File name:	Zorara.bat
Full analysis:	https://app.any.run/tasks/8e808f89-329a-449a-a8d3-67d4f8d63206
Verdict:	Malicious activity
Analysis date:	September 29, 2024, 13:17:26
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	text/x-msdos-batch
File info:	DOS batch file, ASCII text, with very long lines (5301), with CRLF line terminators
MD5:	17B570A066BA88619EF905131B559ECC
SHA1:	CE3440420DD11CC75ADD03BA905B92EDCF281D1A
SHA256:	A7FBED6192500F710458888C61CB3477A32B9988785001CF36CFB089E968EB55
SSDEEP:	49152:nK8NMkb0IMUx4p5SMfxul5QW63x7B94O/EEUnaqpMKPrZtMIMIGd48KrXV:f


(PID) Process:	(5184) dllhost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(5136) WerFault.exe	Key:	\REGISTRY\A\{7b8616e2-cffd-f37f-de09-387f6875c659}\Root\InventoryApplicationFile
Operation:	write	Name:	WritePermissionsCheck
Value: 1
(PID) Process:	(5136) WerFault.exe	Key:	\REGISTRY\A\{7b8616e2-cffd-f37f-de09-387f6875c659}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5136) WerFault.exe	Key:	\REGISTRY\A\{7b8616e2-cffd-f37f-de09-387f6875c659}\Root\InventoryApplicationFile\powershell.exe\|bdbb2c1d41b249e7
Operation:	write	Name:	ProgramId
Value: 0000f519feec486de87ed73cb92d3cac802400000000
(PID) Process:	(5136) WerFault.exe	Key:	\REGISTRY\A\{7b8616e2-cffd-f37f-de09-387f6875c659}\Root\InventoryApplicationFile\powershell.exe\|bdbb2c1d41b249e7
Operation:	write	Name:	FileId
Value: 0000bc8d22b16e9ab2045c3acfb8ff1c0ce97bd9936a
(PID) Process:	(5136) WerFault.exe	Key:	\REGISTRY\A\{7b8616e2-cffd-f37f-de09-387f6875c659}\Root\InventoryApplicationFile\powershell.exe\|bdbb2c1d41b249e7
Operation:	write	Name:	LowerCaseLongPath
Value: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
(PID) Process:	(5136) WerFault.exe	Key:	\REGISTRY\A\{7b8616e2-cffd-f37f-de09-387f6875c659}\Root\InventoryApplicationFile\powershell.exe\|bdbb2c1d41b249e7
Operation:	write	Name:	LongPathHash
Value: powershell.exe\|bdbb2c1d41b249e7
(PID) Process:	(5136) WerFault.exe	Key:	\REGISTRY\A\{7b8616e2-cffd-f37f-de09-387f6875c659}\Root\InventoryApplicationFile\powershell.exe\|bdbb2c1d41b249e7
Operation:	write	Name:	Name
Value: powershell.exe
(PID) Process:	(5136) WerFault.exe	Key:	\REGISTRY\A\{7b8616e2-cffd-f37f-de09-387f6875c659}\Root\InventoryApplicationFile\powershell.exe\|bdbb2c1d41b249e7
Operation:	write	Name:	OriginalFileName
Value: powershell.exe
(PID) Process:	(5136) WerFault.exe	Key:	\REGISTRY\A\{7b8616e2-cffd-f37f-de09-387f6875c659}\Root\InventoryApplicationFile\powershell.exe\|bdbb2c1d41b249e7
Operation:	write	Name:	Publisher
Value: microsoft corporation

PID	Process	Filename		Type
4560	powershell.exe	C:\Windows\$rbx-onimai2\$rbx-CO2.bat		—
		MD5:—	SHA256:—
5136	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_bd393534-0d5b-4054-a260-8afd97499cca\Report.wer		—
		MD5:—	SHA256:—
3256	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_26db83c0-cd14-46e2-9f55-80755b2dfb28\Report.wer		—
		MD5:—	SHA256:—
6040	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_62e9cdd3-82e3-405a-89ea-65909d030fef\Report.wer		—
		MD5:—	SHA256:—
5136	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER820B.tmp.WERInternalMetadata.xml		xml
		MD5:12A560504F73D88BA1E90DF5B00976E3	SHA256:BF2BE637FAE1606E956CBB1F3A7C33999038B6C04EC1AC815E1AFE9A87DA3DDD
5032	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive		binary
		MD5:8C57CFE20AF62E958973402E44108F27	SHA256:6D611EB44062F33CCA7C36EBDF578F4F3EBE60DA4E8D1AE07CC434EE41379260
7052	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lb5zhgaq.wa4.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2936	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_281f1d31-0096-4c08-80d0-e8d8e971a6f2\Report.wer		—
		MD5:—	SHA256:—
3256	WerFault.exe	C:\Windows\appcompat\Programs\Amcache.hve		binary
		MD5:836A5F3A40DC61D1F72F8A14871E0AAB	SHA256:AB37611B591482CAE98A6EC3A96982716E515147B91CDEAA8E51F534DBE38A72
2352	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yox3bldb.qbn.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2120	MoUsoCoreWorker.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6588	svchost.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6588	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6588	svchost.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6588	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
google.com	216.58.206.78	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
watson.events.data.microsoft.com	20.189.173.21 20.42.65.92 13.89.179.12	whitelisted

General Info

Zorara.bat

17B570A066BA88619EF905131B559ECC

CE3440420DD11CC75ADD03BA905B92EDCF281D1A

A7FBED6192500F710458888C61CB3477A32B9988785001CF36CFB089E968EB55

49152:nK8NMkb0IMUx4p5SMfxul5QW63x7B94O/EEUnaqpMKPrZtMIMIGd48KrXV:f

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Known privilege escalation attack

SUSPICIOUS

Using 'findstr.exe' to search for text patterns in files and output

Cryptography encrypted command line is found

Starts CMD.EXE for commands execution

Uses WMIC.EXE to obtain physical disk drive information

Executing commands from a ".bat" file

Application launched itself

Starts POWERSHELL.EXE for commands execution

Executes application which crashes

Deletes scheduled task without confirmation

Connects to unusual port

INFO

Manual execution by a user

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings