zeppelin | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

13-05-2024 17:36

12-05-2024 17:17

12-05-2024 16:15

10-05-2024 18:05

10-05-2024 17:48

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

zeppelin persistence ransomware

Malware Config

Signatures

Detects Zeppelin payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe	family_zeppelin
behavioral8/memory/316-35-0x0000000000820000-0x0000000000960000-memory.dmp	family_zeppelin
behavioral8/memory/2520-45-0x00000000001D0000-0x0000000000310000-memory.dmp	family_zeppelin
behavioral8/memory/2520-46-0x00000000001D0000-0x0000000000310000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

default.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation default.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

3320 notepad.exe
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

2520 services.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	default.exe

pid	process
3320	notepad.exe

pid	process
2520	services.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

default.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	default.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

26 iplogger.org
28 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 geoiptool.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1780 2520 WerFault.exe services.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

default.exe

description pid process

Token: SeDebugPrivilege 316 default.exe
Token: SeDebugPrivilege 316 default.exe

flow	ioc
26	iplogger.org
28	iplogger.org

flow	ioc
1	geoiptool.com

pid	pid_target	process	target process
1780	2520	WerFault.exe	services.exe

description	pid	process
Token: SeDebugPrivilege	316	default.exe
Token: SeDebugPrivilege	316	default.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

default.exe

description	pid	process	target process
PID 316 wrote to memory of 2520	316	default.exe	services.exe
PID 316 wrote to memory of 2520	316	default.exe	services.exe
PID 316 wrote to memory of 2520	316	default.exe	services.exe
PID 316 wrote to memory of 3320	316	default.exe	notepad.exe
PID 316 wrote to memory of 3320	316	default.exe	notepad.exe
PID 316 wrote to memory of 3320	316	default.exe	notepad.exe
PID 316 wrote to memory of 3320	316	default.exe	notepad.exe
PID 316 wrote to memory of 3320	316	default.exe	notepad.exe
PID 316 wrote to memory of 3320	316	default.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
2⤵
- Executes dropped EXE
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1880
3⤵
- Program crash
PID:1780

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2520 -ip 2520
1⤵
PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
2KB

MD5
c8bba7924f37fd3d5c549ad50f16a2ad

SHA1
a199efd5291fd7503e0b4e7362ba863bbe29efca

SHA256
f8d1b39724533e12eb12277a4be596b50af71e83693f6099d131d32c04c2c4e3

SHA512
9f7813de321580e241dfb0765804bde11e88bddad94ff33d7b89b8454107708f488e965e5b1be1847ab3e3e1080f137816f7ae2762a9478a7fa033a01866b163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize
472B

MD5
a08472e3b6458d84da6ea50aaa44ec02

SHA1
624f1766112acb8f45224b0658d512801eb93756

SHA256
3eec2f4519bbfa97b8ecc3d64cbc767de28366dbbf0fa9209ded49741513c98a

SHA512
52b82242f6012a12318df97f5ede1d0dc776a1f366afcd422a5df3292b8a2239e4995b9c3a6da5fc57f3fc06e59a3e208ed329d1e2fe1903b779bf556a0f786f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
a26045c60badc3ea12344117b7bc4403

SHA1
e042d0cb3844ca44869d5e01a2e427144b458556

SHA256
69872c2a3c0bdca24598431943ea06f46d2a28bee615698ae09ba335b1cfa925

SHA512
7b0e7562480066d929e4dce2201ced8be9e7d309d28ada04d7779a9ab232ee4bf5a8ba89317865eb382250f8f529c0c0b95d8eb80cff800e595280f2f395d7bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
484B

MD5
e17eb47c17c4804828c46a08e68b10fb

SHA1
7f70c88bff9f127ce3b0e113c2a0de7c0efefcb9

SHA256
5c4a2457048125d6a0960e88c64f43ec0e63bf76211911d050d1cf5a01f97bb3

SHA512
3d46a4ef7f934fd8ec8e1d577d4aa761d28491eac43b7fa2084ccae9310bc411bd2dd99d01485f72d876503130a52d618e30daa3214396397d313fb5b2e7f94a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize
488B

MD5
dd89bd3ab002b2c40eb2ad9a6b72faf7

SHA1
4d7da00c49f3ebf289f38443525cdef232b74d19

SHA256
021c630bb4559b0e4d3d5cc3558167948371d761b8d00ec40b9d2b7f25d6ab1d

SHA512
1a9dd01a8d73eb7150bd3f30c45c53acb4193db57f804867c69c4cbd9ef14f87558a198a0ebde369a20108d39939d1bb3f4fbb3886667e98d28537831ef709e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
84d3b5f38894bc2c742828d1bda4391d

SHA1
36e3064a5ae24cf461ceb93f1dd743d25369a2e7

SHA256
6991ea0bf8ae5bc4929594b1a16b77353df61961eed4453f752890f65b2d23b9

SHA512
4dce3af43cdd06d8f014ed6a0bd640a2fb1b0f4879f1b92fc33cf45cd7bf496d94509186463d39c1f9e19573b978b30f041e914631ae44f0d485fa48252308e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\MCFBQP69.htm
Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\KYGX2XTJ.htm
Filesize
18KB

MD5
46e7f28a55cdab07533424725a04b9e5

SHA1
48a915fe8958b0882f364b1e0ceb37e7b7948319

SHA256
e40cc25f9a709e182c284705b0b50b448deb4b1b81b456a633638003db77068b

SHA512
717be51be74aa8b36d714f35942d40c8c18bea13a49d293681e16f1b10dfbdf3887a887ca40688348eee38b10ec80c96a17c338378c315c70d4abebfd42e9076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
memory/316-35-0x0000000000820000-0x0000000000960000-memory.dmp

Filesize
1.2MB

Download
memory/2520-45-0x00000000001D0000-0x0000000000310000-memory.dmp

Filesize
1.2MB

Download
memory/2520-46-0x00000000001D0000-0x0000000000310000-memory.dmp

Filesize
1.2MB

Download
memory/3320-23-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download