21afa9c398fb77cb5473f7761b49aa4e837fc0fa38682d1ba06d4c34ecd6152e

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cfbdf156b2eda963e54f5ac7932ccd8.exe
Size

227KB
MD5

4cfbdf156b2eda963e54f5ac7932ccd8
SHA1

4917d3c890e1aad201d1a9c6001810812053e373
SHA256

21afa9c398fb77cb5473f7761b49aa4e837fc0fa38682d1ba06d4c34ecd6152e
SHA512

72b28279da5bf17eebd61cc08c60bcdd6bd0d9b45289b45bd2678f2b4be87275fd2b43b7daf9738f3cb160f80c943094f51204fb2560b88e6459df3e4875f7de
SSDEEP

6144:6ifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRVtS:Nfk6kDqHw2hmxlrz2HoSRC

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	4cfbdf156b2eda963e54f5ac7932ccd8.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4540-0-0x00000000003B0000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/4540-161-0x00000000003B0000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/1816-166-0x00000000003B0000-0x000000000044E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\utils.jar	4CFBDF~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	4CFBDF~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	4CFBDF~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	4CFBDF~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 1968	4540	4cfbdf156b2eda963e54f5ac7932ccd8.exe	19
PID 4540 wrote to memory of 1968	4540	4cfbdf156b2eda963e54f5ac7932ccd8.exe	19
PID 4540 wrote to memory of 1968	4540	4cfbdf156b2eda963e54f5ac7932ccd8.exe	19
PID 4540 wrote to memory of 1816	4540	4cfbdf156b2eda963e54f5ac7932ccd8.exe	21
PID 4540 wrote to memory of 1816	4540	4cfbdf156b2eda963e54f5ac7932ccd8.exe	21
PID 4540 wrote to memory of 1816	4540	4cfbdf156b2eda963e54f5ac7932ccd8.exe	21

C:\Users\Admin\AppData\Local\Temp\4cfbdf156b2eda963e54f5ac7932ccd8.exe
"C:\Users\Admin\AppData\Local\Temp\4cfbdf156b2eda963e54f5ac7932ccd8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\4CFBDF~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\4CFBDF~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
de0c28792a3c0fff739c990ef3e3cea8

SHA1
65a149a28202c69e4a71199f3eaa3990015c05e8

SHA256
c8e71f2f239f3714bbf69c2db8075b6d4908517db748834bf84bb1338f8f362c

SHA512
a19b3f7ecb99f5bc60b9d397dab90302298cf510758ea9bf5d3c5db95d384cbcb7e20ccfe6760fa82a6e3ebd60184215549d2ffffdbe60e0eb6f354dc888d9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
1e817784148f855f3e7b589c43545bb9

SHA1
37caba777f507901e42f55a0e4e48f6d8a40a617

SHA256
63bd3ed5af7fbc93f1f35001fc96f5ef8b543614a2bfc94467b103bf7c420706

SHA512
8686826ba8ae5873978ef52c270c007d2e6f145e21645c99d4dd960bca979731e4c708bd0eef7083aa7cd8c2ed344554838db55a2ce864398764fa0e90159ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
6e207417837b499d12dd4ca38a8c8ed8

SHA1
35068b9c933093c8033fa88676cbd501bc2a2cf0

SHA256
fc30aaaa65938bc91cf42c8565b85d7280e11ba47c5f8c3003d038288dc2ce5b

SHA512
6c5da6ae8b3d33aae0573e763cacb3c0cbeb829f9e2fc99ebeef8a8266af9076ff68cc4be4b09de1da2118d936818be46a01955a07a0c2039cfc73d1a3bc1b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
83d0de428e5082b563a1c393bc1c7749

SHA1
e21e7fc605ca5ac2cedfbabfc04e76ca4d13f86d

SHA256
390a1926a6d3d281a43bc402810244a7c81cde28c357062c1a61c92936f25151

SHA512
71fd91d1fca92f9e81614752eb82761d324de911d56cb121ce98b75baf810593bef4ab1db697d1067c2bf298763a8a4ad33312b6f040e7171f1f75902df15c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
5dd17ccad5675f34a17bd98cf00993ea

SHA1
864e05981b8146cc6ace0eb8721ac4bcde8e3435

SHA256
35755063b6a7079a8b2bcf0c60f2c6d10f96dc9475fc6e8f31fc4d67c9ccca30

SHA512
e7a4c053bfe720688aa7168c77c8d054e7207cf6029653e13324399c8c3cf9bff8c6b0c7c6b87aa783d211038ca52e1e6d446a17ac302174a65a28e27d8d4fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
10KB

MD5
20955080dbe5b9a057f17ab993b2497a

SHA1
474dd88878bbb82851f20a175f071e15e2aa4581

SHA256
8a648140fb40839d972cc80d6f8ac8c8d9f03305ceaf8c505b37268c90f1636e

SHA512
e62c4e182a22804f2e599f9dcb35cc4ea6fe6dba635f50333699b0fc1c2834b09223e62641d73ff1dc127ac2b9d4a086d94df99d0d806a7e13a3c4c499cc3844

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
4a9947fac629038d2cdada0ada7758c4

SHA1
b861f9e0cb0f3fd633f7306add33232b5c7ff490

SHA256
ea33f0639b643e2953840637c1232535c5fc6dc805a8dad2e4e043d3a82bb8ec

SHA512
e3f694bc8fef0f3b1c149a3c8e2b423008a8c82a8a4ebf23b5fe67e77d992f343b1b0898e042bf356ae9976df54ff8237dad9217027963c6e9e535a0a10d2bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
25751ef1f5be911674aef2b51aeff488

SHA1
493e3d85e11941c5bf9c491196cf2894efca264d

SHA256
e6ba05a4aa3d2c250d63b899aa8721cddc1f5c3f6760afcd3215c99fba2e2571

SHA512
9d83c066e18c30e985b484ced0cac6c6e469a2f12547a6dc46f7752b05d33f8d0b3949200bf1cd3feee9b09b6144f823182332c59ea410da714682fbdc35573f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
441b9ee60a625b7e16081e293886ca8f

SHA1
3a137b6ebc2292b20a010f121bfe074f15398bc5

SHA256
7fd703b4ddd5fc5a536bb1a8a959e981b8748a5820d435fb13e0b9a7acf6287d

SHA512
48241b5d7e7f99a68135a763b4393acd064dfc5c58c3717af853ca92812d48a011f881ed23d70ef2dac2a2aaf5b9f9a0ae70de634312256b3ffdb1bfc22b63c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
eaacd30bace623e312912a4812608a0e

SHA1
71214b95f58801d090bdf73de76c4c9ed1653b27

SHA256
92d434c2c506b35e3d9d6ff5053032b13d525f841d58b961eaca900cbf19e173

SHA512
835c377f6b7f30c7f44b1774cd22640ded500930b1e6871079d2647bf17d0749c44ecdcc1ba48f06917869912cf97cb2103b0e35c15515c66da1c4c9d634cea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
da69238d129e6f1a23b600064db463e2

SHA1
454f1f689b9b74ce2788c418bba9ff716ec1385a

SHA256
5462f899d7482bba64fb7f8c9e8c5f462b8fc850ea3022be5e562906b72d8c04

SHA512
edf680b7f299bc7ae46b185b8a3a87d6011eee5429c62e46a0974cedabfab7097e09eabc55ad55763b3432e71398551e8bda479f0f47a9124114660d190b2705

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
a7d135c419267998f9436bc3671a4716

SHA1
026840cd8c3181373690bfb2a1300b1eb2353d9b

SHA256
8090d3dbbac63d62c6f7923ac4f4b799c79bae379a461846daf9fefd7a99eaaf

SHA512
e69779b5456dcab0276f158a37430b80e93e144beb662bd5dac578dfe04a176a6eeed862832477c11d3a9fd1161a8e7b8f13d97756bd750a5fb238c3a31dfa81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
ae5cc87b9af6ff7b1991fb37f0336a4b

SHA1
8021df5787dbf386c77f24ac9ccafd3256c0142f

SHA256
227f0b5289e15e9d89e2dc12376b089ca962f503a6d7e69083780dbfc2248f9f

SHA512
12f37b477b1ecdb583e8029f3aeb2c6be09ac45c9378a0661566d60a7d375321a3bb5987cc0d5aea99d13d12528637a36f9b472bb272d6f4ea7bc9cfeee08b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
68ecaf4f1bd0cfacb33d86e19ff51afd

SHA1
bce2ffbb2b4c0d32ea0252f23841b189310accfa

SHA256
2a9716e759cf5be2b81d2fc98eadda2ab309458aab5612667e63bc74f6174b77

SHA512
2c49230f84739307c467f38b4dcb5749db71d866abf4d8bdeb28fec4258d8401a93422091eae2bb1b19bd9a937063db7098db4fd02488facc1eb7ccc3b2a82a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
95b6a1246e26db51089e84d7450d5c1b

SHA1
74029f1167285358d2cc14ad6d73706e74066adf

SHA256
50b41a154e34fe8ab3184b92349d020bcbbf9ee9656678503e09b452b48c057a

SHA512
23d97f984cdbf6e88f4e43ba56be984b4adde773bc9207b260ecf1b9b43a3bd6c15efc731f1fa7cc05ef667c7b927cc6e82b063f3999cec108a46e23f7a0649b

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133492373589136515javaSetup.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/1816-166-0x00000000003B0000-0x000000000044E000-memory.dmp

Filesize
632KB

Download
memory/4540-0-0x00000000003B0000-0x000000000044E000-memory.dmp

Filesize
632KB

Download
memory/4540-161-0x00000000003B0000-0x000000000044E000-memory.dmp

Filesize
632KB

Download