1119734cc864c8cc7fe743f8156f0ee1d41e194106aad72749ccd2f9feb392b2

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7736cb8173b75debc546b711580f2489.exe
Size

227KB
MD5

7736cb8173b75debc546b711580f2489
SHA1

9f9a18e7c0d7ab949612ebecf9b85fbbf05ee78e
SHA256

1119734cc864c8cc7fe743f8156f0ee1d41e194106aad72749ccd2f9feb392b2
SHA512

b0c0f05b46304a62711e917bcb3d2bf3894a0f4ace408761d58662e77fa26740d7ed9172df79fc73ea577b89520f7d28fb733fa7951f9fcbc9c42304fff8e5bf
SSDEEP

6144:CifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRVa9:Vfk6kDqHw2hmxlrz2HoSRU

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	7736cb8173b75debc546b711580f2489.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4696-0-0x0000000000C60000-0x0000000000CFE000-memory.dmp	upx
behavioral2/memory/4696-99-0x0000000000C60000-0x0000000000CFE000-memory.dmp	upx
behavioral2/memory/2652-100-0x0000000000C60000-0x0000000000CFE000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\utils.jar	7736CB~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	7736CB~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	7736CB~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	7736CB~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 212	4696	7736cb8173b75debc546b711580f2489.exe	88
PID 4696 wrote to memory of 212	4696	7736cb8173b75debc546b711580f2489.exe	88
PID 4696 wrote to memory of 212	4696	7736cb8173b75debc546b711580f2489.exe	88
PID 4696 wrote to memory of 2652	4696	7736cb8173b75debc546b711580f2489.exe	94
PID 4696 wrote to memory of 2652	4696	7736cb8173b75debc546b711580f2489.exe	94
PID 4696 wrote to memory of 2652	4696	7736cb8173b75debc546b711580f2489.exe	94

C:\Users\Admin\AppData\Local\Temp\7736cb8173b75debc546b711580f2489.exe
"C:\Users\Admin\AppData\Local\Temp\7736cb8173b75debc546b711580f2489.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:212
- C:\Users\Admin\AppData\Local\Temp\7736CB~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\7736CB~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
80155bffe4c9e00dcc7836dc926fffd7

SHA1
8ffaf44440a8da16214ad043a0fb109c2fdc2474

SHA256
0fb2dc1d5d3091a99cddfe001c990c831c7f01861418e675c565f4bec660c135

SHA512
6b96fba095e4402b5e1043d7b743e6042999d990ff2d7a83373a5c6806bf8d6b4b28242eb7e534137a72c0b8e395e239bfa7ec27b1d94cd107f43e2b4966046a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
8c86e9d558f2ab5412da7c618c564086

SHA1
e34c5a21d9adde428281a4411ecb4e48bdd1b4e1

SHA256
d7c811d80d896fad879c90190e7a748f6b69727366b0cf622bf66a1edc566f8d

SHA512
e9653dce4e0ad6eab9016c97f59296ec1afe04d24c6b9b357b3c85053b1133d55172db336b99949d754eea3cbe54a48be73e80f83c20b29ca5078c38a49b55c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
1ac6931460b24f6b71bf2cdd0925c866

SHA1
7c6aae2c41e277b456b230cf9cfc17ff157f4251

SHA256
9c53e0cfee15768fcde49889dcffcdb16d366f04378eac757a2dbd5eb70db9ab

SHA512
a326617e9658a62fcdd212ae72b63cfebe0dd676ad4d99523f981fb27db40902e7f48a250a1367fe76c9924e0d16212582a89c5c93dee29734dd67533a4b8b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
75e2c8f1ee3e8b6ddc8a853636fb6466

SHA1
2b6ae0dc0874a566c70d2ab511c52a97274f859c

SHA256
560c2478e5ddce46814176203d3bf57ff64e1d2f800588045917dd1ad368b7e4

SHA512
387e7aa3aaa80359791139b4a0f1b40bc10c242fd23cf7c9d713f1cc3cfd8d1964f6968069dcdaf71a62f34f64ffdfd36a8296e392925b2e721586526a59403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
806c7a989f8e7b0825bc0f7dcc24a3f0

SHA1
6e4a178cf8079370fc28c9e5a471cf079c01c8e2

SHA256
be9af5c9cb5fee1203d271a1f16e5483a2dd2734aa3a3f464936353633281ed1

SHA512
ec4b065c729af2b423865d9375b973de6cb0b8b0ca5e88da569f54aa7d59bab2c3d7158bf8cb03be0e357e7fcbf3d911bd5f7c24d41f3a914b2eab29bef8c966

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
7ac9c3d8ba2222418d02a3225b725c0d

SHA1
8cc175c34281af2d784248e91efc007ed79eb1eb

SHA256
e8fa0d993e6118977c197de058490d7bfa13e88e9c1455a119a4a68b89c654f7

SHA512
cab980976e5d5f823e9b1eca808f4a3ee5fa3ac5d09310113f52a0f4ee438bc9f265f7e48781a6d50d905ee8d4d5d66440ad3edfb7fbf5f3033d2f5f57ab0a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
631ceeadfbfe4d2980ff93eeaf34d66f

SHA1
ed9b7b095d5404bb4986414c6688a6ce5240f360

SHA256
22651d8cf58a0f70b19c7e7bf0b958b1fdfaf141c143a612a1af8b791eea242b

SHA512
412ab0c08bc49eb042dd95149cc86a485af0f84e455b4b67c580ef1f981d2b709b3cb88a0915c2d95bba574df9aeb0a21879e7606125489e4353c0ce3c3f7969

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
3KB

MD5
ef31b7a4ae7e79f01d986a1b9374f2a2

SHA1
b26d126cdc80ee7371a495f8b8822498ce0792e8

SHA256
f6d2ac3a18722f21bea00fb5dc387e15f0b64c7047060f7a02e2050f500d53b5

SHA512
0a4a77243bfca63852ae3b2ba2982baec45eeea21f5443a98171b8800a9855b0b2a211b1017409ac1c64d5fb62c15de45152ee6b56a1e57bc6a832fbb54eef27

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
58c73e8c549ddda73a53ed1b3ceaa83d

SHA1
3dfe76fd84a496b6924b7328565494b417870f31

SHA256
a7fd3912de126f3110b8540a16ea304b552e970c3f51856ba6403fa105ca624d

SHA512
996a9ffac18624108d5005a39339fe01f3f2c6a3ed2a9a7a98eb853cee006652939b057dea515cae2588138d32a16b812c0e72d2354710b7926b3ca520876cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
03c8cd1f6cda107aaca47915ea63b2e3

SHA1
6aab4245674f83e50046d8a5413e48feb18f0320

SHA256
986a9e616d2663ac682c13fcdce475923bd9a2bc2875f3840b07b5a86ae8991f

SHA512
e269b6867e0c6f620429a1106907c8e67af380318a3b56b1308eecee531a1e7aec6c45a403a0d65d6e1d5a69d2cee83db6266fc77d3e68b8cf8f6d4f87198944

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133482038199440699javaSetup.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/2652-100-0x0000000000C60000-0x0000000000CFE000-memory.dmp

Filesize
632KB

Download
memory/4696-99-0x0000000000C60000-0x0000000000CFE000-memory.dmp

Filesize
632KB

Download
memory/4696-0-0x0000000000C60000-0x0000000000CFE000-memory.dmp

Filesize
632KB

Download