245fd3e7b1ed14b2c4f080fa2fb810c1765c45fe7b4303ab4ab7b01297a1f12d

Analysis

max time kernel
141s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1398fb28b681af9e33d811fc71378e0b.exe
Size

227KB
MD5

1398fb28b681af9e33d811fc71378e0b
SHA1

e4a63204e5785df530d1d523ddf0dc36bf01f0d8
SHA256

245fd3e7b1ed14b2c4f080fa2fb810c1765c45fe7b4303ab4ab7b01297a1f12d
SHA512

8864dfb1a26037190c5194a2615db29f54628989c5f2c462f5c9ef0e4343dade19281fe05eee38ca7cabea40d5e2d036bdce85bad72fea5c0d1fa7b520a44879
SSDEEP

6144:BifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRVmo:8fk6kDqHw2hmxlrz2HoSRJ

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	1398fb28b681af9e33d811fc71378e0b.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4488-0-0x0000000000020000-0x00000000000BE000-memory.dmp	upx
behavioral2/memory/4304-41-0x0000000000020000-0x00000000000BE000-memory.dmp	upx
behavioral2/memory/4304-174-0x0000000000020000-0x00000000000BE000-memory.dmp	upx
behavioral2/memory/4488-173-0x0000000000020000-0x00000000000BE000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\License_uk.rtf	1398FB~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	1398FB~1.EXE
File created	C:\PROGRA~2\Zona\utils.jar	1398FB~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	1398FB~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 548	4488	1398fb28b681af9e33d811fc71378e0b.exe	21
PID 4488 wrote to memory of 548	4488	1398fb28b681af9e33d811fc71378e0b.exe	21
PID 4488 wrote to memory of 548	4488	1398fb28b681af9e33d811fc71378e0b.exe	21
PID 4488 wrote to memory of 4304	4488	1398fb28b681af9e33d811fc71378e0b.exe	44
PID 4488 wrote to memory of 4304	4488	1398fb28b681af9e33d811fc71378e0b.exe	44
PID 4488 wrote to memory of 4304	4488	1398fb28b681af9e33d811fc71378e0b.exe	44

C:\Users\Admin\AppData\Local\Temp\1398fb28b681af9e33d811fc71378e0b.exe
"C:\Users\Admin\AppData\Local\Temp\1398fb28b681af9e33d811fc71378e0b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:548
- C:\Users\Admin\AppData\Local\Temp\1398FB~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\1398FB~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
75b31372c6f62c5df975f1820907845f

SHA1
4697c172ba8403d623a33622b98777cef6b3c7cb

SHA256
304b0390f2c7a10c6a37abb6326f2b8bb07d9888360594769a68afd8fe459bff

SHA512
3b367b5d65e2128de920781936b472f6c2365158ace7b54792d1e21ac3ff1481937218d7b97762ff44fe183f776e3b56ecff6e4cbe4bcdcf1f42112a82777d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
5dac848ab7d75ed886006f8e86f45316

SHA1
4a6fe7bdc22360b7eb07251d49a53f5b7abd38c6

SHA256
f5f4f6a20b578feef460feb414ffc8c407e1750c1fef3b543c92817d0a4c7e87

SHA512
677d7ac180d55d03a01388ef3d2e44a4657ba773c6ad5dd4bb07d946ab916accd01972fd5d859b0a1828201a9d78dfbc02b703aafb39f340ce2164fb78082737

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
aea692102c7d0c98354a5e134cb49646

SHA1
1f4182cc25a33bf1a698b6d4581eb4e53107f224

SHA256
2d5fdb3df24b760d6b60da81f25b5653bed762be7044ccd28e4155704feb9629

SHA512
10fd72e8f570e372af52cc94813da574ef79a644c2cc15cdd09675a286985149ae7893008caeed1461c2860b3b351943598b35d605b476fb78498ece2b5eb85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
eeef586627049f8686662115e3babdc9

SHA1
d40fbd984ec9d70c380bc2ddc3bbc03b8fc44ab5

SHA256
8007d5a6263755f71e871b50f9466c4a4d65a1f60d850464cda4c55e20248027

SHA512
218df68771dca4746a02c6bd1e6b721819439be57e555d5f3587550aea9262234601083e28bcc4dc093419371fb10a6e8df3486ed0a3160fadcb20860caa407f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
7a50e423dfa0f35a7917a317e134e9b3

SHA1
bb249a02cf64ed5c4d6bf8aa2b1b10dd90d62f05

SHA256
851d8530faaf4ae991bb461e53a8b20b5400c736df18e2a96ce25f83f2d486f6

SHA512
45f8e7bba20eddb24127b4658f2144fe647be156ba3ed75b26f613df51f6d08e4b9bfaafc370abcb0975a0e6b0d9564bd55af9db2cb1d2bd4555a436a3f9ba42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
c5ee06b9183f995cd9799a40e97cb153

SHA1
e02e52056d791c1684a5caac606ab4d275cea7eb

SHA256
efd1be2adbe4368cb9770d5db1c59c2c866a3f17ded854e3f7e07bf17e9b1dab

SHA512
8003fce42a3449d2b857877b3df375be38bfce84cc91000eef96720095d597fb816f1f7cb38e110a16eb5f4714abdafe2059963cb9a13614e119893c8654e310

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
1KB

MD5
925d07cf4a7eb321cd1532f59d5d444d

SHA1
56574dbf0f19515d9adeac395e4a4954d8984d09

SHA256
56c723aa4111a57fa5d2c1b7d7b9040869363bd4a7fcfac65e5d30eaae7b7c12

SHA512
6c143602d620f8c60d9b2fb3b450848ba0f0668b07587ac67487a357783522bc6b02fa7b69a34c702234ef6fe9475cd7386dd4d275f266415c3fa904e20bf043

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
f69efd4b5c1ac0ef859efa8a8ee29a8a

SHA1
c6bc9433a80d3f2b21e453714aebbb07398aa6fa

SHA256
e1156f590e457593147609cd873987174b0d5dd5e850023769998e16af4ca7d7

SHA512
35fd802c24af2c096779c371cd537c547169a503b29676c573c874df09d0026d71ea8d0700b2b7fa7ad4d4121e54752cf7a19ece7f484ab7097314f0949a1a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
f04cae11a56e23ad5317c956ed71db70

SHA1
90828ca3b9014be45c01e169f8dab432db7f9f16

SHA256
cc184f0d84a060624acb4d95af108bf684d5f7b3a6a4d6afab35ee5c52bcd3e8

SHA512
54024697e833987cc6cd9cdb6c906a0ecbddb34457e566c7eb36968ff93ff9d93046be4dbac5d2a6f3338f4d84762d9820d4b33e8bdf6ceb154e24f0812c23a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
9381c49dc5139226b7da619003f18fa8

SHA1
fb4e5aeba1d08ec4297ab1e8b5a137cf0b6bb95f

SHA256
575a11e3e7f9ce407d44d12044ce1d8e8a0b9af79dd903982c8a1611a49efb3d

SHA512
da04dcf7b6bd8ecb061acd7c0f2ecbb7b7aa17e4a0c3b51ce2a4eb5da9cd173dd3aee66ab7c5481dcfe1dd985318c4ee6fc1d1da9d04641a6e58acada2015c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
8adca6a8ae77805a75190e99cb2e871d

SHA1
7a0c066eab3a2075107486149c2caf5038363626

SHA256
5963625ea22646abd756a288ed5e772bd04800a3cf327b55c74f098570c114f7

SHA512
2d8ae86ea12ebda08c278880fa6eef8bb846eb0f6d6739541037a4a9a709e5ce70c529a9aed1d330455863de899cbe65e20a239240cabbe31f7a3e0123d1bfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
37c859b04786453aa630e287bd5325e8

SHA1
9dce39a633dd9ea2f2a7d96d09757101dff9ee8d

SHA256
b5f586c45757f1822e704e353ced122027f7b99046b393a077f7c4e5c9b41d14

SHA512
db8f14cf9d502d761a04b554deaae6025aa03fd227a1315317900e9fe0c0b0d9ff436260286a8e168f47465748808b53a6a7d1f12631fd4e458d998646601674

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
9cdf5ef22686f5de3820b835b7ad1ba3

SHA1
96b3c70d35d738c34f6cbd0560e23974c20cc66d

SHA256
34e4d2d897dc8f19b00efc5dc07658e11d4560fa4086eefb291f0697a2011530

SHA512
3bab376bc5498f9106686b6ab888f06b92e4dbca8a5004a4290d1da419c497ff842dd137ac88e4779f9f6b2f4f4285c6e71a5f293f6587e90f7d4eb6ebe5c81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133479475318754713javaSetup.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/4304-174-0x0000000000020000-0x00000000000BE000-memory.dmp

Filesize
632KB

Download
memory/4304-41-0x0000000000020000-0x00000000000BE000-memory.dmp

Filesize
632KB

Download
memory/4488-0-0x0000000000020000-0x00000000000BE000-memory.dmp

Filesize
632KB

Download
memory/4488-173-0x0000000000020000-0x00000000000BE000-memory.dmp

Filesize
632KB

Download