraraUI.e...rl-set
windows7-x64
1ZoraraUI.e...rl-set
windows10-2004-x64
1ZoraraUI.e...rprint
windows7-x64
3ZoraraUI.e...rprint
windows10-2004-x64
3ZoraraUI.e...t.json
windows7-x64
3ZoraraUI.e...t.json
windows10-2004-x64
3ZoraraUI.e...gs.dat
windows7-x64
3ZoraraUI.e...gs.dat
windows10-2004-x64
3ZoraraUI.e...re.dat
windows7-x64
3ZoraraUI.e...re.dat
windows10-2004-x64
3ZoraraUI.e...data_0
windows7-x64
1ZoraraUI.e...data_0
windows10-2004-x64
1ZoraraUI.e...data_1
windows7-x64
1ZoraraUI.e...data_1
windows10-2004-x64
1ZoraraUI.e...data_2
windows7-x64
1ZoraraUI.e...data_2
windows10-2004-x64
1ZoraraUI.e...data_3
windows7-x64
1ZoraraUI.e...data_3
windows10-2004-x64
1ZoraraUI.e...001.gz
windows7-x64
3ZoraraUI.e...001.gz
windows10-2004-x64
3ZoraraUI.e.../index
windows7-x64
1ZoraraUI.e.../index
windows10-2004-x64
1Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04/10/2024, 02:23
Static task
static1
Behavioral task
behavioral1
Sample
Zorara2.5(WaveUI).zip
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral2
Sample
Zorara2.5(WaveUI).zip
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
ZoraraUI.deps.json
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
ZoraraUI.deps.json
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
ZoraraUI.exe.WebView2/EBWebView/AutoLaunchProtocolsComponent/1.0.0.8/manifest.fingerprint
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
ZoraraUI.exe.WebView2/EBWebView/AutoLaunchProtocolsComponent/1.0.0.8/manifest.fingerprint
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
ZoraraUI.exe.WebView2/EBWebView/AutoLaunchProtocolsComponent/1.0.0.8/manifest.json
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
ZoraraUI.exe.WebView2/EBWebView/AutoLaunchProtocolsComponent/1.0.0.8/manifest.json
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
ZoraraUI.exe.WebView2/EBWebView/AutoLaunchProtocolsComponent/1.0.0.8/protocols.json
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
ZoraraUI.exe.WebView2/EBWebView/AutoLaunchProtocolsComponent/1.0.0.8/protocols.json
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
ZoraraUI.exe.WebView2/EBWebView/CertificateRevocation/6498.2023.8.1/crl-set
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
ZoraraUI.exe.WebView2/EBWebView/CertificateRevocation/6498.2023.8.1/crl-set
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
ZoraraUI.exe.WebView2/EBWebView/CertificateRevocation/6498.2023.8.1/manifest.fingerprint
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
ZoraraUI.exe.WebView2/EBWebView/CertificateRevocation/6498.2023.8.1/manifest.fingerprint
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
ZoraraUI.exe.WebView2/EBWebView/CertificateRevocation/6498.2023.8.1/manifest.json
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral16
Sample
ZoraraUI.exe.WebView2/EBWebView/CertificateRevocation/6498.2023.8.1/manifest.json
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
ZoraraUI.exe.WebView2/EBWebView/Crashpad/settings.dat
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral18
Sample
ZoraraUI.exe.WebView2/EBWebView/Crashpad/settings.dat
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
ZoraraUI.exe.WebView2/EBWebView/Crashpad/throttle_store.dat
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
ZoraraUI.exe.WebView2/EBWebView/Crashpad/throttle_store.dat
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
ZoraraUI.exe.WebView2/EBWebView/Default/Cache/Cache_Data/data_0
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
ZoraraUI.exe.WebView2/EBWebView/Default/Cache/Cache_Data/data_0
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
ZoraraUI.exe.WebView2/EBWebView/Default/Cache/Cache_Data/data_1
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
ZoraraUI.exe.WebView2/EBWebView/Default/Cache/Cache_Data/data_1
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
ZoraraUI.exe.WebView2/EBWebView/Default/Cache/Cache_Data/data_2
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
ZoraraUI.exe.WebView2/EBWebView/Default/Cache/Cache_Data/data_2
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
ZoraraUI.exe.WebView2/EBWebView/Default/Cache/Cache_Data/data_3
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral28
Sample
ZoraraUI.exe.WebView2/EBWebView/Default/Cache/Cache_Data/data_3
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
ZoraraUI.exe.WebView2/EBWebView/Default/Cache/Cache_Data/f_000001.gz
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
ZoraraUI.exe.WebView2/EBWebView/Default/Cache/Cache_Data/f_000001.gz
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
ZoraraUI.exe.WebView2/EBWebView/Default/Cache/Cache_Data/index
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
ZoraraUI.exe.WebView2/EBWebView/Default/Cache/Cache_Data/index
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
ZoraraUI.exe.WebView2/EBWebView/Crashpad/settings.dat
-
Size
280B
-
MD5
9d5f8caa5eda8d19c034e6a2cec20330
-
SHA1
baa86494a4214f42e516d12b83c3a84762e55775
-
SHA256
3b9d63bf80317c1b210ac199e609b345f5442666bfcb624b6aa8bf37e84cd6f4
-
SHA512
01e26fd31833b488225c061d4297d04501479f5ace8e6978fabd9850963661d828a3f85a8b4b0db4e09fbc01ba28eef33c7291792f6f1491dc033bf7bb648301
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\dat_auto_file\shell\open\command OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\dat_auto_file OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.dat OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.dat\ = "dat_auto_file" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\dat_auto_file\shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\dat_auto_file\shell\open OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\dat_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\dat_auto_file\shell\edit OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\dat_auto_file\shell\edit\command OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\dat_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2672 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1404 OpenWith.exe -
Suspicious use of SetWindowsHookEx 35 IoCs
pid Process 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe 1404 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1404 wrote to memory of 2672 1404 OpenWith.exe 93 PID 1404 wrote to memory of 2672 1404 OpenWith.exe 93
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\ZoraraUI.exe.WebView2\EBWebView\Crashpad\settings.dat1⤵
- Modifies registry class
PID:4024
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ZoraraUI.exe.WebView2\EBWebView\Crashpad\settings.dat2⤵
- Opens file in notepad (likely ransom note)
PID:2672
-