20d227686e6e4f6e20f2df558d5f51d895ac13e47ed48b5714aa6055e8650fad

Analysis

max time kernel
205s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e8d0734c8fddd6a8062134ffcf75adf.exe
Size

227KB
MD5

0e8d0734c8fddd6a8062134ffcf75adf
SHA1

dfd4fb1e2b8a677e1a9c383dcbd773b088cdd15a
SHA256

20d227686e6e4f6e20f2df558d5f51d895ac13e47ed48b5714aa6055e8650fad
SHA512

9c7d59c3e5147d1c0a9f1889d8e97b47b0e1e41961a463ef64fe97d46db0b2c2e3d185eff4dc3f5baa8442deef56b3b460d99da2271554731986c03fc250a75f
SSDEEP

6144:xp4wdZ3t4A6M2kwp+E4tEZw7BkJgSoS3Vea:xp4wj3t9B7wp+1+w7NSoS3L

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	0e8d0734c8fddd6a8062134ffcf75adf.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2688-0-0x00000000007A0000-0x000000000083E000-memory.dmp	upx
behavioral2/memory/2688-43-0x00000000007A0000-0x000000000083E000-memory.dmp	upx
behavioral2/memory/704-60-0x00000000007A0000-0x000000000083E000-memory.dmp	upx
behavioral2/memory/2688-105-0x00000000007A0000-0x000000000083E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\License_en.rtf	0E8D07~1.EXE
File created	C:\PROGRA~2\Zona\utils.jar	0E8D07~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	0E8D07~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	0E8D07~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 4432	2688	0e8d0734c8fddd6a8062134ffcf75adf.exe	93
PID 2688 wrote to memory of 4432	2688	0e8d0734c8fddd6a8062134ffcf75adf.exe	93
PID 2688 wrote to memory of 4432	2688	0e8d0734c8fddd6a8062134ffcf75adf.exe	93
PID 2688 wrote to memory of 704	2688	0e8d0734c8fddd6a8062134ffcf75adf.exe	95
PID 2688 wrote to memory of 704	2688	0e8d0734c8fddd6a8062134ffcf75adf.exe	95
PID 2688 wrote to memory of 704	2688	0e8d0734c8fddd6a8062134ffcf75adf.exe	95

C:\Users\Admin\AppData\Local\Temp\0e8d0734c8fddd6a8062134ffcf75adf.exe
"C:\Users\Admin\AppData\Local\Temp\0e8d0734c8fddd6a8062134ffcf75adf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:4432
- C:\Users\Admin\AppData\Local\Temp\0E8D07~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\0E8D07~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
652322a7f50b03b04fe52fdfceb54f1c

SHA1
c2ad5a585dc50da19c8aaaf9d5e62b9d239998d0

SHA256
3b080a687e92851057afae1ac7e68814a190d350db56823ebce3e3f97b604072

SHA512
d5364747c5961762e8ae176d13b2eb70428a8ec62f2f4f7cc690c7410dfcc03360588fab7d0f1b34ee56ab9c8dad9381777c69d29c03f6ebdaef872cf10ec310

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
ac0f5ec907a31134ccca37f3b358d8b9

SHA1
a61468ef6afc7962d4c64253d23033f6a6db057b

SHA256
c67312e397f198d301908d44eed083e119dbafd084e626e9e87b14c05f3d9b75

SHA512
3b3c4f791e014d8b208e9e27824053ac1ff2c805479c4de0361e45cdc38f25e4fb7485802d7300a03d653bbee9dea9b804b2e7a990863b949a0adc436f371d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
9b48316a96d2f25abce85aea2cb8894d

SHA1
ca5d25d82a1c8952b2bc5af90ffbb10140739e0a

SHA256
bd736053caab3843c9f85515e1acfde71a177fab4f5395024305ceaf3e099aa1

SHA512
fdab047edbd131c07c0e15c481430216b7fef0ec6f26a18553c4f4dba74e0d1bfa015fef88869a087a94e09bf9aa992da5ee3ea6a57338a2eb1164ed6f801170

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
b87fc83336f6032ecec28785cb85f4cf

SHA1
557014fe33e5afed37999696ffaa4fbdc10c288a

SHA256
d7304838b775650bfad200cef895d75f8557c887d373cf83df4812e412336827

SHA512
cd461c8e6d3c5ed74cbaac2f265a03239d3ddb90299b21411bdc5c1aa2166dd9400d574ba1913b16a7daef2039888db2683ba6cfcd1eb6707b2894596c05a930

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
c9259aeba22acc16496aa5c217dd816c

SHA1
5d557ef83ace7b81ee093b81b2cec9636a5e384f

SHA256
5f3d68e5800aff54334123b9e8cbea02cac7235603906b39785d08c520fd047a

SHA512
803aa137eaaba62f55c0e00a96c2f5d0c6a556dc4ef531fb82f32b502b8f5b57516217bf65f35639d87982786ea6bb0ccb729c79e4dcc57220b81ef165c8ecc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
1f92f4199910009384f61940b482c026

SHA1
296abd3a3785533dabc6b91850c86be0a79b0b6a

SHA256
de4c034e5c61881adaa79ff87ff3b5503089132c3799751c22c65f3275c73b3a

SHA512
9e99fc4b1ce28e3cec244b4decdf8374287a38da1e298da0b21ef1527fa136da8475cad723c36f3b9a1dd6135002a0d9b4aacf3b96295102b60d59c748b1d6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
a4571706fe59f25d3002d9ef7adf2496

SHA1
cee0d7a24fa050fd7234c0cb1fe7f436a975533b

SHA256
14d9e84debe671495f3699831b0a621157c1114e49b7de45e35f2db37977e608

SHA512
5b59b970c88c698bd9b482856b5c77a422695b9ab9078e1358d174ba9fe16f29da1b537d76c9a53d6f3e135c373724478c1bb36ce9b89b7721122e574cb53679

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
6081701aaf99556080962342e3b044fe

SHA1
230406e5111dd48223b4d583b825da6e09c5e75a

SHA256
c95a8c7bf5ddab83afdcba3abe271851296ccfd26c23731c98774006027c8ef9

SHA512
1ec9e746aad9bd54567d8d4da0a1f5b84985e43361b4407d37d5af0f5ad6b0a12da258d49d507afca2a79a43221ae922fd5dc157eb73ad5a4ca6df56018e209b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
cfc17776cd66d45fd02f358519a5d4b7

SHA1
c62bdf300df1e39b3e6755227b41e0565a338f35

SHA256
0f15ddcc109cf8f1e647a0793e7b78547e1b8a4a63ed9b75b600dde568b70f09

SHA512
ef2d79f0e43aa51a4f80f26a578671ff8762ec81d5adfdd35932d02b3657e4b14b327001adadc2274d8249053c6a1664c3de678c9f097b98359525247ca1c537

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
0aa0706bc9f2bc6a9d2cabf79de98228

SHA1
bf0d59f29f2463f946ff9cd806980f44464f7e9c

SHA256
0290f5ff3dbc7a4873285eeeea469ed6daa9f466c991352efe9df3f2b9ff959e

SHA512
254d066680e301d3af9fc7fac88daf52050427c26e90ae86b0ee761c7ab00ffc27c88c50b42ecea01cbce3f41721cc824955acdc7b95b95181e685934cf00a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
018644a5fea898f0b8d3934c53873800

SHA1
6b23a8039bad3b78e87fe1543e2fe48744567f6d

SHA256
f3f40c586ee5b1abea76bb569da870acdcb7c90acdc583aa9b6ef9573a223d5d

SHA512
beb3a29a1f586e7ca8c516705935e61af31f11e32eb7cc97802673f715a0e956b0b3c738985d719f8bfeb66299fa48a6c98b9d6c51351aad654bb3cfee3f59e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
4005534035fad1c20e47a48058c11b03

SHA1
c01c0d8e9db7b40fb998bfc8c4ff48f440a004d9

SHA256
59aa2da696b68e157e51fbdcee54568cf72a3c072ca31e1a37d3330e6338f7d4

SHA512
702219ddd61d38e6530740860d5e6a57a802a0bb64e1001b07a2d9bb6ddfc6ced884fe3e02a90185a4d579bf133e033bf55deb44e624aa051a37c4212e6fcf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
602B

MD5
934e481c1a9205e626a5eb2bd52fef1a

SHA1
286dd887f9780ed4e55f26e220300d62d043776d

SHA256
c8228bdc90e2740a51f4f710f0e552e93d4ad7d038eca13af52e898e92791811

SHA512
c01ffd49e549d78c9e219eb00438567522ba4ca7a80b4f0eecf62fbafee9bb3e92485659a951bd05c90e8636086834b775ef7251f7114f270173e58b8725d7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
6b24dadf986dedda249b3a79db017f07

SHA1
c87dea6b064ae7a876de4621a680d0618f6e0333

SHA256
1e56f7528fa4ce163dbcf1d1b178c3fa3b406b7f152e7de80abd9bbd8694e58e

SHA512
e6c3c96d4c6dd4c14407155b444ce6dd6e32f07d9170663d970352700028b9ce6e56d328976b98cfbd2332c372ea766130f0882004edff1638ca19cc898967bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133481552077090160javaSetup.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/704-60-0x00000000007A0000-0x000000000083E000-memory.dmp

Filesize
632KB

Download
memory/2688-0-0x00000000007A0000-0x000000000083E000-memory.dmp

Filesize
632KB

Download
memory/2688-105-0x00000000007A0000-0x000000000083E000-memory.dmp

Filesize
632KB

Download
memory/2688-43-0x00000000007A0000-0x000000000083E000-memory.dmp

Filesize
632KB

Download