12303a80a77bdc987a6740f5bf6226e21516b55bb700f761777283ea53222b91

Analysis

max time kernel
156s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0564d1a8532bf5902ef888ac67af116b.exe
Size

227KB
MD5

0564d1a8532bf5902ef888ac67af116b
SHA1

4ac80c34df78084f36c16d01f625c3afc874618b
SHA256

12303a80a77bdc987a6740f5bf6226e21516b55bb700f761777283ea53222b91
SHA512

870d8bb601da292e82e64448eab7bcafb8006e356d7d44300b70ac12f005bc19163f0c6cba51f7c28a47dbbc275cb45a94a07ff3a4844e40b8341a58908eb211
SSDEEP

6144:KifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRV2E:9fk6kDqHw2hmxlrz2HoSRF

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	0564d1a8532bf5902ef888ac67af116b.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4608-0-0x0000000000460000-0x00000000004FE000-memory.dmp	upx
behavioral2/memory/4608-43-0x0000000000460000-0x00000000004FE000-memory.dmp	upx
behavioral2/memory/1484-49-0x0000000000460000-0x00000000004FE000-memory.dmp	upx
behavioral2/memory/1484-95-0x0000000000460000-0x00000000004FE000-memory.dmp	upx
behavioral2/memory/4608-100-0x0000000000460000-0x00000000004FE000-memory.dmp	upx
behavioral2/memory/4608-180-0x0000000000460000-0x00000000004FE000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\License_en.rtf	0564D1~1.EXE
File created	C:\PROGRA~2\Zona\utils.jar	0564D1~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	0564D1~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	0564D1~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4012	4608	0564d1a8532bf5902ef888ac67af116b.exe	91
PID 4608 wrote to memory of 4012	4608	0564d1a8532bf5902ef888ac67af116b.exe	91
PID 4608 wrote to memory of 4012	4608	0564d1a8532bf5902ef888ac67af116b.exe	91
PID 4608 wrote to memory of 1484	4608	0564d1a8532bf5902ef888ac67af116b.exe	95
PID 4608 wrote to memory of 1484	4608	0564d1a8532bf5902ef888ac67af116b.exe	95
PID 4608 wrote to memory of 1484	4608	0564d1a8532bf5902ef888ac67af116b.exe	95

C:\Users\Admin\AppData\Local\Temp\0564d1a8532bf5902ef888ac67af116b.exe
"C:\Users\Admin\AppData\Local\Temp\0564d1a8532bf5902ef888ac67af116b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:4012
- C:\Users\Admin\AppData\Local\Temp\0564D1~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\0564D1~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
e5cf43e7ee64b34e23ca4d3ab5ce073b

SHA1
0c1eb073047d1518132f522591ed09286b7032ef

SHA256
82b8f0a4c988151310644d9de4b1ce7a5b6c938afccbf3828ad76c076495a0cc

SHA512
db5cd7e4904c8708a3e856884cf8cf5d97b17efdbaf8362713a6381a03a4469e62dbda97b1313e55a9604e69f3d7516b5b75ccab9d1682db5e79a3d9d5edb470

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
7669f28b26c495849b820454b35dae69

SHA1
1353d42b7167138e50bb25fe6afd58e055791b86

SHA256
d6d7e64698346b9dbdb9605ca9688e68b33ccf6e3611bf29d2d8463bcb2f62c7

SHA512
c96555b0f1776de54a08d9de6e822be440c29572d6613b994cdba141fe50a7a7de08b7620b8ef9394f9f6fbad2fd3d661f95bcc9301a5db354ac6257c0f387a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
d62baceecee84588ba61099fc0321438

SHA1
9025cd0a8d52f6c865c1a64d7ddfe8d1343c5dd7

SHA256
64e1f19d5c0e591ef404c7b1eab6ec4ec837618906c09c36203daf1a41fd8072

SHA512
51bd6fbf1d8157ec82ae1d97d540d30b231b93e7be19b6177090318f38e770875951b4af84c13dbc7a429db8e8169ea632ce2fdc75aa7691b70f28e9c3b16095

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
38a5cc883fb3adf64de0db624129bd9a

SHA1
ae061cf0dc91f5072f5b32f9264c92d6edd13421

SHA256
463def910b342dc63b5fc53a5f2fd54782244843e92e51a92755efa8a19ad948

SHA512
dfe21a2a2227cecdf0123b129d8d8b02124488b2ce7fd760f72db7fe4e0c001eeec23c248b54c18a5b58916767b10db5122e55eaf621b6076eebcb14ba626411

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
8cf21a470ec373d5926299d0f97ca4d0

SHA1
725a1e58ccd0b1318fc423bc596d5a15e8b41b77

SHA256
039c58f8a68a748a71dc426db4b2e2ea8d0f252bc734f5e28beac162fd426b9c

SHA512
2e80fee5d42a7f00e2f33f4b567816dc2a036e81489b2cbde57a2dc5448cf8691fb259f5ce802e620557e35022d2f3dfe8467d21671b8a9f1e5ad33f413ff824

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
b8a7721d19da8203f90f9a9f3a7f8c45

SHA1
8d393d6a6d42372aa4ab70f5b554abda84387955

SHA256
7cbb17c3199c1df5cc6237de7fc42efe72a6ab3a236de8518d567259a60e30c3

SHA512
15983c510b03fe25c70a8c6ab4a2576b1ec2b253a01e399e9d89ad6e94ab45a1fe81b9e32c638c56a07dae8859529123df47336211e0f51dccc30d09469d51c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
ef74c7f01e2c29dec3ed88831b4dfa68

SHA1
7d21d84da5cebeff939ee13f0c9a13bf9d6d9fd3

SHA256
cdd17887e3a10faf7c3177fef28634886f57e2e9575f5e845be7ffb88aa5b793

SHA512
ad82abbda52e2c1c7ceb6d96ae9083a47cfbede9e7745e66e38a77f55900092e2b6cb8e7edbbe69f5e9fece6760cd6b0c929458df42c9c83c3965f10b1be80f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
bff9ff1cc7464efca2fafc8f4f3de2a6

SHA1
d4cc1d4acba27441882366ad5788607303a12045

SHA256
9bbf10cc9172a73e5c11f7174c671aea1e9dec322e9932919b1c74e7e6290f91

SHA512
58c86022c1e70cb90e12ce1feb1a70ae13a60018029dc5caece4a506fe2a7bd40e1022acc13b73a90bed3a43e37f896f4e351425c54e8a658d666c4e5b40936b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
9550628e160e3905ae192b36e18cee6a

SHA1
894a174df15f93e567bd431f4063d59c12780280

SHA256
48dcded9f34e74f0c062cc3b9137970f5e502aeaed57c7a5c0e1bb2ca7cbdd29

SHA512
9a75c41e0e177c59ce7f0650ee18d66cdbe62c4ad3200ac0f13132a25668b762e2a999cc91b8cd1e230bf829c51fc315cc4b89264400bc4196117643cfa7faa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
f1d3747ca32e7c3dda3d384c5104cae6

SHA1
c291d6cd0e5c8093cfda2feaa6b61e9c96cc6750

SHA256
524627692140a1843fd1403a38ea4daaf62d9779cb16b56f156fda07d78ad245

SHA512
8624877eb13ab8c02b895691cdca1a5b835326bb20f1b2567db9e09142b8553767d591f72caf7c096d86731db6c3efd1a26b4e8dfe862f94766f94b60b3755d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
75779ab817422277ffc5bb4752fbd360

SHA1
0dac0acf7bc13a86cb4ac566b264ac7d553386d8

SHA256
fecc06261abda02fc5a0e2cde66f911b2b69a1cc69eedece28479dfedc0d5ab3

SHA512
93357270918611b3549e258524ab1fbd4f82d6612a92664c35a069e29da1c0fbf603600888a19cf68b616f260f7df532af4cfa18f89ec3d79e0274b0893d2ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
594B

MD5
90410f56d4ab321a9670f8a474d42b6d

SHA1
ffb032c1e0c741b5f505a73c10a612bc608e6912

SHA256
11a88e68182b133a9544c5b4587e90eebe47fcaa62958bd3b8adafed1f566f35

SHA512
cb04ebdf3d96eeb85d3a0bf06e0209f4f6677b6c4e424b1aa28b7e477cf27337ff624736f06b65ff1ec59fe22fc65c402568bde37635bbdd9b978910e6be34ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
37ce97a42afd3eb73208100a553e3634

SHA1
2db0e7b5a19c5572e2287a0da3c6e42540157ad0

SHA256
8ecad1a0dd410332223049bf970869af8b9514d7111157e266dd7cdab56fcb68

SHA512
41e004eec3f91f1bf6920a2d88ce2cbf58c8450a72bda13d32fa0197b417aa89acc5acfb7e8dc1a81bc0f6f0d4f43c03e4b9ffff11a5642730fc6782fba98f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133483825192810729javaSetup.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/1484-95-0x0000000000460000-0x00000000004FE000-memory.dmp

Filesize
632KB

Download
memory/1484-49-0x0000000000460000-0x00000000004FE000-memory.dmp

Filesize
632KB

Download
memory/4608-100-0x0000000000460000-0x00000000004FE000-memory.dmp

Filesize
632KB

Download
memory/4608-0-0x0000000000460000-0x00000000004FE000-memory.dmp

Filesize
632KB

Download
memory/4608-43-0x0000000000460000-0x00000000004FE000-memory.dmp

Filesize
632KB

Download
memory/4608-180-0x0000000000460000-0x00000000004FE000-memory.dmp

Filesize
632KB

Download