f3aa2b23a67f4dbcce9fff7bb084e70127e3e0c4f2ab0f605487c570a7408960

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe
Size

6.3MB
MD5

0e4a9a7f552ee8b6f3b47b82e70df7ff
SHA1

8a90ff94fd3be60c05ad054bde587cf10673bab1
SHA256

6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05
SHA512

ea9cf61d684f6903bbdd15c5e15a5b8f2ee9271cf8f1dfc993f6d276f7e9167b076dcaca46b265eadfc0575e650b76442b665998ba41556c76d9579946c39621
SSDEEP

98304:J10zXFg9bxfI3oZvBNHf72B6Rwxk7WN3Oo7Yb0QjY2ye8i2ylpPxh:kzXS9RI3cNHaB6X7S7bwHydev

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2668	ZoraraB.exe
2320	7281074781.exe
2624	ZoraraB.exe

Loads dropped DLL 4 IoCs

pid	Process
1740	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe
2964	Process not Found
2668	ZoraraB.exe
2624	ZoraraB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7281074781.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2668	1740	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe	31
PID 1740 wrote to memory of 2668	1740	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe	31
PID 1740 wrote to memory of 2668	1740	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe	31
PID 1740 wrote to memory of 2320	1740	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe	33
PID 1740 wrote to memory of 2320	1740	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe	33
PID 1740 wrote to memory of 2320	1740	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe	33
PID 1740 wrote to memory of 2320	1740	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe	33
PID 2668 wrote to memory of 2624	2668	ZoraraB.exe	34
PID 2668 wrote to memory of 2624	2668	ZoraraB.exe	34
PID 2668 wrote to memory of 2624	2668	ZoraraB.exe	34

C:\Users\Admin\AppData\Local\Temp\6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe
"C:\Users\Admin\AppData\Local\Temp\6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\ZoraraB.exe
  "C:\Users\Admin\AppData\Local\Temp\ZoraraB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\onefile_2668_133870980753158000\ZoraraB.exe
    C:\Users\Admin\AppData\Local\Temp\ZoraraB.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2624
- C:\Users\Admin\AppData\Local\Temp\7281074781.exe
  "C:\Users\Admin\AppData\Local\Temp\7281074781.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7281074781.exe

Filesize
68KB

MD5
674ef5ff59091fe0c6b97660a118df3f

SHA1
cfa1b9f7389d24b097c30cb6d08628a2b2c3a4e4

SHA256
458737d49b9ef981e035cbdee6dbe81b143a9134b628af901b59caf2fbb82054

SHA512
5f16f074d649e2ab35a1980660ff65a47b202f2e35ae24286fe4b23a538c6eac947cbcc3eadeab010d3094b510b389cbaf3c8241c09e7f418af20528fb4dde12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZoraraB.exe

Filesize
6.4MB

MD5
884c97680495567e6bca7be899567062

SHA1
7e7026f24fb04ae6830391e1c9ac702df4213199

SHA256
f518d247cc80f0b26dc462c3d31fe5533701429310386c9f1f27ec7eb54afe97

SHA512
ce5b9775ff85905563a3bbefa307ec8de7c02b38fedb09a8c68f428f67df75b7228a16a178637d0b87372096c96ca70fefeeb4ba74f85f641ce5f240973fa3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2668_133870980753158000\ZoraraB.exe

Filesize
7.8MB

MD5
a5dd2c9b93007d30e8f0df8e81d2d5c8

SHA1
3910e827e31ca413b4842d7643e0cca2a973dbcb

SHA256
b6c23eb719766ee1df6b2438b90751a24c105dc67fa3168f4b97c131c528b7f6

SHA512
9f62ccb3c308f401e9d5fd4c767694a1240902d31e8bd048298133ee28bf034ed76e79b4872a109b448b201f593041afd702881e3a6d67e94ebca31360a16c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2668_133870980753158000\python39.dll

Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
memory/1740-0-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

Filesize
4KB

Download
memory/1740-1-0x0000000000950000-0x0000000000FA4000-memory.dmp

Filesize
6.3MB

Download
memory/1740-8-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-14-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2320-63-0x0000000000A70000-0x0000000000A8F000-memory.dmp

Filesize
124KB

Download
memory/2320-64-0x0000000000A70000-0x0000000000A8F000-memory.dmp

Filesize
124KB

Download