2818fc8ec4e02a4db34dea39348baa20a1e01cb6f29013ee993596ecb452fa74

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 15:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

03773f3a02ddaf0236cbb189f0f58f2c.exe
Size

227KB
MD5

03773f3a02ddaf0236cbb189f0f58f2c
SHA1

dc8744101ac3ab1a50bbe7490d56f44b70c80281
SHA256

2818fc8ec4e02a4db34dea39348baa20a1e01cb6f29013ee993596ecb452fa74
SHA512

73f0fc2b1b6e75d83662e88cf8df7389f51b037f458bdb7a2c1d132db812da73f85b7d302b08ae1bfa464ee2343867c9ad94f4e380f5b5f099f74863e02b7ac0
SSDEEP

6144:yifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRVNc/:lfk6kDqHw2hmxlrz2HoSR8/

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	03773f3a02ddaf0236cbb189f0f58f2c.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4508-0-0x0000000000910000-0x00000000009AE000-memory.dmp	upx
behavioral2/memory/4508-159-0x0000000000910000-0x00000000009AE000-memory.dmp	upx
behavioral2/memory/608-164-0x0000000000910000-0x00000000009AE000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\License_en.rtf	03773F~1.EXE
File created	C:\PROGRA~2\Zona\utils.jar	03773F~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	03773F~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	03773F~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3984	4508	03773f3a02ddaf0236cbb189f0f58f2c.exe	22
PID 4508 wrote to memory of 3984	4508	03773f3a02ddaf0236cbb189f0f58f2c.exe	22
PID 4508 wrote to memory of 3984	4508	03773f3a02ddaf0236cbb189f0f58f2c.exe	22
PID 4508 wrote to memory of 608	4508	03773f3a02ddaf0236cbb189f0f58f2c.exe	57
PID 4508 wrote to memory of 608	4508	03773f3a02ddaf0236cbb189f0f58f2c.exe	57
PID 4508 wrote to memory of 608	4508	03773f3a02ddaf0236cbb189f0f58f2c.exe	57

C:\Users\Admin\AppData\Local\Temp\03773f3a02ddaf0236cbb189f0f58f2c.exe
"C:\Users\Admin\AppData\Local\Temp\03773f3a02ddaf0236cbb189f0f58f2c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:3984
- C:\Users\Admin\AppData\Local\Temp\03773F~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\03773F~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
084730a204d3c606ab4e5b18bd8f5b45

SHA1
310a27d0f513a161648d62d84fb8ba9805031739

SHA256
dbc1d7552e900ceddffd2073ca76e4e436811a902a553f08c36759c299b08ed4

SHA512
72376814b73676eb3bdb74d7fb4371c79975d570ff2be98b4168352b6597b8d5e9c5a5a04ba961ecd32a8d7d6a576671251019d5592c3070752d3c3c6037d177

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
c199219a346ad915bfd802a2adb7bffc

SHA1
ce2515a8b87e2fe785b005056b95ff16a7c134be

SHA256
c9a7a54fae8444c3f3a746ee69c045db2d12dcd794e6c815805a3698c116cc02

SHA512
6a7ec6e0c5ce21fc0f4d6ad41d16e06186fdd2b79f1fb680c1870a79f299b3e9406fd2a45369da2398c080ad36492151b0b54f1625fddfa0d7690fd453aca150

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
06749c959594462f111ffb81f52ff5fc

SHA1
28b1403e150c5cc68983097416a485524a69208e

SHA256
246a7120eb0bb0922743eab38e1a7a71c6afea5a85e3c2c59977f48e6d519e3e

SHA512
ae6b935f9b20994f1b5e5b633aa0620bcf9f099bb99a8e050c1966478f9a2eebace157be157556821b7677972a430f0eb23c878b0f0c885d3da290a43a7d1e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
72ce1a51cdc2934dabb9694251c1e530

SHA1
21738249d79d86cca8cb15c252089db948352a82

SHA256
f7fe868080e56fbd5679f86e2edb6e60e0ca6f25f22be4c9449e0a1bddf37d35

SHA512
a183de54bbc5d6df207f5d9ebbab1ca2cd855b183a0ca2bea12992c52bb75cd232118ce2c607d6f6b9f0a5481d70a45b3fd0a0b26bbf359fd8b5f8c49c6d3c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
38a31ef0fcc0d0dab9cb56dceabb9211

SHA1
1b81ea583133d63c560d437bfa9a5d02e78e5b56

SHA256
d6d4c449ba9169a49757a26c62b457d7d763c9660e73a4e7b2f27eeaa8c6d821

SHA512
d0bf1ebcf31934bedc3c577967a88ad2fbd4ad59c4562f8f36d2300df5d759322c1fd75b9e005a7963efc96ec43767e2be99dcf3b0642349c20a6c6ce966b5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
f9c4f75b445cbf523625c6b3cbfbd743

SHA1
0b4b0d83f2e2ab33ada7e65a77027d0a8272cf3f

SHA256
055e451bdf337bd5a97a2f72626762caf4398f4114c9f67aebd5fc66302ca66f

SHA512
7a04e9bec8c7dc2eab8b8d7299682e8144c73753831845935e8bc960eb20957fb59bd5cbfecb6eea1967de8036a2cb563f44d9c4bc6ca2862b6e1faf8f645ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
cd1c4104c986f5ee667b8abcbc0292e7

SHA1
5976b2a16c8f306bc17dde7fefad2f5819bc3434

SHA256
c4ab481302f026c96f1dea62af6be863bc503293ae6d4c38c28f4858f9966626

SHA512
7dc4bd59eb329f3178c7b2a446182f87db48c78ea70a48b4eb24491074e926ddd94adf0a9959e104ad5f61c345dc8a3bc38fae25176142f44ab6de7ca04fa004

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
75d32194b1ee1be4bb007447bd440e88

SHA1
07a682a60ebbb8db7ed98add728c327dee93de23

SHA256
7bd3dcc6b258b3747e45965ca6111dab98ab9413793b9ea89c5c70486ad9267b

SHA512
ae7255c36d5736973f43ea649c2af5a4e368aae96adeb43c87f990a2b7dcfa0dcecb9e2e5cd209b3d6531dc603d78820c4902ed8ffc65bae4340942546b673fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
b176bc677fa940aaa7531557280482b4

SHA1
e7f8f0883626b9352857917c3098beab3a4377bb

SHA256
1f5ca3ce0c94cce8734697fadc01154d1232b9a24f3f2fea449d6c0c8cd8d5a2

SHA512
7caa9faa866e7c7c2e133dc10ee055a3c9531e35f7a918d19668aed6ab605e5819f5e71af0802ccf2187d567a53e9eeda1199ba2af5e811bc2cdfc56d6cbac92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
7b3b0727a4911fed1a1be588359ecae9

SHA1
9783886252ffc10cdf93a379077de809d3122a1b

SHA256
9593171c20fd4efa90a42f8b65fce7a13aa527ca4eeaf331377456849ee9cb0e

SHA512
d3bbc9358c41040b48a68656cc31035c8a71b459e20a27aa2e5da8f2df2065e9857dcf89833f433c25bec67267daec3bdb50a784b70f093b47c530e77096fca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
48ea484ffc385e41fd5399a368695d75

SHA1
8c05d782cf84b2b5730e2fae548abbfaacbbe6fd

SHA256
e0f2053bb406be7c9a7d7c6bad5014a657d49a31b707b56b12ade51cf4cdcd10

SHA512
12ca6d595d40145c119522be43b58bf035f5cc7a1681975598d1abf06d6b2c88865c0d78e27f201e62a152dee705f8499d79079b95281e7470225a4e93ea3bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
7ed336229a49ab31822d6246911f8f39

SHA1
67613f61ac64e9b69ccda347190e5e506de9d81c

SHA256
4e92a8b612ae93338346149b58138faea90801b34d34acca67c0e5b8322658c6

SHA512
2a336ad95fd210c644df1dec991ead59f08b794918144010c3661d076a5333ef9f9fd3b7971c43e08f21be96552dfdc2abbefc291de0c84ab0bb3942d23f717c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
db41c31214d0f0e7cf889d3edf60c2c3

SHA1
e2d3c0a269ebfa9c932ba5e18ef4a11dd26f2c33

SHA256
38b59980ec83e7a463e51ce133e128469410c5b3d835db5f27ce866c4041b25d

SHA512
47e2fc69829a304a88bdf6ddb699032f52533e727f00a5a311501f18f2bbe01c878bc5c297208f1b21bfeeb975b8e9a0e77470ff2ea4831ce68dec82e44c6a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
e25c3b92351b4365ad968b2c796c1640

SHA1
f9fde64f056862d9d9709147898113cd51bb06ff

SHA256
5120154e94f21d4ab82e0d9cf43a12f12253303bec12bc3cfdeb4fe1132261d8

SHA512
ae2ee35744fe42894a562f00d85b761f48dee34682578077d44846c0e98ac68b08f67a920563a0a7946f720290fed5a546cec382e9301d83255475a8ee1448f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133479096660030315javaSetup.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/608-164-0x0000000000910000-0x00000000009AE000-memory.dmp

Filesize
632KB

Download
memory/4508-159-0x0000000000910000-0x00000000009AE000-memory.dmp

Filesize
632KB

Download
memory/4508-0-0x0000000000910000-0x00000000009AE000-memory.dmp

Filesize
632KB

Download