zeppelin | 64c665b2dbdaca4a20aaef96d625091757008c88b49d71070e4eefcd45d986d8

Resubmissions

10-05-2024 17:13

240510-vrrk4sgd7t 10

10-05-2024 17:09

240510-vphv7abd29 10

Analysis

max time kernel
103s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

zeppelin persistence ransomware

Malware Config

Signatures

Detects Zeppelin payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe	family_zeppelin
behavioral14/memory/4412-35-0x0000000000960000-0x0000000000AA0000-memory.dmp	family_zeppelin
behavioral14/memory/4788-38-0x0000000000940000-0x0000000000A80000-memory.dmp	family_zeppelin
behavioral14/memory/4788-39-0x0000000000940000-0x0000000000A80000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

default.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation default.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

848 notepad.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

4788 csrss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	default.exe

pid	process
848	notepad.exe

pid	process
4788	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

default.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	default.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

35 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 geoiptool.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2124 4788 WerFault.exe csrss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

default.exe

description pid process

Token: SeDebugPrivilege 4412 default.exe
Token: SeDebugPrivilege 4412 default.exe

flow	ioc
35	iplogger.org

flow	ioc
1	geoiptool.com

pid	pid_target	process	target process
2124	4788	WerFault.exe	csrss.exe

description	pid	process
Token: SeDebugPrivilege	4412	default.exe
Token: SeDebugPrivilege	4412	default.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

default.exe

description	pid	process	target process
PID 4412 wrote to memory of 4788	4412	default.exe	csrss.exe
PID 4412 wrote to memory of 4788	4412	default.exe	csrss.exe
PID 4412 wrote to memory of 4788	4412	default.exe	csrss.exe
PID 4412 wrote to memory of 848	4412	default.exe	notepad.exe
PID 4412 wrote to memory of 848	4412	default.exe	notepad.exe
PID 4412 wrote to memory of 848	4412	default.exe	notepad.exe
PID 4412 wrote to memory of 848	4412	default.exe	notepad.exe
PID 4412 wrote to memory of 848	4412	default.exe	notepad.exe
PID 4412 wrote to memory of 848	4412	default.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\default.exe
"C:\Users\Admin\AppData\Local\Temp\default.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
2⤵
- Executes dropped EXE
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1776
3⤵
- Program crash
PID:2124

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4788 -ip 4788
1⤵
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
2KB

MD5
c8bba7924f37fd3d5c549ad50f16a2ad

SHA1
a199efd5291fd7503e0b4e7362ba863bbe29efca

SHA256
f8d1b39724533e12eb12277a4be596b50af71e83693f6099d131d32c04c2c4e3

SHA512
9f7813de321580e241dfb0765804bde11e88bddad94ff33d7b89b8454107708f488e965e5b1be1847ab3e3e1080f137816f7ae2762a9478a7fa033a01866b163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize
472B

MD5
a08472e3b6458d84da6ea50aaa44ec02

SHA1
624f1766112acb8f45224b0658d512801eb93756

SHA256
3eec2f4519bbfa97b8ecc3d64cbc767de28366dbbf0fa9209ded49741513c98a

SHA512
52b82242f6012a12318df97f5ede1d0dc776a1f366afcd422a5df3292b8a2239e4995b9c3a6da5fc57f3fc06e59a3e208ed329d1e2fe1903b779bf556a0f786f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
a26045c60badc3ea12344117b7bc4403

SHA1
e042d0cb3844ca44869d5e01a2e427144b458556

SHA256
69872c2a3c0bdca24598431943ea06f46d2a28bee615698ae09ba335b1cfa925

SHA512
7b0e7562480066d929e4dce2201ced8be9e7d309d28ada04d7779a9ab232ee4bf5a8ba89317865eb382250f8f529c0c0b95d8eb80cff800e595280f2f395d7bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
484B

MD5
4d4e13cf70e12ec9ee679f9009a71d3e

SHA1
7128cf173eb46b5e450b3f087c3e9e2548cd81f8

SHA256
53e6883cf98b8da448902160f7f6da15c15dfc3f0fc87c4f3ac2a3cdec8abd28

SHA512
662734429aa5707028ecbde5b2da67e12d73768c8e89c90c24659aca0a15f0a24f7e5dd5614e9ef04d75f602b081b59bebe3cece6897ab9439259bba540dcc23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize
488B

MD5
4ec05d2dd9c0f94d91f6639191669702

SHA1
bb48b6036b3357843f41d5374b3c07798798fefc

SHA256
c10fc67646817520d75e4ee4074cbdef06ebaab1eddd979f4e60a521c5055363

SHA512
9b2d5321f78b5e220b5cb65b0e371b69658123c7f889e647d9dea50e05d9d8b68108fabf92b21dee73db57958edaef21df47a8a64f8ae2ddf87b072942aaa78d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
a29c7014c0d2f88b18dee8ccdb8c9745

SHA1
3bb458da2345d96732c300f876218ab6db00a1bc

SHA256
99a1f806ce5de4cb25b714b023d6d92d648f4fce3097f2c235bc18eb2f7ec4a3

SHA512
1d82ee7e242e46285e4c29be05c454f0168e9d26bf82f2f23ff83f33ee607e867129cd6d14ba4fbc50576c1bf584a9576795c2be8aa3d4436bd9d2f7eaf68e25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\UYG3R6HZ.htm
Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\ZFA9N6YU.htm
Filesize
18KB

MD5
46e7f28a55cdab07533424725a04b9e5

SHA1
48a915fe8958b0882f364b1e0ceb37e7b7948319

SHA256
e40cc25f9a709e182c284705b0b50b448deb4b1b81b456a633638003db77068b

SHA512
717be51be74aa8b36d714f35942d40c8c18bea13a49d293681e16f1b10dfbdf3887a887ca40688348eee38b10ec80c96a17c338378c315c70d4abebfd42e9076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
memory/848-23-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/4412-35-0x0000000000960000-0x0000000000AA0000-memory.dmp

Filesize
1.2MB

Download
memory/4788-38-0x0000000000940000-0x0000000000A80000-memory.dmp

Filesize
1.2MB

Download
memory/4788-39-0x0000000000940000-0x0000000000A80000-memory.dmp

Filesize
1.2MB

Download