2464b2d8679a90b4f7c0cfeb4aaf8a919672e4a940c8f349fa0c1530e8a0fb05

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

187c57ffdb6f77a10519b50cc1f8d582.exe
Size

227KB
MD5

187c57ffdb6f77a10519b50cc1f8d582
SHA1

086f11b56dc0299ab134141d4264b395ef91abd5
SHA256

2464b2d8679a90b4f7c0cfeb4aaf8a919672e4a940c8f349fa0c1530e8a0fb05
SHA512

393219761d49bfd32d143d804787d7205e338243f0d6a38f90d82f40c9040dfa6a432f4b724ec7f8b24380dc4c12e8983acd9a3ebb02b46c05a990f80323f406
SSDEEP

6144:Rp4wdZ3t4A6M2kwp+E4tEZw7BkJgSoS3VZf:Rp4wj3t9B7wp+1+w7NSoS3f

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	187c57ffdb6f77a10519b50cc1f8d582.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4148-0-0x0000000000FE0000-0x000000000107E000-memory.dmp	upx
behavioral2/memory/4148-101-0x0000000000FE0000-0x000000000107E000-memory.dmp	upx
behavioral2/memory/4980-107-0x0000000000FE0000-0x000000000107E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\License_ru.rtf	187C57~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	187C57~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	187C57~1.EXE
File created	C:\PROGRA~2\Zona\utils.jar	187C57~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 2072	4148	187c57ffdb6f77a10519b50cc1f8d582.exe	88
PID 4148 wrote to memory of 2072	4148	187c57ffdb6f77a10519b50cc1f8d582.exe	88
PID 4148 wrote to memory of 2072	4148	187c57ffdb6f77a10519b50cc1f8d582.exe	88
PID 4148 wrote to memory of 4980	4148	187c57ffdb6f77a10519b50cc1f8d582.exe	93
PID 4148 wrote to memory of 4980	4148	187c57ffdb6f77a10519b50cc1f8d582.exe	93
PID 4148 wrote to memory of 4980	4148	187c57ffdb6f77a10519b50cc1f8d582.exe	93

C:\Users\Admin\AppData\Local\Temp\187c57ffdb6f77a10519b50cc1f8d582.exe
"C:\Users\Admin\AppData\Local\Temp\187c57ffdb6f77a10519b50cc1f8d582.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:2072
- C:\Users\Admin\AppData\Local\Temp\187C57~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\187C57~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
d3bf9865943b9300e25738e0233bfa1c

SHA1
f042ad4c43579b9b2b1150208f627656f1e5375b

SHA256
afbbcac91adbf4e1da61a9d5eec37c4d36bfab9b37a9e9bc5459f0b322b4e796

SHA512
434be25267c1df77c5359f47e9bb0ea73f5816db8fe63f9fe78fc2442c3c696917153dad6b10f9492f8e867e5326dc9ad38fe59dd0341b5d354d03f4bc88b2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
aee1e13e3717f927ea8dc071e01e6a98

SHA1
fa8cd928cf449f2c944d595f01754bfe8967cfdd

SHA256
6b9cca3e6d468c1afcd068dcda99c0b1e38e7aa652d0c7a4e5d78d59deb1be7c

SHA512
fb9b5250cace3bf2851723ab1abb24ab024e1ae2dd426be0dd6e3c1bce4d1ae6b446f4582c3d0556a01c4ecb59915bf2bbce1818a374562156a9151821af3b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
a2383d5f00b2e11de8f2d438926d37a2

SHA1
bb1e54375e073164c3913dd4fd24674e9c300a63

SHA256
e28037c1058f384dad4f14eb2ec9edcbee936ab2df1ffb88e578481e8af943e6

SHA512
25a057e532c73da855533f0d77b530d9c3c0fabe504682c26a9de245ce4907ab9a666efba8234d7adf507cfbf131f47107264c80fa8173afd405423f473ca83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
587b585ab87db69265139c9b9eabba19

SHA1
17d99c712c341807c4350ea2a38fdee9bf8e653f

SHA256
9487cd06471665a17d5272fa375aec0192e01446aa9dc65c65c35d2e9c2c11ce

SHA512
668919f7893ceb82507f36adb678d7d642b137000aa92ee2b8bee9f70c972fcb34ad9ad5c45d8e49f6577ee028c0b6dd99857e179f378546000d2c9e5e9a2a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
c641416d30edf792cfcf06d5f5be3a4c

SHA1
49622c9e3068d53880055676408cbb6553da2648

SHA256
a706c988e597998a81a4f2bb2f968940392350361fd6cd568d5d2dd672ddd112

SHA512
a45a4f051e4a34e7c42c23ea83ed7430c7e5e5e327fa519bdd1d4973ae2e5068772ea58f8eed54407771ad36717024a2fee1e074074ffcf0064427e64a2d20bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
14KB

MD5
40c51eca54ae34f72a62df199c994212

SHA1
271ef58c5b8c8d619cccc0158b5b2e1e08e66d39

SHA256
30008837b02b906dcd76068d48e23e3f4b2439c0d752cc8545061c579ced60c3

SHA512
7c9f348eb36cd9b5ed18ee9dd27f4e54c934a2a49c1d4bb0a7996d6b1ebab6d4d9ecc6e81697cef21557ce494a751a2157f64dca2096d0820f34488da36d83eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
17KB

MD5
5279b3c55294bc03a5af90d0cdcc5fc8

SHA1
10f7682b32173e22f6f731ffe02a8e2038569398

SHA256
21c05a9d7802548ded07c16b8e2768df122b9e17abab60adfb48648d497e6f93

SHA512
c4b3cf72a2a315161d94cc4949666a8b9bac99bb8b5451281530563d33c6e017365c2048e26a5223e4287777bdc58594b908c07d47cbe77f01d67962c52c6e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
17KB

MD5
fd34ab73eb185e51714d2eda3c778c8a

SHA1
bc0b2019e4d93d61deed900645b908e86f3c5ac7

SHA256
5d65e8207cd545900ad3c168ae0f3e554172c54810976031a22729419ea265b1

SHA512
66377d26110a6ff41f311689674c0ee64d6b8af61c096c1769c9b944bd0d1b9984100a28a0381b560129622356472e798b2f54e3f0c866e8a7b7a6a8b34c52f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
70a6c2580ec811c95c158ab41f51f533

SHA1
4d096e18fb38f76c472455f50cb9ecaac89948fb

SHA256
3bac2de40da4d06f84c0fd5fb73531aa25e3a7f7bc5de98cc17e07e6ff617718

SHA512
f04522ab04d4f36893b35ad98182eccfef3ab68717601e1ee3af35bf11a7d36dbcfb27b3e2cb7a75279d2ab5514030989a83db97c6de8ce3d73c53d9aadc7566

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
1d321cf62d972eb897c91ab3ed2f3bed

SHA1
e42cd16b269bf7e7d929f7b6c7538f6bd623011d

SHA256
a1c34175b0c4a0323360e638dc57ca11c722f6151fa818aa96e85b348f461086

SHA512
d3a3d1daf56309ff0b44c275b89d1dbce4a208977df9f003561088ce7f94b253b7a59155accf26b7fb8690d3d548cb448361cd4c240debf843c211e796edb1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
8c3fa40248236e0562b15b1585660792

SHA1
3f1c8a4127fabfec99e10e4776cc6c2f36f7f630

SHA256
ffb6bc6a4c72281187ac7ef07576e33a301927162a41701332a1039626d36d60

SHA512
19a54002bcc6ba5637ce9304ea1ff4aa98f3363d5c9760db8ed1786349952aaec4816e2b1f095361e13a17e9a03f0c04ac05ba48371ae0910f6976463a14f341

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
614f0759ed2d48a85774a6b63eb38423

SHA1
400588a323f6f6bc4800407c62f2cbb5137e2dc8

SHA256
31f5a601434f830b9a56e205bc91df6270f879d4dfa3a91bc14df572509bb011

SHA512
5217c106dfa39e402b39a9cff90cce930408e18aae7e6b9b74a2c0d6e6b509fbb52f355234d7b09643c838244ceaa65918c18dfde30c21c2b5ec7c26cc612cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
memory/4148-101-0x0000000000FE0000-0x000000000107E000-memory.dmp

Filesize
632KB

Download
memory/4148-0-0x0000000000FE0000-0x000000000107E000-memory.dmp

Filesize
632KB

Download
memory/4980-107-0x0000000000FE0000-0x000000000107E000-memory.dmp

Filesize
632KB

Download