Overview

overview

7

Static

static

7

1802ec142f...d7.exe

windows7-x64

7

1802ec142f...d7.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 12:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1802ec142f1b92d1c0887f5d048d27d7.exe

  • Size

    227KB

  • MD5

    1802ec142f1b92d1c0887f5d048d27d7

  • SHA1

    35c5407b70cc96c32293eb9a772f6f41feeee42e

  • SHA256

    06662e12a0f4acd03e02901b5e8da36bc4745e0aa2754f6694419320caaadb90

  • SHA512

    7b6ed220768880f8dc3701de8ecafc79c36676148ae45969bb020edd207492c8ce4cee10b62d7865bed04cb9edc9a23962e90cacb838eac5454de35ca7b64e9f

  • SSDEEP

    6144:5p4wdZ3t4A6M2kwp+E4tEZw7BkJgSoS3VVF:5p4wj3t9B7wp+1+w7NSoS39

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\SysWOW64\cscript.exe
    cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
    1⤵
      PID:368
    • C:\Users\Admin\AppData\Local\Temp\1802EC~1.EXE
      "C:\Users\Admin\AppData\Local\Temp\1802EC~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
      1⤵
      • Drops file in Program Files directory
      PID:4016
    • C:\Users\Admin\AppData\Local\Temp\1802ec142f1b92d1c0887f5d048d27d7.exe
      "C:\Users\Admin\AppData\Local\Temp\1802ec142f1b92d1c0887f5d048d27d7.exe"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3140

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log
            Filesize

            12KB

            MD5

            966e81c5b3905c7c4ade80650775d350

            SHA1

            55320bdb3c7ac4885c11094decdde487c6bfdc19

            SHA256

            0576c3ec0fe61dd38054cddff92523c76795abdf7fc7088432a1663bc31e424b

            SHA512

            b7630dc512c1c10a5b420c948c8febd34b5d52776a4d871f5b66884388be8ecb8b40d87ef7b8baa5a0a12c44bf491c1184b380d1fa2bff792cc2bd61ab00b3ce

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Zona\tmp\133485263244618684jre_packed.exe
            Filesize

            153B

            MD5

            a53e183b2c571a68b246ad570b76da19

            SHA1

            7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

            SHA256

            29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

            SHA512

            1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

            Download Submit

          • memory/3140-0-0x0000000000E20000-0x0000000000EBE000-memory.dmp

            Filesize

            632KB

            Download

          • memory/3140-161-0x0000000000E20000-0x0000000000EBE000-memory.dmp

            Filesize

            632KB

            Download

          • memory/4016-43-0x0000000000E20000-0x0000000000EBE000-memory.dmp

            Filesize

            632KB

            Download

          • memory/4016-167-0x0000000000E20000-0x0000000000EBE000-memory.dmp

            Filesize

            632KB

            Download