1119734cc864c8cc7fe743f8156f0ee1d41e194106aad72749ccd2f9feb392b2

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7736cb8173b75debc546b711580f2489.exe
Size

227KB
MD5

7736cb8173b75debc546b711580f2489
SHA1

9f9a18e7c0d7ab949612ebecf9b85fbbf05ee78e
SHA256

1119734cc864c8cc7fe743f8156f0ee1d41e194106aad72749ccd2f9feb392b2
SHA512

b0c0f05b46304a62711e917bcb3d2bf3894a0f4ace408761d58662e77fa26740d7ed9172df79fc73ea577b89520f7d28fb733fa7951f9fcbc9c42304fff8e5bf
SSDEEP

6144:CifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRVa9:Vfk6kDqHw2hmxlrz2HoSRU

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	7736cb8173b75debc546b711580f2489.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4508-0-0x0000000000AE0000-0x0000000000B7E000-memory.dmp	upx
behavioral2/memory/4508-192-0x0000000000AE0000-0x0000000000B7E000-memory.dmp	upx
behavioral2/memory/3516-193-0x0000000000AE0000-0x0000000000B7E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\utils.jar	7736CB~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	7736CB~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	7736CB~1.EXE
File created	C:\PROGRA~2\Zona\License_en.rtf	7736CB~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 1504	4508	7736cb8173b75debc546b711580f2489.exe	55
PID 4508 wrote to memory of 1504	4508	7736cb8173b75debc546b711580f2489.exe	55
PID 4508 wrote to memory of 1504	4508	7736cb8173b75debc546b711580f2489.exe	55
PID 4508 wrote to memory of 3516	4508	7736cb8173b75debc546b711580f2489.exe	92
PID 4508 wrote to memory of 3516	4508	7736cb8173b75debc546b711580f2489.exe	92
PID 4508 wrote to memory of 3516	4508	7736cb8173b75debc546b711580f2489.exe	92

C:\Users\Admin\AppData\Local\Temp\7736cb8173b75debc546b711580f2489.exe
"C:\Users\Admin\AppData\Local\Temp\7736cb8173b75debc546b711580f2489.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\7736CB~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\7736CB~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
2e47f756ab74b5ed37f04cfac5fcbc1d

SHA1
5e215dc6ae00e8b1f8a6b50d708e188afa707b1c

SHA256
40ed4a7f35899f111c1286d3da71210f38e446a60f7f7bf1647db35576c8f60c

SHA512
7c9df6f5e5a2dca9086a61bda05cf16a420a01973199bb6377fd2142d5b4880b958cbb32ab6690b5fcf8268df19cd0163f0002ba716f6976dc58f7adec10b3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
3fe4f3d179770e17fd49756003275ced

SHA1
fa8083424772af34baf3371a2727fcd8e6073038

SHA256
72a9d061f9036eb3af45047c00cc0cb72c250caaa29677aa801f8958eb3cb7a0

SHA512
3a2932d84d076d2c2bf2664123f128823c58cc13a409473ef71e9a90bcc7f6699a44fdf6403417fa4993733aca3c16cbe11f2de1020047defd9cd470214dce81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
4608e8ff2fbb1d65c9f198f2355a2048

SHA1
5e066c207426bc3597113b8f70b2bb93d8962ff2

SHA256
7ca275e81f58493b344177ccfab20e3b7382dcd31ee7293432cabe56c279f815

SHA512
b8ed13ff0f333cd243456c35b99ab29ce27407ec8e42b34fa877f6fe3a15b76ebfc039cb145868792f28f8e2d95549a77bd3f39e74bbea5bdf1dc48bbe65a799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
570a54567db29954b473cfafe930925b

SHA1
8c4b09cfd09c1592a7e4fafe8ef2a4c2930fb4c9

SHA256
6639db245a9fa23895dc9fae500398220435aaf07d800eee5990a389e61374a8

SHA512
7a23b6b6e7302a329b6c6b452e20beb7654f2d24d4eef046d73fb41d40bfc219f4b5db7b1be669b1fa0f20b052da2124c243d973e962d3f35db974c1c55636a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
0845a6f915306409894d8145e1109de1

SHA1
ca73c553fe4818bac5e7ab32d37ed646ae4688de

SHA256
8db48ae0f45dd13c77b58eff3562c75d7883d3cabbc259302ca57309497ce0b5

SHA512
3aeb1f0e12643fc6ec17d24808d9b4c63872a3318dbe894aba02e46749c22d6b7598408900d196c36b8455f06b8bcb57a35da92892eacce979d924452a3e0824

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
d4ac9a232cd381f41b60c54612df8739

SHA1
c83b9b5ccfd491df73172a761aa64286c5e888b1

SHA256
71a8ce9f69bf24eb504543d65a3e3dca156b2e9d0c1c40edac616b850cddb53a

SHA512
c327e79de22aabf4487939a042e9df7077c6f227ed106c761e4d21cc3e2c1922c9af80489cefc8b3d168d15ccfdf6a0f1babced457c8986d2f0d6435d291381d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
ceee332b02ab99f340411e0c2a4f957b

SHA1
73c0f1d3ee101b3ce44c567e0895c6a53754570e

SHA256
13661bf0aafb5d78fb63c2802da5a8668d8100f467a5d85a2a5ec2669bcc9535

SHA512
323c4f40e21b5a66cbba1a197a5e32e16b8d70a6f5c7bef18f01c3253e00d5789d4bfa75e8a8f7de168f5270ec0116d18863e10da939d2aa1eab4fadcb8ec0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
eaff35e22b07d85294a3e3242695d409

SHA1
b982bbd22e42804c4ba474c44183a8e5121d7b2b

SHA256
bbd359b0364b53ddefe6f2320b0f60680634950c7871203ce07762eab70fa0d9

SHA512
f527685cb43d6ebe90a065e09684135b0ac75f076cd393a5ec6157194a3caafc3f128384729d1f8934d60be329ec409b7d0aa15256c8048c1a756083b26d36a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
3KB

MD5
5ded3c27c21264670b20643a56b6fa7c

SHA1
761f19c130290e5ed5d1815c8bdaee141a6b5d53

SHA256
587d9eb390d9ed89c5aaecb79d2aac2d9e264465bf06ce0cf6c8ee0b9400b624

SHA512
c7fb26194671c05ffdd1af78ba2ca1666595684c8ba985f090cfa76917c196505e435f2d0e945827b1035d8eba25044216c100caa6794d24a9e497e31ab10404

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
1798dc5fcb82f5b612f6f8c72ea5be22

SHA1
d7400a39a0969d924382e77c25d103e308220aec

SHA256
95964311bea21717c7d9473c01f39464e56889a75c6148568a34542a905ed9ae

SHA512
2187782cbe48226269773ea05ee09b73d8e6b7aa816f8055f2298aeb62a23fc15e43e27931546ce425eee6a5650ae20bf952ed6502cd9000fc6a8054b22118f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
4b4c4a779e60272de95a1412d8816d88

SHA1
a0ddce9bfbc12e1df0b33b9a3b60dcb754ae746b

SHA256
5a652a3a9cfe2f6f91c7689db558b0fe3a80c27188d3ccffc3b173ea04e0c28a

SHA512
0af654a60e9946613eb90f8153938c628ce6e87d5adeaa0af086e808c2f2c84d392d1c33d238f51b3111e17d4bcb2d8ccbb8825addfcd68868d49472a5bb6a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
7da0ffe832f7adc933f21a57a912bec3

SHA1
efd99212bf7ac7dfae576d9dabd65ad4251ee6df

SHA256
0b1b0833e35103c7482df2febf911d2a2c28a63b545daabe5dd9370efaa009ce

SHA512
9a324917e55ab08265711761d7e9a08a5dbc59777d7e07148c5cc5c82601f36e408951a1ac21bf4e83b69e8549434739f6ffba427e2dc3a0a4bce38c7ba9afb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
a0d5587485c2d8f0ab12604bef099a0a

SHA1
94748e6e896880fa82ed898d82eb2a09f5c5357e

SHA256
e3d5c6e83735f80f95bd89fea819f4bf67fd1941ea208c34767ea6330b72d88c

SHA512
ca5876374ac80967fa50ea6b8eb1a4587382b0a9cfc8746d1aeb7f603c3a82127c11f651c41b40b00e6ee7e573b25c84c7c102c776f7e4e193c3ed3a596882e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
47b41505111dfbb1ba62613a1bd2f20c

SHA1
734134fb4f13b4032ef9d29a425d0f531e82f51d

SHA256
55cddadfd497fb829bf2b6895d4a7f04c77d7a865108812669eb3704f6ca51ff

SHA512
58b31c1c9ae0f4e7d3aad8486ee6c47fc2203d18977491dc2782e349c46edfa71f924fcf87bbeda66b85da470ae3166ddd7059ebb2f80053e2f4e3497b9cdcd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
2b0145a508b362a63a73e8db54544344

SHA1
fd8fce2f88b53a6b2ad81e34881bde4fea7be182

SHA256
53c429e304509e3d008ba480c33616db18169f2e537ed6a17ad6428766021f0b

SHA512
dfbac6f31b138f938c99d450c369379c8fd6fd42364ab78fb30492736bcd1540920c4d001cc9d36db7828d4f7d4232446107192f0a47eb3e6f0bbca2bdbbd53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133507414018850661javaSetup.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/3516-193-0x0000000000AE0000-0x0000000000B7E000-memory.dmp

Filesize
632KB

Download
memory/4508-0-0x0000000000AE0000-0x0000000000B7E000-memory.dmp

Filesize
632KB

Download
memory/4508-192-0x0000000000AE0000-0x0000000000B7E000-memory.dmp

Filesize
632KB

Download