Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09/11/2024, 21:03

General

  • Target

    Zorara.zip

  • Size

    16.5MB

  • MD5

    4973d273fcbbdbd2fc55a6a88446870b

  • SHA1

    dae039628972670c02a44ee78f096f7e7d8eff36

  • SHA256

    4bafb0b0d4e309b3402fdd68ebbb385ce111798566b658de5c4542205661ca00

  • SHA512

    b8b2e63c0bb0fad671e2291cb55cb82b3dc93c0c57824a1dc8b0635b461daa7a1f001f27ce2229e40223367ed5028cc43c9400b0a6378f5e167ffa9ead59ce81

  • SSDEEP

    393216:M+Fw1giC8hSm/SiCBQE+Xdyy+eICj9syG5aCvVH:Hw1gifSmaiCKdyRLO0H

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Zorara.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4384
    • C:\Users\Admin\AppData\Local\Temp\7zO02128738\ZoraraUI.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02128738\ZoraraUI.exe"
      2⤵
      • Executes dropped EXE
      PID:3128
    • C:\Users\Admin\AppData\Local\Temp\7zO021E6D48\ZoraraUI.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO021E6D48\ZoraraUI.exe"
      2⤵
      • Executes dropped EXE
      PID:568
    • C:\Users\Admin\AppData\Local\Temp\7zO021FC358\ZoraraUI.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO021FC358\ZoraraUI.exe"
      2⤵
      • Executes dropped EXE
      PID:4368
    • C:\Users\Admin\AppData\Local\Temp\7zO02189E29\ZoraraUI.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02189E29\ZoraraUI.exe"
      2⤵
      • Executes dropped EXE
      PID:1408
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:3328
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4960
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2512

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\811737ac-1172-486f-b007-f644d053488d.down_data

    Filesize

    555KB

    MD5

    5683c0028832cae4ef93ca39c8ac5029

    SHA1

    248755e4e1db552e0b6f8651b04ca6d1b31a86fb

    SHA256

    855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

    SHA512

    aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

    MD5

    ad7a569bafd3a938fe348f531b8ef332

    SHA1

    7fdd2f52d07640047bb62e0f3d3c946ddd85c227

    SHA256

    f0e06109256d5577e9f62db2c398974c5002bd6d08892f20517760601b705309

    SHA512

    b762bae338690082d817b3008144926498a1bd2d6d99be33e513c43515808f9a3184bd10254e5c6a1ff90a9211653f066050249030ad9fe0460ec88335b3d423

  • C:\Users\Admin\AppData\Local\Temp\7zO02128738\ZoraraUI.exe

    Filesize

    254KB

    MD5

    aeb703ddf25377135af6e4675793a1c9

    SHA1

    e9f43283ba04a9c30d045ca064d2935d053114ba

    SHA256

    6b9da80d8877b04e5aa3a04790d3cbed8cf47cad2871997755f198ba674aa026

    SHA512

    191de5176cf7efbc0a8cf1b0f79c49754874ce48d7415615d484e9c7ba26d3184580309afd013cc437b239885f2c2a758846e27bec2d59a542a9647bcd7cd739