13bb46ee6f0f412962378ba5a49a392f9ac84eec1affea90b75bf54e0f9f400c

Analysis

max time kernel
141s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6557886bdd5f8a120b244df6431f0e06.exe
Size

226KB
MD5

6557886bdd5f8a120b244df6431f0e06
SHA1

1aa1f1eaf67075d0bf77330bbc174f8b1b63d57e
SHA256

13bb46ee6f0f412962378ba5a49a392f9ac84eec1affea90b75bf54e0f9f400c
SHA512

ec002c3f3b63eabc16b85fc07f0318beb718b328f05a2f0a427580c0f36d9b282edf19db902577c62c9daa3c457ff5c12a915cce3ba17fb3eb42ea394a1eac28
SSDEEP

6144:4d/oKyhlMI4s9hs9gqt8sHE8Ywe3Mox+pqoSSVYH:4Jhlsnstn+LroSSE

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	6557886bdd5f8a120b244df6431f0e06.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3512-0-0x0000000000260000-0x00000000002FE000-memory.dmp	upx
behavioral2/memory/3512-99-0x0000000000260000-0x00000000002FE000-memory.dmp	upx
behavioral2/memory/812-107-0x0000000000260000-0x00000000002FE000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\License_ru.rtf	6557886bdd5f8a120b244df6431f0e06.exe
File created	C:\PROGRA~2\Zona\License_uk.rtf	6557886bdd5f8a120b244df6431f0e06.exe
File created	C:\PROGRA~2\Zona\License_en.rtf	6557886bdd5f8a120b244df6431f0e06.exe
File created	C:\PROGRA~2\Zona\utils.jar	6557886bdd5f8a120b244df6431f0e06.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 2056	3512	6557886bdd5f8a120b244df6431f0e06.exe	87
PID 3512 wrote to memory of 2056	3512	6557886bdd5f8a120b244df6431f0e06.exe	87
PID 3512 wrote to memory of 2056	3512	6557886bdd5f8a120b244df6431f0e06.exe	87
PID 3512 wrote to memory of 812	3512	6557886bdd5f8a120b244df6431f0e06.exe	92
PID 3512 wrote to memory of 812	3512	6557886bdd5f8a120b244df6431f0e06.exe	92
PID 3512 wrote to memory of 812	3512	6557886bdd5f8a120b244df6431f0e06.exe	92

C:\Users\Admin\AppData\Local\Temp\6557886bdd5f8a120b244df6431f0e06.exe
"C:\Users\Admin\AppData\Local\Temp\6557886bdd5f8a120b244df6431f0e06.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:2056
- C:\Users\Admin\AppData\Local\Temp\6557886bdd5f8a120b244df6431f0e06.exe
  "C:\Users\Admin\AppData\Local\Temp\6557886bdd5f8a120b244df6431f0e06.exe" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
3a28a41df3bc1e0c963232b702d477af

SHA1
65075cfd75f2a89dc357f234843fc510396ff58e

SHA256
0aaf729bdf021239ec6a3602f52ab564b6d7b392c800075424067f53d4aca627

SHA512
3cc4eddea439d141e2bfabe4a9c4247cb4bdef33f4859a4fc1f7f4713d5786a65502aafeaeac5fcc602badb20d87d1cdf89c21e830a59aeead059e17a1ece010

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
6f3924579188fe4820e3fe82a82e4504

SHA1
c97237e9f51ed8f05a52124e2e7731715f30061c

SHA256
a0c4d9d45f3321f8fffd28d95f66985bf162870d6146827a5dbc1ad26333c8f1

SHA512
fc52f3f73ccb236fd65958278496d5fd6ba2868c14e5abd9426c981d284f81076cd40a1f00b4726d037304e060f17c3a1b3debf662ed15886b74be792acb2be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
534a38b4786df182a50ad445b3d812a7

SHA1
b3d2de5c8ae01a96cfda4295ca1bc1d5f31cdebc

SHA256
7c2c7253a78596967c311f000d33d83039847d1c160ca864d5a0c5fa9f898680

SHA512
c6dd4d8036696b7abf57ec96cce67ba249d6b986366ee93cc4d93dc7ad6e6d3060097afce0ecb7a450599bb559bef96ec06d1f9682b8996ebc8cb0899b42381d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
86914eb8832117a18eb34385a2033be0

SHA1
90dd4a851e8400eb26857d93aa67db59d3cbdd04

SHA256
26c1a46b11b4567b28b10c89272877195ced9090d45f35dda4eb2e4d3e70de26

SHA512
12dbdb59a7e1f6488dd95f7af193cb647200a0d07fb10f2a9e3e8b3d80d659d24e7da61e713f702923be836e97afe2d67accbda857ac925271645616692446c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
6452bcc002b331c749608e27a4ec6861

SHA1
a6f496663a2f6c02dc143553d4fc30c1ca149f89

SHA256
02e0aa4207a6bbc3c8a0258a9866df441aa5871059156c5ac9f4b033ee973d69

SHA512
ab92496765c4ff736826bb7a6d37bb3d909652a1d16544bdcdc8618f219d22cd0802b1c54f93a5b37cf640066d6ce98b7ab8248db9e0652138c92c2f633d5f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
16KB

MD5
a039a303b0206924694fa9bfd4ec6fa4

SHA1
e9753ac9d286450e1859d8859da1871b26d05da9

SHA256
5d92b02b81c9a25cf022bb2e921563c8edd82717a668479e0e9fd44dd571ed2e

SHA512
1d974edb7946fbd60f415ef00da186e8cff0eb59e99d6d6a080381e1a83ec2464b2507a798778acc0ea24df5c7bba8fa207a86140d01d8e196ce1a39cdc72a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
3KB

MD5
3c1f7121bcbbf5b77e697a190ab467a3

SHA1
5c6660ef16e1277f011e2c135a1349587c98e6dc

SHA256
fd7e3e925e19ef301b21dabaa7e4fda3c7a438db944761e84308824badc9e5e5

SHA512
47ddfe77ebbbe0342c3a2d6b592d2ba39bb19fe4924a788fbea6891335ec11d96be3f45c76cdffcbc56feeb42582cf6d377da2f41790c24cb353522574930e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
cc511157d966f69ba4586020b24f1641

SHA1
e609c662aafad057057c81f7f7ecfdd584481728

SHA256
2fd7bb846b8386dd2a2a0a459d4c34728747995a3d90c0554936a3533fe20452

SHA512
0c4b780b8b067909338cb2278ed7a548da8035c5ae019dc3f724190d0a522934b54073c7e68c3efe88d26d77a169db2a286ff7de330f03c133e7c6b13d789982

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
746ef9938c15467b40e7891e57bb4f9c

SHA1
118d633974f3aae73a1ff7f8e74a29fde6dd51f1

SHA256
1fd4a9dfc3890db2493a754f8cc2dc9a723651b8ca9b28673ec5d52795121146

SHA512
5cfdf65945feb8e0215398e8341504517ee4f5e0d90673fec54f30f7858c0cd0278ddb7e89f8f53e1cfdb4ff3517f141489c8507b46b5dc594cce2e7a08dc2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
80b512fd2e5643b44c0b2414d5282a7c

SHA1
11ad8f8b2eb2226156d7db156ef56fc440d1cef4

SHA256
0023e033ce1f79ce18bd2ec1a2adb740f6ffa6629bbaa5623b4bd98f3a831ee3

SHA512
308f995f506c4cddbc7a6ce326b2ae9753801cb9f8cf2ea6c1ae6890182b8c6c9e096ba2c250d0607c0b88134b2eec21c629221d0280a59f7eebb64cc1ce7e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
620ca81411252164704e401c4e7e3a2f

SHA1
25d5f90249a1ce7e8370afc151a362701e3756ac

SHA256
9262a099d0baea3381c8bc304aced588c86cd84a08188797a65ece67ba225cc2

SHA512
9314eff9a6f9a990f2eaadcd32cc83d0d499cac940cd5109cc38c1576d63ea3b28d4803132fecb7e9c1a43cb4e8f119e447fffe26b8ad3f89b843f046143d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
memory/812-107-0x0000000000260000-0x00000000002FE000-memory.dmp

Filesize
632KB

Download
memory/3512-99-0x0000000000260000-0x00000000002FE000-memory.dmp

Filesize
632KB

Download
memory/3512-0-0x0000000000260000-0x00000000002FE000-memory.dmp

Filesize
632KB

Download