Analysis
max time kernel: 165s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 11:51
Behavioral task: behavioral1
Sample: 1c22d18339f7472d8d1850f4c219e6e6.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 1c22d18339f7472d8d1850f4c219e6e6.exe
Resource: win10v2004-20231215-en
General
Target: 1c22d18339f7472d8d1850f4c219e6e6.exe
Size: 227KB
MD5: 1c22d18339f7472d8d1850f4c219e6e6
SHA1: a3fc89bac4e4c61395a18452f610fb727b00810f
SHA256: 1583f826540819b2b44e947ba50f55a453ba8e8593d713c123b147a64c5e0f56
SHA512: 3cfe8029bd3b5aa007285b81472ae7030da6bc0f5a675df742dca69bbd7f3004737b15217b323bc27b8df5df2f21ef316133232deea7e2cc5f6f60426811f053
SSDEEP: 6144:Od/oKyhlMI4s9hs9gqt8sHE8Ywe3Mox+pqoSSV11:OJhlsnstn+LroSSl
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                    Process
  Key value queried   \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation   1c22d18339f7472d8d1850f4c219e6e6.exe

  resource                                                                       yara_rule
  behavioral2/memory/2712-0-0x00000000004F0000-0x000000000058E000-memory.dmp    upx
  behavioral2/memory/2712-14-0x00000000004F0000-0x000000000058E000-memory.dmp   upx
  behavioral2/memory/2712-98-0x00000000004F0000-0x000000000058E000-memory.dmp   upx
  behavioral2/memory/2712-99-0x00000000004F0000-0x000000000058E000-memory.dmp   upx
  behavioral2/memory/3572-103-0x00000000004F0000-0x000000000058E000-memory.dmp  upx

Drops file in Program Files directory (4 IoCs)
  description    ioc                                 Process
  File created   C:\PROGRA~2\Zona\utils.jar          1c22d18339f7472d8d1850f4c219e6e6.exe
  File created   C:\PROGRA~2\Zona\License_ru.rtf     1c22d18339f7472d8d1850f4c219e6e6.exe
  File created   C:\PROGRA~2\Zona\License_uk.rtf     1c22d18339f7472d8d1850f4c219e6e6.exe
  File created   C:\PROGRA~2\Zona\License_en.rtf     1c22d18339f7472d8d1850f4c219e6e6.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid    Process                                 procid_target
  PID 2712 wrote to memory of 4044   2712   1c22d18339f7472d8d1850f4c219e6e6.exe   92
  PID 2712 wrote to memory of 4044   2712   1c22d18339f7472d8d1850f4c219e6e6.exe   92
  PID 2712 wrote to memory of 4044   2712   1c22d18339f7472d8d1850f4c219e6e6.exe   92
  PID 2712 wrote to memory of 3572   2712   1c22d18339f7472d8d1850f4c219e6e6.exe   96
  PID 2712 wrote to memory of 3572   2712   1c22d18339f7472d8d1850f4c219e6e6.exe   96
  PID 2712 wrote to memory of 3572   2712   1c22d18339f7472d8d1850f4c219e6e6.exe   96
Processes
C:\Users\Admin\AppData\Local\Temp\1c22d18339f7472d8d1850f4c219e6e6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c22d18339f7472d8d1850f4c219e6e6.exe"
  PID: 2712
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cscript.exe
      Command line: cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
      PID: 4044

    C:\Users\Admin\AppData\Local\Temp\1c22d18339f7472d8d1850f4c219e6e6.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1c22d18339f7472d8d1850f4c219e6e6.exe" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
      PID: 3572
      - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Downloads