Overview

Overall score: 10/10. Per-task scores (sample, platform, score):
- Static analysis: 10
- Dropper/Berbew.exe (windows10-2004-x64): 10
- Dropper/Phorphiex.exe (windows10-2004-x64): 10
- RAT/31.exe (windows10-2004-x64): 10
- RAT/XClient.exe (windows10-2004-x64): 10
- RAT/file.exe (windows10-2004-x64): 7
- Ransomware...-2.exe (windows10-2004-x64): 10
- Ransomware...01.exe (windows10-2004-x64): 10
- Ransomware...lt.exe (windows10-2004-x64): 10
- Stealers/Azorult.exe (windows10-2004-x64): 10
- Stealers/B...on.exe (windows10-2004-x64): 10
- Stealers/Dridex.dll (windows10-2004-x64): 10
- Stealers/M..._2.exe (windows10-2004-x64): 10
- Stealers/lumma.exe (windows10-2004-x64): 10
- Trojan/BetaBot.exe (windows10-2004-x64): 10
- Trojan/Smo...er.exe (windows10-2004-x64): 10

Resubmissions (submitted, analysis id, score):
- 21-06-2024 19:37, 240621-yca7cszgnd, 10
- 09-06-2024 17:07, 240609-vm7rjadd73, 10
- 13-05-2024 17:36, 240513-v6qblafe3y, 10
- 12-05-2024 17:17, 240512-vty3zafh5s, 10
- 12-05-2024 16:15, 240512-tqd3ysdh3t, 10
- 10-05-2024 18:05, 240510-wpghssdd27, 10
- 10-05-2024 17:48, 240510-wdyypscg56, 10

Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 17:48
Behavioral tasks (task, sample, resource):
- behavioral1: Dropper/Berbew.exe (win10v2004-20240426-en)
- behavioral2: Dropper/Phorphiex.exe (win10v2004-20240508-en)
- behavioral3: RAT/31.exe (win10v2004-20240226-en)
- behavioral4: RAT/XClient.exe (win10v2004-20240508-en)
- behavioral5: RAT/file.exe (win10v2004-20240426-en)
- behavioral6: Ransomware/Client-2.exe (win10v2004-20240426-en)
- behavioral7: Ransomware/criticalupdate01.exe (win10v2004-20240508-en)
- behavioral8: Ransomware/default.exe (win10v2004-20240508-en)
- behavioral9: Stealers/Azorult.exe (win10v2004-20240508-en)
- behavioral10: Stealers/BlackMoon.exe (win10v2004-20240426-en)
- behavioral11: Stealers/Dridex.dll (win10v2004-20240426-en)
- behavioral12: Stealers/Masslogger/mouse_2.exe (win10v2004-20240508-en)
- behavioral13: Stealers/lumma.exe (win10v2004-20240426-en)
- behavioral14: Trojan/BetaBot.exe (win10v2004-20240226-en)
- behavioral15: Trojan/SmokeLoader.exe (win10v2004-20240508-en)
General
- Target: Ransomware/default.exe
- Size: 211KB
- MD5: f42abb7569dbc2ff5faa7e078cb71476
- SHA1: 04530a6165fc29ab536bab1be16f6b87c46288e6
- SHA256: 516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
- SHA512: 3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
- SSDEEP: 6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn
Malware Config
Signatures

- Detects Zeppelin payload (4 IoCs)
  Resource -> YARA rule:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe -> family_zeppelin
  behavioral8/memory/316-35-0x0000000000820000-0x0000000000960000-memory.dmp -> family_zeppelin
  behavioral8/memory/2520-45-0x00000000001D0000-0x0000000000310000-memory.dmp -> family_zeppelin
  behavioral8/memory/2520-46-0x00000000001D0000-0x0000000000310000-memory.dmp -> family_zeppelin

- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process default.exe, key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation

- Deletes itself (1 IoC)
  Process: notepad.exe (PID 3320)

- Executes dropped EXE (1 IoC)
  Process: services.exe (PID 2520)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process default.exe, set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"

- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 1: geoiptool.com

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  Process: WerFault.exe (PID 1780), target process: services.exe (PID 2520)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process default.exe (PID 316): Token: SeDebugPrivilege (two occurrences)

- Suspicious use of WriteProcessMemory (9 IoCs)
  default.exe (PID 316) wrote to memory of services.exe (PID 2520): 3 occurrences
  default.exe (PID 316) wrote to memory of notepad.exe (PID 3320): 6 occurrences
Processes

- C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1880
      - Program crash
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad.exe
    - Deletes itself
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2520 -ip 2520
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB (2KB)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4 (472B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E (1KB)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB (484B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4 (488B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E (482B)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\MCFBQP69.htm (190B)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W5OVUPOF\KYGX2XTJ.htm (18KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe (211KB; same size and hashes as the analysed sample Ransomware/default.exe listed under General)
- memory/316-35-0x0000000000820000-0x0000000000960000-memory.dmp (1.2MB)
- memory/2520-45-0x00000000001D0000-0x0000000000310000-memory.dmp (1.2MB)
- memory/2520-46-0x00000000001D0000-0x0000000000310000-memory.dmp (1.2MB)
- memory/3320-23-0x0000000000C10000-0x0000000000C11000-memory.dmp (4KB)