04c3898dc63436dea13fa53ee1cc531e69b058f1f9491f8b31cc4e0e0534d461

Analysis

max time kernel
167s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

323e950022afd32a64deaf08fb8e2519.exe
Size

227KB
MD5

323e950022afd32a64deaf08fb8e2519
SHA1

f6b997073727285240a236cb055caef848f99d6f
SHA256

04c3898dc63436dea13fa53ee1cc531e69b058f1f9491f8b31cc4e0e0534d461
SHA512

f70d3ac45f839800b58126f3ba7c4c75f5c29040b0f5fd17a7abf27a7abc17713382ef3030539415c3be617c55a5562d737efee33f730f99780252405ee8c91d
SSDEEP

6144:7ifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRVqF:ufk6kDqHw2hmxlrz2HoSRA

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	323e950022afd32a64deaf08fb8e2519.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3660-0-0x0000000001000000-0x000000000109E000-memory.dmp	upx
behavioral2/memory/3660-26-0x0000000001000000-0x000000000109E000-memory.dmp	upx
behavioral2/memory/3660-91-0x0000000001000000-0x000000000109E000-memory.dmp	upx
behavioral2/memory/3752-93-0x0000000001000000-0x000000000109E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\utils.jar	323E95~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	323E95~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	323E95~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	323E95~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 5044	3660	323e950022afd32a64deaf08fb8e2519.exe	91
PID 3660 wrote to memory of 5044	3660	323e950022afd32a64deaf08fb8e2519.exe	91
PID 3660 wrote to memory of 5044	3660	323e950022afd32a64deaf08fb8e2519.exe	91
PID 3660 wrote to memory of 3752	3660	323e950022afd32a64deaf08fb8e2519.exe	95
PID 3660 wrote to memory of 3752	3660	323e950022afd32a64deaf08fb8e2519.exe	95
PID 3660 wrote to memory of 3752	3660	323e950022afd32a64deaf08fb8e2519.exe	95

C:\Users\Admin\AppData\Local\Temp\323e950022afd32a64deaf08fb8e2519.exe
"C:\Users\Admin\AppData\Local\Temp\323e950022afd32a64deaf08fb8e2519.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\323E95~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\323E95~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
75bbb9d94f7a86d6dedf9902f6b30634

SHA1
714ea84a5531085c5c2e0ff7f5cf5904da68a1c4

SHA256
08235dac76bd6686ab221dc0b13984e01697a9e31ea3318a4a6da81e1faeacaf

SHA512
117c088656e4cc4d83a764b1b66a9c376ee066de79e19e221ac4fe22d11f689513c73f5c804c560d403b31bc2f471e8e2d6f951a8350518274b90302f500920b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
ff08a556d13c94768ae84231cc4acec2

SHA1
2c27a1194e618359efe2ec726cb4a2dbc6f32414

SHA256
2a2d80cee720001c2fd57e310aeabed453471e4ee9e94d66de4b610199e032d5

SHA512
d16fe9b610f176648b63164031350ac2f9cfeae0d7502a3c9a1059a371d9bd4872c3148e9f883bc51b84a4d615d50b45464193d971680bab0cf95366cecfdf3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
48e63298ce7966e5ad31cb485ee2f61f

SHA1
7e3383020b0497d4019035828746607f100fbab9

SHA256
350d9bbbe8d9210dbfe18f4dc543d8200798f8895e935c8908dc2ca29af3128c

SHA512
7fb8611aaf0bfa954cc102ca4624472dbe73d929bbab1ee597645058e5fa06e8142277a5f138dc771ba4ebb78f0f36cbc51f722c892a6c20b24a55c427d85522

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
2257e09480179263ed79aeb810452fbf

SHA1
1feaa5acc82b9473bdb112f368f39eb0394e1908

SHA256
9a5a5abe3953318a9c8c0f198443a369f03e5554a27f0be95dec2442e1534e2e

SHA512
cfa25c12d78af0132df50533bdff02622e2a2276869c38f567a2491c97a12c272e4f40668991aabf091e8417fe297062402b8c03bb1d61d73ce305c6c7db5653

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
d32a8d59269d72d547fb45c2a91524c8

SHA1
7039921841364d1c8ed5fee3c65b2027863fbbec

SHA256
673f1633939272b50c7d64df2f244be08564422b713081d0a062a227c01f044a

SHA512
dd74885d71968e2f81ca4b1446201e3606ee85811be9699176c24144f8969836652a8dc11a231c0fbd56c1faf0104e8c6d6cf23eea5716db90de9a9caf797d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
268314b41a66eb19555f42fdb9fc4767

SHA1
299845f1edd48f36bc5acdd33ec08d40efc6a447

SHA256
ba083569b690da2047e7c6a6a8bf38e22ef27cf4664b75758f9733816ea7bc88

SHA512
fb2e730b4a10e8c8816b736bb6ff3ce5489b91e2744add0cdc566f892e4a7c71998c422fb5419ab76cfa5bb3f0992327eb0b6093443ab96d2711875bd2c66152

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
1KB

MD5
f6f2fbc15700fdb4fa52bcf8fcccd7f3

SHA1
6f6d054a933bdeb4775bcb01f4e9656dc6f91f80

SHA256
a9e37303e5921db8a017b023b43fa5ff326535212f149419bbbe9a094cc25179

SHA512
267af9ef8dabb7d2cfb777db6543332dc64ae6653bc78d15ceec316813be4e8a4f78ca00b992f1796457d5d83b932b1f39175e187dc9606731d8ccb3a158d9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
3KB

MD5
2d27dd6f158b4b29a60bd61630a57baf

SHA1
4295e7a4e4baaf45a931cb5ece2121e70206c161

SHA256
a86c875d9bcded806b97a55240a075c4ccbe6509c45a0bf40e767eff1f136d0e

SHA512
3961d1e0c49c1b3c22e130b639e9ebce1ddbb86c21a1bc86a59fe8e6cf4086dc86765c0e211eb754495def6377864bc9fb2948585e9269d5ecff4f82c11bb95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
0920c41bed8e2dbc43bd42e319f4f2cf

SHA1
31bcedf7eb92b020c6ffa80986b9261ebe879c09

SHA256
f953599999960dccbaedd8364945ff48cb014b70662b0239f3a1acf097a881bb

SHA512
db8d7dace9caf71cc5f3653f13506192eaaea8c013e8ca9bd1d4ff775a1ec9d51ef56ba45bef1cc841bdb1d49dcd8568f6650824aa39e09ac9e65ef76fb332a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
cfa2c11e3bb08a785fb9f85e88d82e6f

SHA1
f3f02b212c929d096bc9bd369be1bea081d99710

SHA256
e154b74b679598f0c07251de9a546297ae4edc3544c093fa1afe431ee3883110

SHA512
77df6d3a4c1e8b24afd131bc13f4e6dba7eae0c3c7f4d4a8cf0e5a1b498cb7a2331e1a220e4bc3d9c0212671f55908c6291d58415d8305c8418306d5df794693

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
a9ffd39f0c0d1d07d78d3404bd18d303

SHA1
52b8cc32b5f46bcac90688a58c5cdc99b517da69

SHA256
d1ed3f2297e6b7d996b57601b8523279e15095f5d513b15a82eaf5137baf6612

SHA512
13c0a2a4972e8669fef15922ad87c2add13eae4f1614d50e59ed9efa287cd54d78c50a8d2bfa5c6f23be44728a842d1cb71d68b58efe7b58d02691c90fca02bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
9721387339fe925cbaa8a5a277051173

SHA1
45e41279cfa47bb9f484139c74b80ddf7b6a41ac

SHA256
318d610307f7a68eb073438595be927d63484b2932e697c23ae9f6bea74f48b2

SHA512
2ea88aaf2321d4e8063601d76ad15f55c1376005b4a421d9d613f90f04d7b0d3a816346d174f11e2eb8cd945ff34003f04e9f55abfc4bbfbd8fa90c79e93e1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
594B

MD5
a348f65d16407d1ee3474fbfd0fb756b

SHA1
5c50004b3c8391ba44322cc94b1d94e210c073de

SHA256
56ccb06628807a7db3417619f4cb19ce2e5e14091df62e453c8dd33085f8371d

SHA512
e06b9efb0a31d2ae2acaffe0acd97b0467fb2cba2969269a5d05b8af244222f1d009306ba2e08b179deb9db04f742bbdbab6f9c8c000ab35bac149d82b5ec181

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
bba8e74fbc351c1f73498c61ac87fd41

SHA1
c6052b7024352be533d85bd282bab6a8b9ddbbe6

SHA256
933fe8ffaeac690c7d53b2eb6aac29065ee71fae9f2200a8941284426d7f25bd

SHA512
bd0525c7ebe6ed4de3a7ea5ff982e6b654f89f1f54431fdc75a7b155f7ee993aa49276c9ec33fb9d71faee072fae3d36af6e472dd66495d64a90b5ae8eca2aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
d86635e0c8c9840f2405a67a4c9a1233

SHA1
7e7d1f615d53c19954ce97ac5a6102fd408b310e

SHA256
a08f099e9bed13371d50c4b3399c5d1622457ec8a93d443e1699c832c71a54dc

SHA512
9d6e3f6a39ea04d51b48d764c2dbdbac2244545226c6075ad88946e8196513a54eae1f0c685a2948229fcd174144bf47dc06caa42866df4e25eededc451cbd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133482944001797209javaSetup.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/3660-91-0x0000000001000000-0x000000000109E000-memory.dmp

Filesize
632KB

Download
memory/3660-0-0x0000000001000000-0x000000000109E000-memory.dmp

Filesize
632KB

Download
memory/3660-26-0x0000000001000000-0x000000000109E000-memory.dmp

Filesize
632KB

Download
memory/3752-93-0x0000000001000000-0x000000000109E000-memory.dmp

Filesize
632KB

Download