Overview
overview
10Static
static
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.msi
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
8Ransomware...KB.exe
windows10-2004-x64
10Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
1679s -
max time network
1704s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2022 17:54
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral2
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral6
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral8
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral10
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral12
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral13
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral14
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral18
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral20
Sample
RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
RansomwareSamples/Pysa_08_04_2021_500KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral22
Sample
RansomwareSamples/REvil_07_04_2021_121KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
RansomwareSamples/REvil_08_04_2021_121KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral24
Sample
RansomwareSamples/Ragnar_11_02_2020_40KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Ranzy_20_11_2020_138KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Ryuk_21_03_2021_274KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral30
Sample
RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
Resource
win10v2004-20220901-en
Behavioral task
behavioral31
Sample
RansomwareSamples/Thanos_23_03_2021_91KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral32
Sample
RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Resource
win10v2004-20220812-en
General
-
Target
RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
-
Size
812KB
-
MD5
5181f541a6d97bab854d5eba326ea7d9
-
SHA1
16d9967a2658ac765d7acbea18c556b927b810be
-
SHA256
b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
-
SHA512
c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa
-
SSDEEP
6144:73KIrUL3UE1S5mY5/i+i6thb2/VMpfkgXkJX/h/O11/vMLZ935PFXwz6Ui:DTru3FS5C/VMpfkg2ROs9dSz6
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Detects Zeppelin payload 12 IoCs
resource yara_rule behavioral32/memory/1640-134-0x0000000000400000-0x0000000005678000-memory.dmp family_zeppelin behavioral32/memory/1640-139-0x0000000000400000-0x0000000005678000-memory.dmp family_zeppelin behavioral32/memory/1640-140-0x0000000000400000-0x0000000005678000-memory.dmp family_zeppelin behavioral32/memory/3052-141-0x0000000000400000-0x0000000005678000-memory.dmp family_zeppelin behavioral32/memory/3052-144-0x0000000000400000-0x0000000005678000-memory.dmp family_zeppelin behavioral32/memory/3052-145-0x0000000000400000-0x0000000005678000-memory.dmp family_zeppelin behavioral32/memory/3052-146-0x0000000000400000-0x0000000005678000-memory.dmp family_zeppelin behavioral32/memory/996-160-0x0000000000400000-0x0000000005678000-memory.dmp family_zeppelin behavioral32/memory/996-161-0x0000000000400000-0x0000000005678000-memory.dmp family_zeppelin behavioral32/memory/996-162-0x0000000000400000-0x0000000005678000-memory.dmp family_zeppelin behavioral32/memory/996-163-0x0000000000400000-0x0000000005678000-memory.dmp family_zeppelin behavioral32/memory/3052-187-0x0000000000400000-0x0000000005678000-memory.dmp family_zeppelin -
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
pid Process 3052 lsass.exe 996 lsass.exe -
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\GroupCopy.tiff lsass.exe File opened for modification C:\Users\Admin\Pictures\ImportEnter.tiff lsass.exe File opened for modification C:\Users\Admin\Pictures\RepairWatch.tiff lsass.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Zeppelin_08_03_2021_813KB.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run Zeppelin_08_03_2021_813KB.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start" Zeppelin_08_03_2021_813KB.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: lsass.exe File opened (read-only) \??\O: lsass.exe File opened (read-only) \??\H: lsass.exe File opened (read-only) \??\G: lsass.exe File opened (read-only) \??\X: lsass.exe File opened (read-only) \??\U: lsass.exe File opened (read-only) \??\R: lsass.exe File opened (read-only) \??\M: lsass.exe File opened (read-only) \??\K: lsass.exe File opened (read-only) \??\F: lsass.exe File opened (read-only) \??\A: lsass.exe File opened (read-only) \??\W: lsass.exe File opened (read-only) \??\Q: lsass.exe File opened (read-only) \??\I: lsass.exe File opened (read-only) \??\E: lsass.exe File opened (read-only) \??\J: lsass.exe File opened (read-only) \??\Z: lsass.exe File opened (read-only) \??\Y: lsass.exe File opened (read-only) \??\V: lsass.exe File opened (read-only) \??\S: lsass.exe File opened (read-only) \??\P: lsass.exe File opened (read-only) \??\N: lsass.exe File opened (read-only) \??\L: lsass.exe File opened (read-only) \??\B: lsass.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.3D5-499-44B lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-150.png lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-60.png lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-400.png lsass.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\java.exe lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl lsass.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo.3D5-499-44B lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Silhouette.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png lsass.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg7.jpg lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-250.png lsass.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js.3D5-499-44B lsass.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt.3D5-499-44B lsass.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-125_contrast-white.png lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\6445_48x48x32.png lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif lsass.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\SplashScreen.scale-200.png lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-125.png lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\help.svg lsass.exe File opened for modification C:\Program Files\7-Zip\Lang\eu.txt lsass.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe.3D5-499-44B lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms.3D5-499-44B lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.3D5-499-44B lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main-selector.css.3D5-499-44B lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-30.png lsass.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-125.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\office.png lsass.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.bfc lsass.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.3D5-499-44B lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms.3D5-499-44B lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.3D5-499-44B lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL.3D5-499-44B lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml lsass.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js lsass.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms.3D5-499-44B lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_BadgeLogo.scale-100.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W0.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.scale-125.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\credit-illustration.png lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nextarrow_default.svg.3D5-499-44B lsass.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js.3D5-499-44B lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms.3D5-499-44B lsass.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML.3D5-499-44B lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-colorize.png lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_bow.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-48.png lsass.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-125.png lsass.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\ui-strings.js lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\ui-strings.js.3D5-499-44B lsass.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_sv_135x40.svg.3D5-499-44B lsass.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1640 Zeppelin_08_03_2021_813KB.exe Token: SeDebugPrivilege 1640 Zeppelin_08_03_2021_813KB.exe Token: SeIncreaseQuotaPrivilege 1252 WMIC.exe Token: SeSecurityPrivilege 1252 WMIC.exe Token: SeTakeOwnershipPrivilege 1252 WMIC.exe Token: SeLoadDriverPrivilege 1252 WMIC.exe Token: SeSystemProfilePrivilege 1252 WMIC.exe Token: SeSystemtimePrivilege 1252 WMIC.exe Token: SeProfSingleProcessPrivilege 1252 WMIC.exe Token: SeIncBasePriorityPrivilege 1252 WMIC.exe Token: SeCreatePagefilePrivilege 1252 WMIC.exe Token: SeBackupPrivilege 1252 WMIC.exe Token: SeRestorePrivilege 1252 WMIC.exe Token: SeShutdownPrivilege 1252 WMIC.exe Token: SeDebugPrivilege 1252 WMIC.exe Token: SeSystemEnvironmentPrivilege 1252 WMIC.exe Token: SeRemoteShutdownPrivilege 1252 WMIC.exe Token: SeUndockPrivilege 1252 WMIC.exe Token: SeManageVolumePrivilege 1252 WMIC.exe Token: 33 1252 WMIC.exe Token: 34 1252 WMIC.exe Token: 35 1252 WMIC.exe Token: 36 1252 WMIC.exe Token: SeIncreaseQuotaPrivilege 2468 WMIC.exe Token: SeSecurityPrivilege 2468 WMIC.exe Token: SeTakeOwnershipPrivilege 2468 WMIC.exe Token: SeLoadDriverPrivilege 2468 WMIC.exe Token: SeSystemProfilePrivilege 2468 WMIC.exe Token: SeSystemtimePrivilege 2468 WMIC.exe Token: SeProfSingleProcessPrivilege 2468 WMIC.exe Token: SeIncBasePriorityPrivilege 2468 WMIC.exe Token: SeCreatePagefilePrivilege 2468 WMIC.exe Token: SeBackupPrivilege 2468 WMIC.exe Token: SeRestorePrivilege 2468 WMIC.exe Token: SeShutdownPrivilege 2468 WMIC.exe Token: SeDebugPrivilege 2468 WMIC.exe Token: SeSystemEnvironmentPrivilege 2468 WMIC.exe Token: SeRemoteShutdownPrivilege 2468 WMIC.exe Token: SeUndockPrivilege 2468 WMIC.exe Token: SeManageVolumePrivilege 2468 WMIC.exe Token: 33 2468 WMIC.exe Token: 34 2468 WMIC.exe Token: 35 2468 WMIC.exe Token: 36 2468 WMIC.exe Token: SeIncreaseQuotaPrivilege 2468 WMIC.exe Token: SeSecurityPrivilege 2468 WMIC.exe Token: SeTakeOwnershipPrivilege 2468 WMIC.exe Token: SeLoadDriverPrivilege 2468 WMIC.exe Token: SeSystemProfilePrivilege 2468 WMIC.exe Token: SeSystemtimePrivilege 2468 WMIC.exe Token: SeProfSingleProcessPrivilege 2468 WMIC.exe Token: SeIncBasePriorityPrivilege 2468 WMIC.exe Token: SeCreatePagefilePrivilege 2468 WMIC.exe Token: SeBackupPrivilege 2468 WMIC.exe Token: SeRestorePrivilege 2468 WMIC.exe Token: SeShutdownPrivilege 2468 WMIC.exe Token: SeDebugPrivilege 2468 WMIC.exe Token: SeSystemEnvironmentPrivilege 2468 WMIC.exe Token: SeRemoteShutdownPrivilege 2468 WMIC.exe Token: SeUndockPrivilege 2468 WMIC.exe Token: SeManageVolumePrivilege 2468 WMIC.exe Token: 33 2468 WMIC.exe Token: 34 2468 WMIC.exe Token: 35 2468 WMIC.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 1640 wrote to memory of 3052 1640 Zeppelin_08_03_2021_813KB.exe 81 PID 1640 wrote to memory of 3052 1640 Zeppelin_08_03_2021_813KB.exe 81 PID 1640 wrote to memory of 3052 1640 Zeppelin_08_03_2021_813KB.exe 81 PID 1640 wrote to memory of 2000 1640 Zeppelin_08_03_2021_813KB.exe 82 PID 1640 wrote to memory of 2000 1640 Zeppelin_08_03_2021_813KB.exe 82 PID 1640 wrote to memory of 2000 1640 Zeppelin_08_03_2021_813KB.exe 82 PID 1640 wrote to memory of 2000 1640 Zeppelin_08_03_2021_813KB.exe 82 PID 1640 wrote to memory of 2000 1640 Zeppelin_08_03_2021_813KB.exe 82 PID 1640 wrote to memory of 2000 1640 Zeppelin_08_03_2021_813KB.exe 82 PID 3052 wrote to memory of 3116 3052 lsass.exe 87 PID 3052 wrote to memory of 3116 3052 lsass.exe 87 PID 3052 wrote to memory of 3116 3052 lsass.exe 87 PID 3052 wrote to memory of 4568 3052 lsass.exe 88 PID 3052 wrote to memory of 4568 3052 lsass.exe 88 PID 3052 wrote to memory of 4568 3052 lsass.exe 88 PID 3052 wrote to memory of 1488 3052 lsass.exe 89 PID 3052 wrote to memory of 1488 3052 lsass.exe 89 PID 3052 wrote to memory of 1488 3052 lsass.exe 89 PID 3052 wrote to memory of 4068 3052 lsass.exe 91 PID 3052 wrote to memory of 4068 3052 lsass.exe 91 PID 3052 wrote to memory of 4068 3052 lsass.exe 91 PID 3052 wrote to memory of 4228 3052 lsass.exe 96 PID 3052 wrote to memory of 4228 3052 lsass.exe 96 PID 3052 wrote to memory of 4228 3052 lsass.exe 96 PID 3052 wrote to memory of 2444 3052 lsass.exe 98 PID 3052 wrote to memory of 2444 3052 lsass.exe 98 PID 3052 wrote to memory of 2444 3052 lsass.exe 98 PID 3052 wrote to memory of 996 3052 lsass.exe 100 PID 3052 wrote to memory of 996 3052 lsass.exe 100 PID 3052 wrote to memory of 996 3052 lsass.exe 100 PID 3116 wrote to memory of 1252 3116 cmd.exe 101 PID 3116 wrote to memory of 1252 3116 cmd.exe 101 PID 3116 wrote to memory of 1252 3116 cmd.exe 101 PID 2444 wrote to memory of 2468 2444 cmd.exe 102 PID 2444 wrote to memory of 2468 2444 cmd.exe 102 PID 2444 wrote to memory of 2468 2444 cmd.exe 102 PID 3052 wrote to memory of 2580 3052 lsass.exe 108 PID 3052 wrote to memory of 2580 3052 lsass.exe 108 PID 3052 wrote to memory of 2580 3052 lsass.exe 108 PID 3052 wrote to memory of 2580 3052 lsass.exe 108 PID 3052 wrote to memory of 2580 3052 lsass.exe 108 PID 3052 wrote to memory of 2580 3052 lsass.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1252
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵PID:4568
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵PID:1488
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵PID:4068
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵PID:4228
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 03⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:996
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵PID:2580
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵PID:2000
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2640
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
406B
MD5ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
Filesize
812KB
MD55181f541a6d97bab854d5eba326ea7d9
SHA116d9967a2658ac765d7acbea18c556b927b810be
SHA256b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
SHA512c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa
-
Filesize
812KB
MD55181f541a6d97bab854d5eba326ea7d9
SHA116d9967a2658ac765d7acbea18c556b927b810be
SHA256b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
SHA512c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa
-
Filesize
812KB
MD55181f541a6d97bab854d5eba326ea7d9
SHA116d9967a2658ac765d7acbea18c556b927b810be
SHA256b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
SHA512c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa
-
Filesize
560KB
MD56f8d34771785cc2d5f46f72522dd6c1c
SHA1913e8f2d0e7184ff6ee6f9b774453b990094f2f7
SHA256bb934e42d0a5e553d4e7e040609c130edeafa1f8100e83d36711a7a6fdc645a4
SHA512c484496b4aa2dc0fb3415645fa462208127c65c512a8070131c554385aabbd041a691e1e910196b01e4c3cd0dc1c63d8b995b9f35171c070903b0db6a7eba3cb
-
Filesize
700KB
MD5aefb0a2b5035caf86817ee4c5fd199fd
SHA19f053b476f60de8a6fa01c9f771bf7c0a2803bc6
SHA25653ac8f80a803bf01c3f442da9a2e0d06ff25662bfa6220c41f8c86f66d1ea239
SHA5126c1d2440e0be79dad3c65b7b843ddd56e8990e1a25f4d6214968e198d59bb6f5394cdc9a63cc108d07b02a5c6179db4daac2725c60f49c7cc4818dfcca203a0e
-
Filesize
653KB
MD5d2c44de07eda23297a17939f739c49ba
SHA1322b4c178b9a11f6b30fda3e1a8c86f1a8fd76c4
SHA256e8480f39de80eac577b92d57ef4b0c2cc44fbfbc9016f6d27b35446d69651b8f
SHA512860202e94d155522176def947c8f0853a98d9b9d5086ab1ac094d8e8d9980ac3e3f30ea0c08cafceae8e0933b9a0a4c8b11af463df7e00fa3bd60c8326643d5e
-
Filesize
723KB
MD52887912352da288fd2cf36a41e9f038c
SHA1ae530a92cda6b58d43f12911d1dc5ddbd91f4b5e
SHA256be9b3df89a2d37a15a9c447dfdc5c8fda5702525eae666ee7c65d050380a675a
SHA512b129816f3c37a14fdee65a1fcbfb027147fed18e0649e16252d6dd78189533ef49ab2f644334553b3a1278a827047a068bb067044c637b3acc149ded1b1dae1b
-
Filesize
607KB
MD56715c447e11e282190129646a26a2e6c
SHA173e08856c43782fb607f61ba4f79fca3d7f6aee3
SHA256efd6439694a8342be70d0ee2c3ce0545e549afcbfe29f19c2494ccf5bc72f0ac
SHA5120ef62dfb827cb43531c2ed82ecce2debf773c9e850d8dac45ea79b4134a938d37c5db298eaa0744d73f648b4a222ade1f342badbc6cb6e6e408eeb1735b21276
-
Filesize
351KB
MD5d0dd8f27a41f18648f0c60c31b67abcf
SHA1f09c30dd514a6f30ded7a8d305e685ec97885dd0
SHA25674ad9d009372ceddb33c18bb4656bd80effcdc3f421002c264412ec19f5810f2
SHA512181ca11783a50525344adb2017e699e7030a714e4611ddd834ee8d995e0553f5a736fcb49fefd85e916ea80b7ae1efe8ae7f1b9f72670e9310b87abcaac7fe5c
-
Filesize
397KB
MD5df5d5ebf12de1fc6de001f6cdad07a05
SHA1ea02bc223f401fd9505c815703008810ba1b4295
SHA256ce82f74389357743a93dc4008e469b8552a993ff2475a328ea1ca374d85c6032
SHA51245468363c8dce4d216156223f5f3bc7eef663481d51a25c9bd0aa3fe2263e210d99bb8b7d19c8cd57ec81ced7ce17526a3c51aa7db89c5db51fcc1212628f1bb
-
Filesize
514KB
MD56d8f687567cd554f7d17a18ba4c78cab
SHA174fab7a8d0fb5a1576fc58b8ebaa26181560e08d
SHA256ee822fff35debcca0ab008554ac3eb768b82cc5a94e7f966b634191a2bb57da0
SHA51253612da8adfaf67deff780f375e1e4be9298f4edc47a07182abf4c58eaadcfce327474781e55662848f9bf1b65b87ba7c706e995a4bb005bedd2639d7e83dda3
-
Filesize
491KB
MD50aa7e3ec6b134b6b6299d0509dd3f3e2
SHA1080a20788243744375f9d3bcd13bb5cf9f7dc8bf
SHA25625d8536f72865da909bc5cd83bcb0d736642cec417c4e9067153e2f18e9c6991
SHA5121ea5bc4fa5f2b0f97bc283b44790870ebc28151be0b23ff1ff3fc6a6dc5d2aa2239eb04f03080e359cf2db82a5008cffce744fb545e1b4fe5c5416fe01c12102
-
Filesize
630KB
MD55a39bdfbf848cb322e0a9bf06a1c038f
SHA19d9bbf2fc63d7e3d29bac2f33fd79f7270cc172e
SHA256cd2f3fd588809130dae04ddf3c3c3929d6d4943c72b88bc04f14a509885eb26c
SHA512e46509832b630472d5ffee5858a00eb8265bbcb72508fdb167709029da950a9bf9f8c4329b5148382e61fda000ae0c456cdca01be6faf1c33327119ae4c3314d
-
Filesize
467KB
MD5e5ac3ba357029ac15cf45477678e5ac1
SHA1800154b174f850ae51a1b6d5362f55d79f13cec0
SHA256e9907d445f11b1355c6eb3553ee2b61cdcc4e242f8827868078dc9322d589448
SHA512a077751ef01d92ff5629e803c84a1ea5a63cfc226b9909eaf341e23409f30e29c81dccc09d7021533bcb8c58502d2873b78bd4a47e254a711544ec05a4eb50cb
-
Filesize
537KB
MD57b4aef03cb279d27c854037f6f0539fb
SHA1f518f809ae3ab21aec092341a3e09fa8b12960a7
SHA256e443ea42317208941ef2802f01ca7bf07991e47a079e1dc8e5b3c7a60ad6e4f8
SHA51228fdacabbf700914433bb9ae6a048715f4bb55eca0fe80da436a7cafb62da887a90e85e8f7e747cda9867c15315504a03cd4ede7d122ea27fea162471f7067e7
-
Filesize
258KB
MD5b5551751aaafee4390b4e6e002607402
SHA1fa54678401c84b1b1951f35b82d720d6b29d1951
SHA256346a31a3d1acaf494af1f660259b5094218fa937a22e25e5c8d262f7e54f180f
SHA5120797585eff78e762c27129925c2a9f731bf0e47e396384e9ace06f7122770501245ae504a7597d66373e15db355ea4d514b3693ff825a7e098eebed5f20159ce
-
Filesize
374KB
MD56edf6a3297c3de0b897b8b22980dd3a9
SHA12ebab3c79d15f160a25f830e322825719eeed116
SHA25666c50c1b4ac250a77259ebe3be78c2f122f76104e62a86f8076b62e321b59d96
SHA512cc835997dd81343533748e9e75cbd3cae3d754315e50d129e572759687c09df662bd1a1aba88fff7666226f864321bb8c706001905fd2264b10abe8575b7752e
-
Filesize
421KB
MD591f2d9acbab50a6066f7a8e4cb71c971
SHA1a2e4fc969361fc55f92c123f78c292b6e25a54de
SHA256cbb2eb8832b2f24c3e61bf57f48043981dd2c8d698813ccb4d9a862fe348211a
SHA5125440497946ba2d92c4121e217519e9dbecc71e5b2d338b18de93125e6d36d874870cb325be7272160fed49370d7a264f4e4d4a1809dd8d1f59b3317bbd5fef8b
-
Filesize
584KB
MD5e70124d152ab3ddebb99a1de43b973a4
SHA1c4ed7f25023c2895a17807dcd3179ccc87881b3b
SHA2562fe26ef8bf78ccd49f3be866cad1f3dfafa5695b5c5ea1ace3ab64a5903352b1
SHA5121d74435449045e450f415ae2dedbc17a8d5c734b34d1c261c2ac82812cd52c15abe786d15195ada768386455a8ee36ab04610cd57feea521f9b2f1f6fe0bc313
-
Filesize
444KB
MD5f9f10af65ec50536b859823b3e467eda
SHA191cc961c783480bb9faf64cb27a22543976641ba
SHA25693d22dee54055897e00c893216f6e1302802576f793bcd0dcede317961eb5338
SHA5124279c2dd662b17a35256365ac5ee5847b1d597f296859eb22166ce7af482ed22a96fa2fc20f92e16307883664f58c07150a55e898ff3c5dd51f3bf9b7356190e
-
Filesize
304KB
MD5c340cdadaaaddec01b9321bf15c16819
SHA18bf97e1374221f8c8baa5bc6eb8923eb5059771c
SHA256446e21deb0c9b38d246ae8754ec3d6d0774e661cf2b2acc44ed34cc762b16318
SHA5125ad5847241d70b5af0c5e93a0676807a64982db6f3932e131372d816e09e2e5aabe718f9d69c417d27ec0a63ef24dd4309807f62008f6565b91a51a0826514bc
-
Filesize
677KB
MD5bf56b215445c6ce368b758737c1bcb4b
SHA118c5b8520f6959e5d5303ef308198d324582079c
SHA256f14f427b4182c8df58bc323733ccd01e56e62fb54dae4803eaa468191904cc64
SHA5129aa3fcb66bd62a296935acfed5ebdad6b63ce4986d8c3e19e8c28739992c92abb6df210d46118f30d852f7c4af493972e87651419fd1b92acad547d1b0bd8d99
-
Filesize
1003KB
MD5c03ff27f7e2e9e6b3d54cdc759ca757a
SHA1d9a3dd6193fabc3fa789f6540fde8c9a7e0cc725
SHA2565dc8a680347026c776c4749d4069c96ee1aea092735eeba4271a21c09dfb6a49
SHA5129be27b84e311951e8385f2e07918410f59f22ca7b7b8c434d18e952b600749cffac6cea9807df1c55dcdbe43ec27504b8d97fb58d23b725b9c8e4e57a72612a0
-
Filesize
328KB
MD5874fcbd5ce7fbd39d5a2f3bd6b118e53
SHA12e147a5e386118ef70130b3e4c8cae8ab9956fd2
SHA2569a35c660ae0d0552b29cc0fb95d23e60032c36c6eba87af2db52122866b9289d
SHA512a91ee0caadb0b840df26b98a44012427df0f36bbcb53e0d74362c6b24487da3fd28baab871d747e568a11b45a3912e6ba4af23214fc4414573582a085e43f6d2
-
Filesize
281KB
MD5d3fb4890d02bdc589fc7e4842ffa4f7c
SHA1bc562e6d92ac0a86331a8bd313be2e2478e10b04
SHA256798340476366adac617748043186c2c9ee87d3efc0f72e87ddec4d81adb2aaa6
SHA5125c11e529045c9df043a441f4bcca41de6eb4b196c390944cb59cd97ffedc90ba64ed9f2ac3d29dc528541bd98a9a7c525e9d57e47823c364b424cc84d6f729f1