0514513dd2c53cb46149cf4d57eb6ff29863f9d5b7d1d8dd122d99a0210dae3b

Analysis

max time kernel
142s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0292853e8e5fb47cade7d20275690c9.exe
Size

227KB
MD5

e0292853e8e5fb47cade7d20275690c9
SHA1

4a60c7d277a0fd592c6a8c163752e0b8a6a83858
SHA256

0514513dd2c53cb46149cf4d57eb6ff29863f9d5b7d1d8dd122d99a0210dae3b
SHA512

0bbb195c81b76d6e65c9f1042f2cfc7983c4627c73ff95289cc0c2c144ef5c03a145583102da05ccd299a6198a76cb8131ca35eddbc531c8abd08fc02f489bc3
SSDEEP

6144:KifApVMqplDf/h5O/lBC8+2hyDRlX7llrnz2P4t8oSRV/0:9fk6kDqHw2hmxlrz2HoSRm

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	e0292853e8e5fb47cade7d20275690c9.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4548-0-0x00000000006E0000-0x000000000077E000-memory.dmp	upx
behavioral2/memory/4548-163-0x00000000006E0000-0x000000000077E000-memory.dmp	upx
behavioral2/memory/4540-190-0x00000000006E0000-0x000000000077E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~2\Zona\License_en.rtf	E02928~1.EXE
File created	C:\PROGRA~2\Zona\utils.jar	E02928~1.EXE
File created	C:\PROGRA~2\Zona\License_ru.rtf	E02928~1.EXE
File created	C:\PROGRA~2\Zona\License_uk.rtf	E02928~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 4232	4548	e0292853e8e5fb47cade7d20275690c9.exe	86
PID 4548 wrote to memory of 4232	4548	e0292853e8e5fb47cade7d20275690c9.exe	86
PID 4548 wrote to memory of 4232	4548	e0292853e8e5fb47cade7d20275690c9.exe	86
PID 4548 wrote to memory of 4540	4548	e0292853e8e5fb47cade7d20275690c9.exe	91
PID 4548 wrote to memory of 4540	4548	e0292853e8e5fb47cade7d20275690c9.exe	91
PID 4548 wrote to memory of 4540	4548	e0292853e8e5fb47cade7d20275690c9.exe	91

C:\Users\Admin\AppData\Local\Temp\e0292853e8e5fb47cade7d20275690c9.exe
"C:\Users\Admin\AppData\Local\Temp\e0292853e8e5fb47cade7d20275690c9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\SysWOW64\cscript.exe
  cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs
  2⤵
  PID:4232
- C:\Users\Admin\AppData\Local\Temp\E02928~1.EXE
  "C:\Users\Admin\AppData\Local\Temp\E02928~1.EXE" /asService /logPath "C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log"
  2⤵
  - Drops file in Program Files directory
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
e139042c2d62623f61720fb0d055ed46

SHA1
983921e763093d4394b0f0841ec840a9c9d78de3

SHA256
ef2eb4b4a7b8b387e8b6ef8f98c79a1b7f143304b62711f609ada619fb5ed467

SHA512
453aeb5cc8b277438e4f80f0f58073edf81fec017b33de09c86d2fbf578eaad9514db28520a02f820589a81fb81ba98249d23a56bc47aed964bc817bf274ff1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
bb45ce96ccce712900a4182a6f0bd2bb

SHA1
5c55fe8f4b96d8a76fe0a343470de8803132eb54

SHA256
4ec22466918f0b837a0c0ddc6ac2321cfb332257b66fe2d27facbeba75897494

SHA512
9eff837daf4a20dcc9e12520d06430951f7454d24c1a4d4b259ad71fad969339ffc11d7d0fab8881fb39786e029c961a973019fc9c7ce23782c4e520fb1aba56

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
8KB

MD5
3157f211166d8b2596182cc28c4ac41e

SHA1
559a8f953cfbe0c3ff8e9b1ed2ad2d059b95c5d6

SHA256
8e1be3aae63af7b1d6c7a23202f56a697edac97094e8d4b262340b085f9cdcfb

SHA512
b5a9c2e72cbaac322fd5f5a59ef33437170383acb2b29cdd5c12866f47b97b0a2ca215d554283405a1425aefb8f9271a005c4ba4c7ff6c2fd7c9baa702ff6659

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
ae83171e5328441df045066f8ccdb19a

SHA1
90ea2ce668fe3475972d4e493960aea1b5f1905c

SHA256
abad90df39bca19a5116674327bb8007452571f75f96f286cd47924a1026a1b6

SHA512
2041cd4ef3ed3d31797617ae78eb2d785ed271e43c584a4bc0d2d925434f7d851bbabf952d606dd29492c99807c54483abbbdfbe43c8662ff8e7f38f7301e7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
9KB

MD5
537b2601b8696f024bc18b9d5df9dc21

SHA1
7d896cead2a4328289ad8aeb8b004fa93e99611f

SHA256
f49de0fe5d3027f1df6a6faf448b51b7b034ff296a00688f1a433d6218ba54d8

SHA512
8013d8980c280d669fc900c4d16c57ad85790749f69e679357a928a03f57e60c882b8c8540a0d421605c17142df85f609e12b9d75117e55fd9aabe47e517ff8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
2KB

MD5
26364547330a0ae9fbf4194b2b4c3e60

SHA1
c3532c7bcc13225f9c6b10e759d637ca326345bf

SHA256
4f6c81c9f55a177d9815e1445392d96a5d07527a23b4bc5afec5418b60a190dd

SHA512
2bdb03a9b2d1ff0a00e736fe10687b9eb79cbf878b8d2aecd5c07d290999a9cb2c303372943f7e7214f3e18247130cb0548ab519fd64dfaae8922c62b00c806b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
11KB

MD5
87a290c8e49b3f7ab28a6704dfcbf631

SHA1
c780b5deb6322d77f480aa03bcfeb2f70ff0e272

SHA256
85410301a3d4735b1542352cb18e66dc5d1111b96d5f2f65a1856e28779080f1

SHA512
144e663721fe3a9d056bd5d727b87b94e862ec782335f89ff0e5219a87e934347f60b38d7aaea0488ba1fc28a0ec02ea3f2dbeb2b4dd2510afe672e91b2a0b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
12KB

MD5
2248ca4d8bd363eae95512b25815c356

SHA1
6309c0bfc8f4b8ee0ea6ddd8a24e91eba91e1c4e

SHA256
02990f4204cad5aeb20469c0c6c0a7ce670ba986c23b4e0a749fe4ec3d9cbf01

SHA512
770d5c10b70f77d85800a21f5862e52273bc04b1b81d46898caa93993b956aea338001e78e8e9ff771c11be5226474fcda6e1333937e44667668430603f2514b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
13KB

MD5
6ed7afe618b5816470d246ee5bb0057c

SHA1
24b92b5074cbe28e544520afa4d8fcb65a5d55eb

SHA256
1737ae353d9526810b84c0961914558eebd795a25d901c66dcd1b9a7ced94d2f

SHA512
934e65625890616d87e93cb7ba3469b443624fd658a51cc88a0d83a5351d989851923cd8ec9ecc747df2631c444d49dc73b11d692d54908105b0d3820fd0d81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
0442d784233c949b6f2fea30a232a2bc

SHA1
74c95e5eaa73ebbb10169b84e15fa1e69ebbbeab

SHA256
9f798824f2f7187a6bd0f067fe2c0fb4ad27ba0bafad6e691f07629bf3e7fa29

SHA512
1a7f6fddf188f06b6f25cdd2c4b3317030f5e682de6da03658b2299a11425a937d319b6d65f104b2117766ae5c0d8a75ea7fb173165575e4d9a34b7c37aac8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
4KB

MD5
e6bcfe3865b5537141ed6389dfb8a76b

SHA1
14d4344261cce8005e400412d3640e84426d4209

SHA256
7ac824a4aa1517b634ef9a926595ed1cc824d48d652899ace39af5faf1f85ed4

SHA512
263e5908867820e5bb49be31bf40584ffcd71726244f8a2024e5a5936f84e6b7ceaad2463545696f6e1427c2a08bf5b44f954bdbbd7543cc04420794364e03ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
5KB

MD5
9d7dbe25ef8fb556cc96cf0eb89070cf

SHA1
822e845fcfd14cc22813cd8926b58c9e909f1724

SHA256
5a6a96d9fc3ea44df5a55a9e378428922ac6339726b6d17ac27c81542cea3ca0

SHA512
95ae4bfec50f71e0f5466ad350f8c49926a9db57a2358d6bf5da4fa2d634d935a4e6affb900c8f84ebaeafe2e83d645ff2d5d032fa5b0505dad9f9d0eb119778

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
b33a9e848171ad20c3def055224db75d

SHA1
5e51e5830fee7364b04a300ccbecbeaa8a1edf14

SHA256
f339f294079d43c4fbc77221e5b4bda190e0b0dfff11d4e17c10a5c863c0f504

SHA512
643f317042d1837a448843a1262e5acae473be47d0d4f1f8c6e5fb9f3c15a10fc0be0fd6a1f72fa0728fc0420976656069c180365e9f3c07c567f332c4249321

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
594B

MD5
5ae00fed0771ef63767422c227b94f67

SHA1
5b8f96d8ce5eeb2be082696aa5199dc815754759

SHA256
c836cc83e7ae387fdb987f7564dd26cf29e9c6d1e34b9cfa9a5a406092125f4c

SHA512
3a67856d4b116f36108cfd976037607949fc4b4c53a3228e9d6b7ba252b4c2836e98ca7ef32fe46cd6f594d24ab6a418bec495e8892d5c881bd68c11ab4d578a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
6KB

MD5
cb54ce6db8cb25398bd34fe408e556a6

SHA1
10946abf48852156a22f5b0f8770e1424d216d7a

SHA256
18dec3e1e45e8a941152e01b0e5b76eab5418cde477fe8e8361f4eddf64e2b47

SHA512
c76c69ce2cc4b4d25e63b423c05f1db5bf127bb15a5b24ce5e07cd65e967cc58bfa3f1aa655ce819352042f6b700bfc5fd97951095e21d80f5118b39087b00ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZonaInstall.log

Filesize
7KB

MD5
ea32e73aa173aa0a55c370d50a409a18

SHA1
4cf9f62c97239db1b9dc6d7d8a9cf46a5e62b92d

SHA256
92f8c4dfd40a90fc6f0c1981f51b7fcf538b669e4066d283ff71e77589d6765b

SHA512
8b2914169d0fbd3539a0fa65a9d7ab5c5f8d2f1c915c00b59f0be8490ab5d7c8beaee03c2681952c9b0038ae11b6b88ed968a93caf094e59af54cbae3c3e7e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hd.vbs

Filesize
245B

MD5
d8682d715a652f994dca50509fd09669

SHA1
bb03cf242964028b5d9183812ed8b04de9d55c6e

SHA256
4bd3521fb2b5c48fe318a874bf64c6b1f62f5212b8c88790006cafaf31d207ba

SHA512
eaa39d87002df1eea16b215c9f099731253b7af72e46b12f64423874dbcdd8f68a164d7641bafb3f854aa6ad8aa7269da59ed0b32cd41eccba5d6f296f9a52ca

Download Submit
C:\Users\Admin\AppData\Roaming\Zona\tmp\133560694643788345javaSetup.exe

Filesize
153B

MD5
a53e183b2c571a68b246ad570b76da19

SHA1
7eac95d26ba1e92a3b4d6fd47ee057f00274ac13

SHA256
29574dc19a017adc4a026deb6d9a90708110eafe9a6acdc6496317382f9a4dc7

SHA512
1ca8f70acd82a194984a248a15541e0d2c75e052e00fc43c1c6b6682941dad6ce4b6c2cab4833e208e79f3546758c30857d1d4a3b05d8e571f0ce7a3a5b357be

Download Submit
memory/4540-190-0x00000000006E0000-0x000000000077E000-memory.dmp

Filesize
632KB

Download
memory/4548-0-0x00000000006E0000-0x000000000077E000-memory.dmp

Filesize
632KB

Download
memory/4548-163-0x00000000006E0000-0x000000000077E000-memory.dmp

Filesize
632KB

Download