046b8f2d77949e94a1d3d8a2aa3a9cff0a6aba0f664555e420318ec3c125b355

Analysis

max time kernel
146s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

499972f4f129ae52427714b81a2c2492.exe
Size

227KB
MD5

499972f4f129ae52427714b81a2c2492
SHA1

41bf4f9ccb3eaa173368ae7c53c42242daa47092
SHA256

046b8f2d77949e94a1d3d8a2aa3a9cff0a6aba0f664555e420318ec3c125b355
SHA512

7c33fe9ef3c21e882897c38b34961c46702cbda18bfab60cd9877235c59f9e458f0ce51b56e88f2454820331a83b387fc63e3c9009a3f28055dcb25a592fd592
SSDEEP

6144:Rp4wdZ3t4A6M2kwp+E4tEZw7BkJgSoS3VB/:Rp4wj3t9B7wp+1+w7NSoS3f

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1104-0-0x0000000000B10000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/1104-45-0x0000000003B00000-0x0000000003B9E000-memory.dmp	upx
behavioral1/memory/1384-46-0x0000000000B10000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/1104-96-0x0000000000B10000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/1384-97-0x0000000000B10000-0x0000000000BAE000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\License_en.rtf	499972~1.EXE
File created	C:\PROGRA~2\Zona\utils.jar	499972~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	499972~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	499972~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2756	1104	499972f4f129ae52427714b81a2c2492.exe	28
PID 1104 wrote to memory of 2756	1104	499972f4f129ae52427714b81a2c2492.exe	28
PID 1104 wrote to memory of 2756	1104	499972f4f129ae52427714b81a2c2492.exe	28
PID 1104 wrote to memory of 2756	1104	499972f4f129ae52427714b81a2c2492.exe	28
PID 1104 wrote to memory of 1384	1104	499972f4f129ae52427714b81a2c2492.exe	31
PID 1104 wrote to memory of 1384	1104	499972f4f129ae52427714b81a2c2492.exe	31
PID 1104 wrote to memory of 1384	1104	499972f4f129ae52427714b81a2c2492.exe	31
PID 1104 wrote to memory of 1384	1104	499972f4f129ae52427714b81a2c2492.exe	31
PID 1104 wrote to memory of 1384	1104	499972f4f129ae52427714b81a2c2492.exe	31
PID 1104 wrote to memory of 1384	1104	499972f4f129ae52427714b81a2c2492.exe	31
PID 1104 wrote to memory of 1384	1104	499972f4f129ae52427714b81a2c2492.exe	31

C:\Users\Admin\AppData\Local\Temp\499972f4f129ae52427714b81a2c2492.exe
"C:\Users\Admin\AppData\Local\Temp\499972f4f129ae52427714b81a2c2492.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\499972~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\499972~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
c26ac4564f2eeb313e58561cabd235eb

SHA1
47a943a42b38cd9913deda0e5255e0c5ba32bb4a

SHA256
7773b9870c243084d9844d882528ff655561301f8a576b7abeadb392b769a4ee

SHA512
c017ab3113a3a1c5dd796bd4f4e44b81300d28bd889ec923bda13844efabad03ed7d46d1d4ef6d10b3512bef3909a5cd3c2fec134be0d2b0da37b5285a305bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
248ba38f88d1b90f071585a48ca56283

SHA1
dcdabe25a52d3aaa550c8c5ba75931f9a0e03edf

SHA256
fa3bc835f0d6cee0d6d67b15dcb46ad2f30284077331b6addb144e49f58f074b

SHA512
fa0b9752a6625dedcdd9dc9aea21bb373ac8b310669b6ba9a9658609205dc9566c6d90859875437a412b667720204ca62d355cbd5cdb3ff347a528bef5bf46d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
2ba369bfb48dfd9c8f8f0984129fcdb9

SHA1
6fc03b3d94c0b1df77e60a42a7c33abf6a12c3f8

SHA256
d6f85c32e9839c9251cb88c971c2bae2e4e16ff59dcfd83e341136c7da01f392

SHA512
7d76024cfff85e8c9cb21760053ccc6d4aef570fedbabae4f79cbbd307f94f183d740bdb8471925aa3575064004dc8415bb4d6ff3c871eb2a78d6a14c2be0e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
7e7509ad2fe7903eaef96387522c0695

SHA1
8165abe3c88d3a8291cef71b2305651154d2ea3c

SHA256
f3a0f5845890df3f264f32715ff96a8ad8ccc0197a42ed675cd3d28917811972

SHA512
33f278e5b232c9c3d9a6195c3f76b3a645948be9df4750b118cad7971d12856463b778dbc78da4a2bf8272dbe6125e7309a4e06e5ea2b1f2204933bf87da4d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
228f8b5e86aba3bec096b7a91cf9d7ff

SHA1
ed7c6f43c7eb923ed2d726d0eadda99d41cc577b

SHA256
49a7747efbb14bc22460cc67036940ec3cf88c7279a656a2b1d3e265d7982019

SHA512
0dee8d64a9bc9c7214acb528dda83dcc39f35fe5dec3aaf28ef96411026efc98203eded204c66bb47daaaedc31bbcd8def3d687690cdea27ff111d0c39ebdbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
144d43310c550310626ae1330dfc4bc5

SHA1
9ef0b80dc235b5b72a958c7f294e68de38212b8b

SHA256
97a44289bb63299a4e394dd2c35105dcc4301c23905d96f5274b33fead10cef7

SHA512
4249338689c90dbbff78e8ce831587dda27675b42dc4a6a7682837a5b17af2b5c9a118744b24b205f588bfcb502165b9518430f06af74f0686b849ab1a61492e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
4c0e428439bb33d207e60a63ed1bf3fd

SHA1
48326733747956497e397ebc587ce59912e887b7

SHA256
64437221e501964793f1c4148760bf988d84cb69161ba4f9af4c43e90bdb4831

SHA512
fea070c24a85d8fc256d4978b4b764694cdf2b62ba8e60164a40fa8dabd4162e31e0b627fba7407cd430a727dd42d673f16726bba1b86b9592834ba6a56eab01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
956cb1016574c036e9bf709028877912

SHA1
9051f49671f10dfc61fafd37ba44b8e9e66f1994

SHA256
6046ff0111b067e67e9e81652e37d0ea894bc3295c3a72c486819abaf9c59db2

SHA512
014fa15ee6b4d6c1f4dd71d2f611acf8c0cac8eb61c2d18a95f6d96944f8938071697c2a6a74c2283f6bab6ac69e926147cdc3c3acce95a5f8a09cb09ccfa813

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
7b316b4f7eae79fa17f543d2c46a4fc7

SHA1
25ce7a130d90ea60c911f03593d0b3066d305f65

SHA256
e104526e3735b75fa5062c3530ff4c1f491b8cc99d42d830e613ed9024c00456

SHA512
286952593d14e5507415d86a971c178f04ad587935d49b0be743d36aa2ee3446426e251912e82deb99e1add675d781881e1b1dfc3fd2e098296a4b1cec419aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
593e7dc2e3585c4ce011911298c2ce7f

SHA1
0edb127932d8c770eebea27dda13d0710a7cb23b

SHA256
0819445f0cd705871ca0265b09ccf56b448cae9dbba54019d6b3f94f89aab7dc

SHA512
8594fbdb84c84297d7202d362d4633319c0bd3325abfa50374e0325b102776c15aef45cc8b076cee09a70e1de512b43c3b0837700af3bb3abcf751e03f97d9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
d92788eee27b437c29d92ceca9becd68

SHA1
7e94a409abe5a2aabb9c1063c02476dee3b700c8

SHA256
73e1ec3cec8dac5b0bf98b82299e9681309858bb9e62895c7e92b20bd35dc512

SHA512
833af472adf08aea28c73c44b297bf167551db53b3c2563d94598f1fca3348845785f36c07ebfb79b8f8a0c9062fbe04dee389c96f306e8cace6dcc8f996cd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
dfca1aa69e00369fd0f40ddaf4b53dcb

SHA1
6253a4f0ca45a57551b558e79093081dd6724507

SHA256
e918aee04ca76aa4bde10f80a61818a34e2454763803640717868fbd364e8053

SHA512
93577de01f20227745ff42bcacbd333cdb4d09dfe4d32cd58ed37b35fa8b026bc0e8d0a853eba1947b5cac30212e6f795ebec9ae9634a9d09a28f8b0f77c724c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
5b995e0fbd6cfa93ef7bea6533391a77

SHA1
1acee08b1671fa5f4111507b9156a888889c1ab9

SHA256
0148300f39565939fafe80ac026c7f0618d635d10904bc4af0a448c9332742b9

SHA512
b493fb13efaeaeb5a09f8fe7cf3a64704f06d869d8e1a1b5d549d47815aa3a9697b143f21f542cd9c50ebe0873693a315147564e1b0be33a2391f56497a97bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
6ed3187c84e2caa24a9f0d100eb956c9

SHA1
8e54bedc43157a5e65d0bb913aebdb7c4917cc94

SHA256
60e01e86cd7d439d10e62a52cadf64df2e70efd06367fa3053ef31c1379d58fb

SHA512
59248130f2c420c63c9b71e9d13f944800ef20e6c9967d1ca082bcf36d221658cc903df0b5c2aba7b7026dc45c357e2b157499a884c253820490adf1af6b404d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
memory/1104-108-0x0000000003B00000-0x0000000003B9E000-memory.dmp

Filesize
632KB

Download
memory/1104-0-0x0000000000B10000-0x0000000000BAE000-memory.dmp

Filesize
632KB

Download
memory/1104-107-0x0000000003B00000-0x0000000003B9E000-memory.dmp

Filesize
632KB

Download
memory/1104-96-0x0000000000B10000-0x0000000000BAE000-memory.dmp

Filesize
632KB

Download
memory/1104-45-0x0000000003B00000-0x0000000003B9E000-memory.dmp

Filesize
632KB

Download
memory/1384-97-0x0000000000B10000-0x0000000000BAE000-memory.dmp

Filesize
632KB

Download
memory/1384-46-0x0000000000B10000-0x0000000000BAE000-memory.dmp

Filesize
632KB

Download