42b20fdce052f2a7d95df1bd8f344dec26d0caea679289bce70b80e1e2190d6c

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f011cab6fe29c299d6e45fc128e9bd6.exe
Size

104KB
MD5

3f011cab6fe29c299d6e45fc128e9bd6
SHA1

86b2cae2ddac6744a030b7a91e6743c27b07b439
SHA256

42b20fdce052f2a7d95df1bd8f344dec26d0caea679289bce70b80e1e2190d6c
SHA512

aefa1f3bdd5d92f158cdd076ae5b639b5906484ab76beed73a4ae44baf89951fbaf571fb4ae9a6fe22aa937e3202490eb15c6b235bb2ae8838027c5d06b3d991
SSDEEP

3072:I15T3Ncy/RpISCs2EWFrphy2G5mZ5E+HIbZoutlO:I15T9cy/RpIvuWXhy2v5abZoSlO

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	3f011cab6fe29c299d6e45fc128e9bd6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2804-0-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/2804-41-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/3588-42-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/2804-69-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Zona\utils.jar	3f011cab6fe29c299d6e45fc128e9bd6.exe
File created	C:\Program Files (x86)\Zona\License_ru.rtf	3f011cab6fe29c299d6e45fc128e9bd6.exe
File created	C:\Program Files (x86)\Zona\License_uk.rtf	3f011cab6fe29c299d6e45fc128e9bd6.exe
File created	C:\Program Files (x86)\Zona\License_en.rtf	3f011cab6fe29c299d6e45fc128e9bd6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 3588	2804	3f011cab6fe29c299d6e45fc128e9bd6.exe	90
PID 2804 wrote to memory of 3588	2804	3f011cab6fe29c299d6e45fc128e9bd6.exe	90
PID 2804 wrote to memory of 3588	2804	3f011cab6fe29c299d6e45fc128e9bd6.exe	90
PID 2804 wrote to memory of 1796	2804	3f011cab6fe29c299d6e45fc128e9bd6.exe	95
PID 2804 wrote to memory of 1796	2804	3f011cab6fe29c299d6e45fc128e9bd6.exe	95
PID 2804 wrote to memory of 1796	2804	3f011cab6fe29c299d6e45fc128e9bd6.exe	95

C:\Users\Admin\AppData\Local\Temp\3f011cab6fe29c299d6e45fc128e9bd6.exe
"C:\Users\Admin\AppData\Local\Temp\3f011cab6fe29c299d6e45fc128e9bd6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\3f011cab6fe29c299d6e45fc128e9bd6.exe
  "C:\Users\Admin\AppData\Local\Temp\3f011cab6fe29c299d6e45fc128e9bd6.exe" /asService
  2⤵
  - Drops file in Program Files directory
  PID:3588
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
1KB

MD5
c9c71f80f4c61e8109a9afde0fce197b

SHA1
ea9e9345e387606579ba11a3da7c4f71dbb462a2

SHA256
ed7fa5ed7aa6e1742703d17fd7070417a929ffad80fcf0f040fb2338283a9576

SHA512
c8d7ce58803eabc5a8d9baedffef51afc0f4868cb8874debfce89bd7f6329655fb5b2e191dbca793d2311207b16e5c0a13aa0780288911c322f44773cf15b388

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
1KB

MD5
3905abefb79a454ea4af7828809e9a94

SHA1
b49aa6987d3f988dc1f3bac262d308c5495d7c0f

SHA256
84bd613a3b1211ee43025b040f73972b163c0a638180faacac8dc238e50319b7

SHA512
816e59b5fb9734aea3e1780cdd25ffea2e30af201bcff35ef2e2b48b20025e0431e4b27894cdf677bddd8e33f205df21e8f73c7816fb524a20dac094cdccbd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\init.xml

Filesize
214B

MD5
758b075a09774272c72ec87da581a2f0

SHA1
4f195274d115b4ad33702ececf0bcbd5211a0633

SHA256
694ea318a3b3a052c17800dc2ed45641638bb0bec3d026b263a07d6d0a27bcf7

SHA512
120e9dc1dd00dcb4091897b1d0626362709e79ea1ce2ec61d2b9c4d7cea31c92f3fa79ff76e2c107c9352d892f879d68c5da2e8c48f6f616ef28b714b8ebb557

Download Submit
memory/2804-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2804-41-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2804-69-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3588-42-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download