Extracted

Extracted

• • Target

    7757c11c449860e2dd54ae97e05835fb39f89a9c93f32dfc23b258ad49c3622e.exe

  • Size

    211KB

  • MD5

    511e849a593b7787b1387b56f12d8c05

  • SHA1

    6c830eed04570ba8f8873cba3f61ca568f7b9535

  • SHA256

    7757c11c449860e2dd54ae97e05835fb39f89a9c93f32dfc23b258ad49c3622e

  • SHA512

    3d803144229fd7e63e971d0bd617fb96eaf2a1e802ad36dc2eac3fe809b351f68d07f4b81ebd24b9367e72b9d5e91a655a07acfd430ee631e226def7ff987fe6

  • SSDEEP

    6144:Bia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+Q+:BIMH06cID84DQFu/U3buRKlemZ9DnGAI

  Score

  10^/10

  buranzeppelinpersistenceransomware

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan

  • Detects Zeppelin payload

  • Zeppelin Ransomware

    Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    ransomwarezeppelin

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral1behavioral2