232c571f63f3d5f912d4b826b950090d11df00f85d97393d623bc80552645e49

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14154a5fc3b7019dd3ef06c003d4d7b3.exe
Size

227KB
MD5

14154a5fc3b7019dd3ef06c003d4d7b3
SHA1

92b3749ba47c497055ca5243814d4a05eb5b9dac
SHA256

232c571f63f3d5f912d4b826b950090d11df00f85d97393d623bc80552645e49
SHA512

a0bc1da22ee0be292ba9a47bd5ae7f0374f00d9ee2884de061c08525bc4003361ee5197ca69c851cdce24457ba4ee94477e1fbe0507cfd4ba2fc263a3d1bee3c
SSDEEP

6144:kp4wdZ3t4A6M2kwp+E4tEZw7BkJgSoS3VFd:kp4wj3t9B7wp+1+w7NSoS3t

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	14154a5fc3b7019dd3ef06c003d4d7b3.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2588-0-0x0000000000180000-0x000000000021E000-memory.dmp	upx
behavioral2/memory/2588-105-0x0000000000180000-0x000000000021E000-memory.dmp	upx
behavioral2/memory/2140-112-0x0000000000180000-0x000000000021E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\utils.jar	14154A~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	14154A~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	14154A~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	14154A~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1740	2588	14154a5fc3b7019dd3ef06c003d4d7b3.exe	93
PID 2588 wrote to memory of 1740	2588	14154a5fc3b7019dd3ef06c003d4d7b3.exe	93
PID 2588 wrote to memory of 1740	2588	14154a5fc3b7019dd3ef06c003d4d7b3.exe	93
PID 2588 wrote to memory of 2140	2588	14154a5fc3b7019dd3ef06c003d4d7b3.exe	96
PID 2588 wrote to memory of 2140	2588	14154a5fc3b7019dd3ef06c003d4d7b3.exe	96
PID 2588 wrote to memory of 2140	2588	14154a5fc3b7019dd3ef06c003d4d7b3.exe	96

C:\Users\Admin\AppData\Local\Temp\14154a5fc3b7019dd3ef06c003d4d7b3.exe
"C:\Users\Admin\AppData\Local\Temp\14154a5fc3b7019dd3ef06c003d4d7b3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\14154A~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\14154A~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
72240d64dd50b1136312c16454844575

SHA1
0d9756c4cdd65ba2036c119e0b7fd4053db06d40

SHA256
a8456f207aecb1746f0a89e8d7182d1df673b5e42321192794cffb372fea30e5

SHA512
2b96107b9c80b17c31f07fc0313d81d04ee6932c5d821e343e130023dbe0bf366379e40273cc60bab13d34e4e5558285af61924e38a0ae76c25d3ebb9136ccf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
131f0149694ccdf95ea053eacccbb652

SHA1
b62dd22fc2196a791546acdc37e62e9eda0b70cf

SHA256
0425d8ae3b0898b0d8c6d7057aaea423fc0ccf4b6e83561b9f959ab4e5420b85

SHA512
0c14bd39ef665cf095e6ef3e9b3a79a1fed91c8987a6276c084855a7156cf8a98de7e09cc0f10f9bf8680a2555ac0f87bc2cad9f1117eff4489574b8d52d2c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
04bac92392cc52d2e461b13553b5f5c6

SHA1
afce90b7143c3763bc99137866760071ad8dee59

SHA256
27c6b7d832f6d5fa309517fa07fb7c2c41365880de3928c0622d72b1202f03d4

SHA512
15ae3c0d920ee3aea06e42a8a4453e844b70b5948c7defbf30ec7599645fa0b61467d2f1e90c3977becb95349fee8eb9b2a9493f6754f799f00ea1499d87738d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
b8edc3d1356d8c40b6f9349e00242894

SHA1
eb9638b0680ae74541dad14543305259a1c4dbe9

SHA256
58618f580cd4b970b75d5019c2f044ca07d2e83019b4dce0bea9a00821eac0a0

SHA512
c532894041883567b971e0091a0e0290c2c79a37b0a7d2328fdaf44e1b433ec51d991b16b23cf82f2bd73c83add044a969b9f11240fca5dfacd7cb2249f842ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
9334d434e48d2839547f850a42ad520b

SHA1
68afb5f23ee9229f6bac7b7a64c53a00e60d53ea

SHA256
a52ee4711140b853301d566da2abc23d1eed475ad55f979ee62b64925a6ba83e

SHA512
d47e99f9fe39dadde5f686ccae4f6457bb77e62ed03058fcf1f9b97056a6e7b52c66a493ece69ecd9ab184b3076a95c11db8be6e081ac4f6daca525ab0bd724d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
1KB

MD5
f3e8e6fc9ac2eb4c0ed1f99577350178

SHA1
0ce533930c007ef141bd781dd6a09447bd6192f0

SHA256
94613dde511951c89fb06361fee3638fcb35ef3a8883a6bb99c04871919dc5c5

SHA512
41280940601aeb8904312866e12c9b2ef16625602583083a799eadb5564a3d9a1c859fb91639f1c37b404b128e698fe635f2b4958503e1d431ce7f429fae2426

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
94e23dcb6f3a52c6a7b4ff6871a774e1

SHA1
0efc6725fd763e242b02d72f90faff9ca9bf1d3e

SHA256
fc1cf2dd6772189fe5cc3f817965205403faed744fafe4da202210c5339950f2

SHA512
89ab051a5aebb5e09f296034c09e86ed3829ba666b1f2b51f486bfac0ee169b9381aec41469de4c154e770bd07ddb7dedb45291ed0206b172d92a4a1d212bb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
14KB

MD5
3a1dc490376257bcbc0a74a80af6ebeb

SHA1
15a60c29098f2e817d03f2925a77ff42ce1181d8

SHA256
8594c90baadb6ea845ccee7f8bfa9c0eb3838dcdeaac6d4b26831280b553e1d2

SHA512
0061c094162251f1622d12982d5c04646390442d7f128c87bd079fd1650a5d0b3f224b0d7f28b0e5f70bd45b24382cb02950261bf6df34082d48ead1b654bc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
e7a0ed14764f0108237aec9d57fd6f0f

SHA1
d874c7fcccfdd1d93c0656520af56691c010152b

SHA256
e831a0b8a8adb205982d3d0b637b59c1203abf02a6b20a1b6a2cbf855a0bc68c

SHA512
9c2a6f97eb46a339e62eb49b1d55943e712e770ac84cebf9e25b3670e38d2819507131d0cbc8a40818870180d8f64a10fab45071c5cbbd5f4c344cd1e2d36cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
88642ed86bb57db31b00dfcd01d7607a

SHA1
c09dc8363ecbce09ebfb3941875fde7542a1e372

SHA256
9c595af3714331ca92680b68ba7f8ff457d14b2b32d061c2b13227f2d40fd023

SHA512
4d12538c4b42985daa7441db2caf7419b72b2223709a03cc9a1726af4f3af400367563fd3c6a7689bd2ba86a82e620781afc58b2839e020a3ca85d054842dc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
62189e6fa0aacd34d42adcb08df33624

SHA1
930b9d302823469bc3be1bc1f8376662bed55a30

SHA256
4d585cb47824ca0dd7a272c3ce0c0163f3bfef137c369f87cbfd67808b4dc5f1

SHA512
c49a850c3276b39e55524c22ad760850a71ea9f7fa7a93d041db37ac5a86ea570677e2c5812daf1c7c2b32c6475a78ca06074ce24e89c12b04b7db7172e38323

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
610B

MD5
42cea7a7da96eaaf68e324c7f1e9e548

SHA1
fdc9431131fb2ac6bfdcdfc670cfaaeb027e68fe

SHA256
637a22c4d0481966d3bc0463fd330bb49eb27fc3ac1e2799e180fe11c9942448

SHA512
aef25e422bc6d5a201b1fe9fc6797a9c224a93c37cff941bf8bb2abbf8815409f138ab396af65082c061ad7b51f9dafeeed54c7d7edbf913fa97b5efa0e1d3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
d6feb564e991b12ec658df881f2aefe1

SHA1
2ff5942f59f7ac0f7c482c7f1e1456ec21d62cb5

SHA256
2f3aa7761719f03015281c5b9bf8b15222408ab971e27bb1ae6d0b91300338e6

SHA512
9aad2211cea1d10b26084b7b73b4fbf996bb0ffa0d9831fb25c04219dea8041b7d95c68901580673f662238c58475cf59dbeb4deebbf5ca844931f769d102b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zon782E.tmp

Filesize
12KB

MD5
cdedfa2739174ecbe1d917cccd39a997

SHA1
5692f9c2e13c4218661eb90ddfaec0ced6c15a79

SHA256
f1021db34e41f7a1749672945dd2b77235bd04184376f8ccfff07e613a53685d

SHA512
9ac63c2f46ae781c33ef188a6c2837e452a2d008028eaedd17199748e3c079df45efe4a6ac1e631769b60582d50bf34b993cdcf3607157ec64ab35afedf1570a

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133480096094313473javaSetup.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/2140-112-0x0000000000180000-0x000000000021E000-memory.dmp

Filesize
632KB

Download
memory/2588-105-0x0000000000180000-0x000000000021E000-memory.dmp

Filesize
632KB

Download
memory/2588-0-0x0000000000180000-0x000000000021E000-memory.dmp

Filesize
632KB

Download