16af201a435b9ba5ae5d3ff1269656fb9123dc5f2d6c86523e27cda74762428e

Analysis

max time kernel
145s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 12:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1edb82d304b2560a3a6e3ab1091cc7a1.exe
Size

227KB
MD5

1edb82d304b2560a3a6e3ab1091cc7a1
SHA1

66e852665c03c8cde840439f74f6532e91ef7368
SHA256

16af201a435b9ba5ae5d3ff1269656fb9123dc5f2d6c86523e27cda74762428e
SHA512

a474d6e889729a0227eabe087c9c48be6c9dcf944c29bfe27acb74fef5fdcf58a430b8cb76432115d9562db7cff77fecd0d5da9a6355263d4316f1dcd16123e2
SSDEEP

6144:SifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRVxh:Ffk6kDqHw2hmxlrz2HoSRZ

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1936-0-0x0000000001330000-0x00000000013CE000-memory.dmp	upx
behavioral1/memory/2568-44-0x0000000001330000-0x00000000013CE000-memory.dmp	upx
behavioral1/memory/1936-100-0x0000000001330000-0x00000000013CE000-memory.dmp	upx
behavioral1/memory/2568-104-0x0000000001330000-0x00000000013CE000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\utils.jar	1EDB82~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	1EDB82~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	1EDB82~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	1EDB82~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2776	1936	1edb82d304b2560a3a6e3ab1091cc7a1.exe	28
PID 1936 wrote to memory of 2776	1936	1edb82d304b2560a3a6e3ab1091cc7a1.exe	28
PID 1936 wrote to memory of 2776	1936	1edb82d304b2560a3a6e3ab1091cc7a1.exe	28
PID 1936 wrote to memory of 2776	1936	1edb82d304b2560a3a6e3ab1091cc7a1.exe	28
PID 1936 wrote to memory of 2568	1936	1edb82d304b2560a3a6e3ab1091cc7a1.exe	31
PID 1936 wrote to memory of 2568	1936	1edb82d304b2560a3a6e3ab1091cc7a1.exe	31
PID 1936 wrote to memory of 2568	1936	1edb82d304b2560a3a6e3ab1091cc7a1.exe	31
PID 1936 wrote to memory of 2568	1936	1edb82d304b2560a3a6e3ab1091cc7a1.exe	31
PID 1936 wrote to memory of 2568	1936	1edb82d304b2560a3a6e3ab1091cc7a1.exe	31
PID 1936 wrote to memory of 2568	1936	1edb82d304b2560a3a6e3ab1091cc7a1.exe	31
PID 1936 wrote to memory of 2568	1936	1edb82d304b2560a3a6e3ab1091cc7a1.exe	31

C:\Users\Admin\AppData\Local\Temp\1edb82d304b2560a3a6e3ab1091cc7a1.exe
"C:\Users\Admin\AppData\Local\Temp\1edb82d304b2560a3a6e3ab1091cc7a1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\1EDB82~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\1EDB82~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
c549229673d6035d2ee6661460e14139

SHA1
bfb95eb08bf2d421d55ff2d0fbe6a5d349e97301

SHA256
d946e36832062c47ca001e1b8b2a512c37de94576fecc0c48ddfba104de068c2

SHA512
5308971dea56958887ee9108dcfcb9c020e4e22d9d50e7bc98e00cc4d451935770c6fce6c8933c197138e5f3ee5955bba4de887d18487c449c9ca648fe931467

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
e666c3dd3c30fcebe75a528a2d2df581

SHA1
b99beb36e19d45c1ed640225a39ae091a0ed7346

SHA256
e13cd29e5d13ca93a8a111b247151d796850e3c4306844802da310903d392299

SHA512
d006c55ae1d569afb72932b3698cf1e24f7217d25ba7db0966cb87152a1bcc609607c8fc16753a8f9e2f09a8f2d104f9c0d15f2ad85af30153334c46d326ae95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
94a286eabb44c730a82a7e7f92f99fe0

SHA1
9dd601955aea984d5603d060df700aac54d2e760

SHA256
1da34da5d6b6d26c1410273651a2f92baf5e6bcdc5a224f7a24f7eb7bd179521

SHA512
d501d43cc68f53083fa420fe5f9a853c446700290e1aea9e2ab981c9b25b85e50160ca7b105ac1d3e271d12cf7684b76f401c8f6d44767cf11159cb53b7135f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
e260672928a1e2c02fe1afef9d665bcf

SHA1
34dda83bba0366dd7ae94cbd67519a0ee8d4099d

SHA256
f612e3f796d5e2bbf1b759b1857f1c84d60bb0404574b049a337aafa3019b35d

SHA512
ea349d9e92659ff91215137ad698ecbe9ee7968af0eebd63a9cef472d00b3fc63b1e99e89d5c1d267f8872adf230e806e11e9a7fab406c3ecb361b9277de3c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
bbdfb7e30e02f79488f751a1ef7aedce

SHA1
3a4745dd0c5e0545e83fedf7e92996fb58cdfcea

SHA256
84b4f9f0c7cfac3616856341dd8fa56af111d15926c8ebc382dd1970e39f1995

SHA512
8aa320d4c4d9e9e2dfb05b53f655f36c990499c1a55dde0eceacfa9f77a7e3deb4b94192875f766e3d1296d8b0ca4e4e56f8df9b44ccdede22122aa6b491d834

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
f175a51ad1bfeb576bdf735751552c38

SHA1
b303ba00b6e5007ebfa6a0013d5a0c8e25634f9c

SHA256
4679bd8c51d5969e2d4aec7a1f3fedf0e51c06eadac5161891139ca5eabd1cf1

SHA512
24d8771deed0dfe49f09a335061c26e8f9ddad881e930023f9594a7ce27e390f8ad36c7a37e1ca8fd46e4c906ad4d774fc75da664aa2faafeec395ee0de9cfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
8ef9cbef668a0171a7e89b47c61755e6

SHA1
8b8882186b2d5a6ea856a5adeb3ca5eae6d3a065

SHA256
c1276fed96e39ffe9f25248a638bd9b76ea37c271382fcf95c069988df98443f

SHA512
27881d20e02329e7234806c01567530adb29399c5bb26acd872b81698f4bd7f781f042c4e093f0958f5be666af6244939cd7ba064b77692513fb48be67140ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
d728259ee61e312d58243afa7cfad09a

SHA1
c2c9f115297e48ee34f3a8b4b404b4c434cec65c

SHA256
a72741d398d3275b51399eee7dc75614e7eff9d09ec3e606eab20a313b0e5909

SHA512
7f4a8b2b751e782a5440659172d1acdd244022acb2697bf40213c69f631a1168312725d25a0c632d2d9aebb908b99e0277dbd02a6f558314032b003a752f5337

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
ba6e68e8764be3ed0fdc9f54d220cbdf

SHA1
01661e7332060b1e098c070cfca55a79dcca4930

SHA256
15451f463ef2ac27fe3004d47dc444637f5f72a3d87399f2b30c091eb7294d60

SHA512
a439486645876ebd650e07093d44e8a4d5c2ff9468a671175076a1ff6fe9ce49620b272973bbff4911092e23d20355fee812738ec4e399b2e374aa487d412f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
5340aa0ab4cbf9c0813b1ecb8023f85e

SHA1
dcc514ba5f4572680f9a71bda32cb668b224f408

SHA256
6c6ac3550ad0428923453723db9ae20775cb54ca4b30fc716145c1a601d2e356

SHA512
54891afcef5ea14bda39af095a624c78047421d2a9183467ab28ddab7b19b4299af3a7cf79f6ef1d155518d00b2d79d69422a53a93a558581d1d5e0836e9c12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
dcdc748c943dc85ba0ed89ba5a60b8a5

SHA1
f2a4f592a2f29261bd0e61d17c98c1466166f4d6

SHA256
2c35764b128b93f254b3151f97881915ffeff25b53e5b905025e879e1badfc8c

SHA512
8a7ab42dfab8bb32db5fb51cbbf5e941147eb4097ceae6171f7ca81652c892a6ab0b4189f3f473580a8bb404daab17838447f65337cb56de4efd500520fc258b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
c78c6f6d3c660589299327fc6d22b1dd

SHA1
73c45127eeed6c4b2d85cfe5d14cf1015bdf65c2

SHA256
90a2c94e80c077740e64ea433b3166c999e6175efb90e60e1cb180375a9429e6

SHA512
8a1df0e4b2afc5dbed04131426be6358ff10cc948c857deede6e871c47b5f4aac7d031afb083d9a6360f9c6ae6b52957d97ea4a75864e6574dd388c9ebb9bdaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
a4f399cac8752f8a4ebf3158dcdce2a4

SHA1
b9ed3c2398abf721bd6fa6802a0b6b3fc50a2c85

SHA256
799c0cfb2f1509c16afba2d29b6579fd21ca18ba9df2031edaa05861c57d41ac

SHA512
1253f247f25e1df6baaea38717c3f30ee36273a8d7a6f69241ffa6dc6d03eaee8dcbe14cfb95e771aa9ccc9971f89f0485628965010f5970a960dd4a75fd3037

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133480390984410000jre_packed.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/1936-183-0x0000000003410000-0x00000000034AE000-memory.dmp

Filesize
632KB

Download
memory/1936-43-0x0000000003410000-0x00000000034AE000-memory.dmp

Filesize
632KB

Download
memory/1936-0-0x0000000001330000-0x00000000013CE000-memory.dmp

Filesize
632KB

Download
memory/1936-184-0x0000000003410000-0x00000000034AE000-memory.dmp

Filesize
632KB

Download
memory/1936-100-0x0000000001330000-0x00000000013CE000-memory.dmp

Filesize
632KB

Download
memory/2568-44-0x0000000001330000-0x00000000013CE000-memory.dmp

Filesize
632KB

Download
memory/2568-104-0x0000000001330000-0x00000000013CE000-memory.dmp

Filesize
632KB

Download