Overview

overview

10

Static

static

10

9999.exe

windows7-x64

10

9999.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-10-2022 11:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9999.exe

  • Size

    211KB

  • MD5

    985d95919b67d3b791dab3ca373d5fdf

  • SHA1

    d2705558b3096ac3165e90eac19da099f0d23fe8

  • SHA256

    a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0

  • SHA512

    c4e5036e933e3821f73b9cde6eea799c9fded8d18c313c91305f909402586205afae79505e9aad24219acff9ca49321c476289dc1362677159ab6b591bc48047

  • SSDEEP

    6144:Yia1gMHHPDWImID8X/4DQFu/U3buRKlemZ9DnGAetTfd1JpLQ+:YIMHv6PID84DQFu/U3buRKlemZ9DnGAq

Score
10/10
zeppelinpersistenceransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED!!! We downloaded a lot of sensitive data! employee passports and financial data! All your files, documents, photos, databases and other important files are encrypted. If you do not want the data to be made public! you need to purchase our software! You are not able to decipher it yourself! The only way to recover files is to acquire a unique private key. Only we can give you this key and only we can recover your files. To make sure we have the decryptor and it works, you can send an email to: [email protected] and decrypt one file for free. But this file should not be valuable! Are you sure you want to recover files? Email: [email protected] Reserved email: [email protected] Your personal identifier: 140-6FD-524 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, this may result in permanent data loss. * Decrypting your files with the help of third parties may result in higher prices (they add their commission to ours) or you may become a victim of scammers.

Signatures

  • Detects Zeppelin payload 3 IoCs
  • Zeppelin Ransomware

    Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    ransomwarezeppelin
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9999.exe
    "C:\Users\Admin\AppData\Local\Temp\9999.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Drops file in Program Files directory
        PID:1440
      • C:\Windows\SysWOW64\notepad.exe
        notepad.exe
        3⤵
          PID:5056

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
      Filesize

      211KB

      MD5

      985d95919b67d3b791dab3ca373d5fdf

      SHA1

      d2705558b3096ac3165e90eac19da099f0d23fe8

      SHA256

      a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0

      SHA512

      c4e5036e933e3821f73b9cde6eea799c9fded8d18c313c91305f909402586205afae79505e9aad24219acff9ca49321c476289dc1362677159ab6b591bc48047

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
      Filesize

      211KB

      MD5

      985d95919b67d3b791dab3ca373d5fdf

      SHA1

      d2705558b3096ac3165e90eac19da099f0d23fe8

      SHA256

      a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0

      SHA512

      c4e5036e933e3821f73b9cde6eea799c9fded8d18c313c91305f909402586205afae79505e9aad24219acff9ca49321c476289dc1362677159ab6b591bc48047

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
      Filesize

      211KB

      MD5

      985d95919b67d3b791dab3ca373d5fdf

      SHA1

      d2705558b3096ac3165e90eac19da099f0d23fe8

      SHA256

      a33e434ed9671b0bd3c2b0b2ee3e172dc4da119437fc28c77a190ca39469b4f0

      SHA512

      c4e5036e933e3821f73b9cde6eea799c9fded8d18c313c91305f909402586205afae79505e9aad24219acff9ca49321c476289dc1362677159ab6b591bc48047

      Download Submit

    • C:\Users\Admin\Desktop\CopyPop.M2V.140-6FD-524
      Filesize

      1007KB

      MD5

      9e56c2b803077abaef8a4354a3be24be

      SHA1

      4838b459d54e28ad28cd5eca20ad7482d25bf560

      SHA256

      71e9ae494ab5cd9953186f7314f0ee9a45b4053cdf98086cd72293defea9c647

      SHA512

      d3cd5ee438e3f0877eed0aaf45d72a4a11943e761eaae3bfb0d84796dcc665b5582ecdd7918464a5df52dafa4d603541ba754a4797c8581b4882f96c40d9cac3

      Download Submit

    • C:\Users\Admin\Desktop\DisableRead.crw.140-6FD-524
      Filesize

      385KB

      MD5

      42414ec1aa373be60a46ca1a08306201

      SHA1

      427e1911f7266239cd58d6b7e6279535d71cba85

      SHA256

      5dddad26711fa882493d6d2c79a48cee669b236e703d4d3112320d45a973ee31

      SHA512

      fc57f757cf9b47c511e543bbb9aa555be861373f2f3551abddbb839cf7e45fb53b19fc3d307596e3c85343002be63b69eddb0774246e326ccfec68beadb0abf3

      Download Submit

    • C:\Users\Admin\Desktop\EnableResume.svgz.140-6FD-524
      Filesize

      623KB

      MD5

      11fa2aa18d632c46519b9f5a1f94742e

      SHA1

      f604ce3d8b216bc009fff2305a7d55650c9b7534

      SHA256

      79cdf20eff53536732a7d6796bbce7f954b32fcc24886bfd0b89eedd9534f3ed

      SHA512

      35d942c771131bca51e4e685c745456284f4349f7c707edad5242261de9faadfb614f18c270e67677253f59bdfd272ddef485d9a0dfd3139ac7499a98d89f444

      Download Submit

    • C:\Users\Admin\Desktop\ExpandRead.xps.140-6FD-524
      Filesize

      733KB

      MD5

      ece742405b86edea3c5d2a6db19b6c09

      SHA1

      88f4442d82cf17e426931007b7efef510844bae5

      SHA256

      3c9e0ea6ee0123b723d75dad216c1ccbde05fb659ee0cb270485dda0819ed1f4

      SHA512

      d9022fd231e3b5559b66a44d72a04ea9f6f018d8c2097a5a85581b797f7aed1f96f2b58ebe38fa99c040c1ca4c3316e5490014d74326992981cbd070d24a4cad

      Download Submit

    • C:\Users\Admin\Desktop\FormatMerge.TS.140-6FD-524
      Filesize

      714KB

      MD5

      7917c60b1ddff864dc68825e6f44a457

      SHA1

      4d8a732e36dfdc575e256ac868ee2272882fae91

      SHA256

      6e0e9c5958771578c4158b47fc45b6107346c79b240d8e20494c9dec77f67f25

      SHA512

      e1a572b22f0163fd627f1286b35a8111862e040e21b5a98e46d38f3da2d163b19c7e293cc70b2bb0e2a6e6b3b3b6e056eaa01c9aa2f540eb49cc49620735ddf5

      Download Submit

    • C:\Users\Admin\Desktop\GrantReceive.xlsb.140-6FD-524
      Filesize

      641KB

      MD5

      8bd3b6e9b5820d1e5d1afa192f1483e9

      SHA1

      b86a690a9fcd2262a72ea3fe2017705d72ff1a5e

      SHA256

      77f5543085535659ce8073d19add58dffe964aa2ed29ee0bcda10acf7f2a2ca9

      SHA512

      5cb79fbb60bef2aeb92c3152857a8af890dfeb714023f8f3ddbafcbeef8d6d5d1e60160c8385792f90965481dfc5ba5fb1e60ec661acb040874b7fc438aa3410

      Download Submit

    • C:\Users\Admin\Desktop\InstallRevoke.snd.140-6FD-524
      Filesize

      605KB

      MD5

      a56a1369967393648c33467a85c9d605

      SHA1

      ed5e2133eefeff56fd1e2a9d2e62d9f14b51532e

      SHA256

      9cf8394591f24fb84b1422fca3be5b77378fb602e2aa01bf68a8195beb9c32e6

      SHA512

      61d82074a7c7deda43d581a328cd0f827e4c6156820c053e5925117c16ad733ba5a5611d53772323023ed25c6c6f0f8293e86eae0dd4d849abcf34e5c956e717

      Download Submit

    • C:\Users\Admin\Desktop\InvokeDeny.ico.140-6FD-524
      Filesize

      495KB

      MD5

      d54a7607beb4badbed60ffcae64ac7df

      SHA1

      d81ac5b0bea78ff09afdd7a7d3c01e14b0731ab7

      SHA256

      773f22e776991889c0721e4870c203c0765bdf64a4fda06aa93ca17fd62212dd

      SHA512

      717036c41e10cf8db95d0245c463fb9a19b2282015b6b6072c282738c4cc9e307da6136d74dbb26e8cfad2308fd404b1f44d0dc4234a361fd732d24440741b70

      Download Submit

    • C:\Users\Admin\Desktop\MergeBackup.cab.140-6FD-524
      Filesize

      349KB

      MD5

      9c41393e1677e6b905168f3da888b9d3

      SHA1

      a11e531a802e05716fbf42c9af10c7f2b04a6801

      SHA256

      43e3256fb6e69d6f01174f5acf4f64145fc32545b2e605055af328df4f7573f0

      SHA512

      37a5cf60d5c06530b234f4fc7e4877f2f7edaf133292e519d0748c5df5c5c433b771be883f3a828523bb2cc2544777980b962f8e191a4e2f7992e93d0a369884

      Download Submit

    • C:\Users\Admin\Desktop\MergeRestart.inf.140-6FD-524
      Filesize

      696KB

      MD5

      d7dc4fb4c7fc095eea1e1797df596481

      SHA1

      9bdd645cca42e14475acb1b4da00890f10bd030b

      SHA256

      5aae5f51a76af5084e2e29d60f6143151ad57a4bf5fe401a840996220db37f46

      SHA512

      710e4c5099412613a1c1b9b80e192a61a2049c743622008f3cddccb5bc840e5a1663ba850fc7ac4d888e715eabf2bf4d1942dc7e32a750f096686ff2a8ac772e

      Download Submit

    • C:\Users\Admin\Desktop\OutRestore.aiff.140-6FD-524
      Filesize

      458KB

      MD5

      6f7a7407409d96e4192060e32f4a65f4

      SHA1

      c6a1ac2dc656e42fedf40961bae78b348ba28d92

      SHA256

      2e31953f209553f6b64569d93e339293ba9a1f0e98427ec3eb914c78bcd2af76

      SHA512

      7d3e3115959f3d39ddaa248ad496d70214657bdbe2c839e43754fbac18b4d2af47a44c65ed83250b72ff1fcc98b2c085e2fc948ee16fb7e8da66cea902c009d2

      Download Submit

    • C:\Users\Admin\Desktop\PopExpand.wax.140-6FD-524
      Filesize

      550KB

      MD5

      7bad04e6ab1ccc4ba80bfdd03b699f3e

      SHA1

      dce89f23367b9e9c7232cd53adc6e6dae8650f96

      SHA256

      69eea894354be31f88f43002ecb51f8fbbf364220c24ead73e5d1536359d1526

      SHA512

      9eb084bfb43fe1b254eb72c6dd24164488a25f95bd631f5c75642cb73b5f89e9e9b4da1d4de7ae9713aec102c414ffcb936f5490f4e76548c74f720fb785a24e

      Download Submit

    • C:\Users\Admin\Desktop\PublishSend.mov.140-6FD-524
      Filesize

      678KB

      MD5

      db729824a54b51f5b1476787c9ad98cb

      SHA1

      3cd7ee5cbbf737cd8b45264c50bf13e40e52a9c4

      SHA256

      aeecf09fab43ebd1bdd98c160b4c3f333dde8564d3adac52e07e5a658fcdff0f

      SHA512

      7972958bd1cf64f7e789e6e4eb611be3b3547cf35fb3af4325c88ab6767a330694c00e6ef1255b515ec5ca651e3a6b109f642268224609fcaab36646ca656d41

      Download Submit

    • C:\Users\Admin\Desktop\ReceivePing.docx.140-6FD-524
      Filesize

      330KB

      MD5

      93324af437c9c34a9907c7d1d986fa61

      SHA1

      5ed51a4340c7b0ec258785f80265d58eade7e766

      SHA256

      0453f29999270c33e657602146187f97d9cc561156ccc28caa8383b1536e3d12

      SHA512

      084145a0b2646b98bcc7d6157e2cafe69d5aad19bc50ffa7cbea5e6b7d74a20c10d997941c699fd293ad17147a215dc6b431874b5fc0a69d4118a82e08cafc88

      Download Submit

    • C:\Users\Admin\Desktop\RedoConvert.xsl.140-6FD-524
      Filesize

      531KB

      MD5

      786a13d8c344f886d3a141f5b1d05a49

      SHA1

      fad9c902dee5f6d9287ba46288522a6efabb3b9a

      SHA256

      18970fb1dca047dc9e6abeba84ee0ac77c711d7906c8eff0ae1ceeabd5d7e0f1

      SHA512

      e9252cbf58cc0b5ad85b8da4109ef081456ffb36932e84736d7b48d8e6d6fec066b0efb1787e549e15c08203ec91142920a98bf056c235651e365bd357fd90e8

      Download Submit

    • C:\Users\Admin\Desktop\RemoveJoin.eps.140-6FD-524
      Filesize

      440KB

      MD5

      e507f8f920220c9defb306b69f9912bb

      SHA1

      9a25d307f23e0dca26d62e5cb78d00c4e02118fb

      SHA256

      0d87e52cafea2a29b2ddf4831ce472eccc70e4da6de6f75296a53d7f49322e2b

      SHA512

      7f95109a6ec629aae15b79d3a43f1a623691dc38d321829b627b5ab55680ffa4499d36fc72036e95ab37570b215338ec7a38ef47df734403a8d1d46b3d7d6cef

      Download Submit

    • C:\Users\Admin\Desktop\RenameExport.mp4.140-6FD-524
      Filesize

      568KB

      MD5

      b1c5c615cdfc667ce0d841e32489d12f

      SHA1

      972d4e79259cf59152de73e770a6be928559ffc0

      SHA256

      be02d3f1c1b8ae276a225670edbb60d2f64975973e42a95ede736c9f7e14ae5c

      SHA512

      ebf06ce6b5aeeba322538728553373daf4331b1dafa3192ca454f99022ddf6337f5126947ea5544a1f4db9e2d22c57f6c408e6392fd845324692f87ad004a6c9

      Download Submit

    • C:\Users\Admin\Desktop\ResetSave.dwfx.140-6FD-524
      Filesize

      275KB

      MD5

      b2005602c203164284fddbbc659df73a

      SHA1

      b517ca35febc25f9c491dd75d0c560f03dd61e41

      SHA256

      93a94505481659226bb6c29a65bc9650fad8bcd723ce812577deceb77a564d7a

      SHA512

      3849152cb6dc6e07512817308a023c86f598345f94acd0d129ca2f30440292b215afe5cf9d37bc8d55c5b49553f8d8bc726123ba4e0ca5f9ca6e41c59e86fe9f

      Download Submit

    • C:\Users\Admin\Desktop\RevokeSend.wdp.140-6FD-524
      Filesize

      367KB

      MD5

      ba962bd7655c5f920dee2dffb3daf704

      SHA1

      27fd6754e893900c2538e4aff2a07c1570f4235c

      SHA256

      75b73aab3193558969b148ee8779307f74f1fa273c34f11b8cffba577d12df50

      SHA512

      f73dfc11634cc6e0567abb52ade6cb244d6fd67c10cb23a5dbe7761134998dff19bb69dd8c5c30858298b9f01d1801057bd9d76d836a6367b2535897533dd530

      Download Submit

    • C:\Users\Admin\Desktop\SearchBlock.ps1xml.140-6FD-524
      Filesize

      403KB

      MD5

      fca819eb5b6130c325313c0b0f2bf7a3

      SHA1

      7ace0b9f7994322e49a062c60c164d61f61c1b37

      SHA256

      d748c171f87d64a246eec5498e7f393dd5ed4d7ea61db6156cd58834da0d5613

      SHA512

      c9fbbb2c4a87b53a27b096c65115e37d14a0d902096a2a26725c882fb01e5f1a06bf7f9c76df2aee2efa6f58f5425aabb3a9fe716a1924bd8e8b3907d8c8d737

      Download Submit

    • C:\Users\Admin\Desktop\SetSearch.eps.140-6FD-524
      Filesize

      422KB

      MD5

      704d785deb4c5ac9603167f26b986c3a

      SHA1

      0cb729eea9241fad934418764bb93be4ce0dc814

      SHA256

      cffc933eb4a925b08227efac7b5488a5f3dc3175ebdcf308e9afdb5a08b36dae

      SHA512

      6b7c6f29ab0831b8dda38fbe9fc37c88a0018397878a39464bdfc2af81726972c58117a6fa9a75a5907baded01932e22296a9f7a476cfadc3eb1e8fca8a3aab9

      Download Submit

    • C:\Users\Admin\Desktop\StartUnregister.svgz.140-6FD-524
      Filesize

      659KB

      MD5

      f36cd8b8c47be1402bb401c27ca85d07

      SHA1

      363027112491f67f5ef5deba54e71af8ed8e1266

      SHA256

      2fb211664b38753c14cd48e3ed28f6182d18856c8901ccd5b405f5ce3cb6ac21

      SHA512

      5c5406877d1aeee4b214233630a73c87f7b82eea4149bb0868a520479e1b89d2739df2c6173695b04f5ba20202b1c1e322369e8e8d72e4224bdda0b5bc27c74b

      Download Submit

    • C:\Users\Admin\Desktop\StepStart.dotx.140-6FD-524
      Filesize

      586KB

      MD5

      633e40113ba66817fe162a30cd224d38

      SHA1

      17ed311dbf0e5c440ad14467651e08757197df24

      SHA256

      1a1f49f51c86a29c348c845a493b4c54c8716a8ed76682112888a3660bb8430f

      SHA512

      c96a67f05228efafd290a619d48d3eb914259eda31b626dd8b6d985e942b0108c1c44ae9b375193d1c1a1aebe71ce967aa05c69169c37113beebf8261c0d54e2

      Download Submit

    • C:\Users\Admin\Desktop\SuspendImport.ppsm.140-6FD-524
      Filesize

      294KB

      MD5

      dabf676ffe939680b2f1806151fa7ab2

      SHA1

      19bdd4cfd0e0c8c55181e27985dd84539ec2f089

      SHA256

      19e9d877c07ea7ecb4b7a64d2e0e4add8ed0c380f1f9d0f36b1cca60f2cbbb37

      SHA512

      23c29e1e1661863d54c3fd9ef7a502e12fcb226b28c22ced6bc7f07f0dd2f90e4776d12274164578b6165a45ef86876aff55d881f0eef81e0176608f9bee3033

      Download Submit

    • C:\Users\Admin\Desktop\SuspendSplit.wax.140-6FD-524
      Filesize

      312KB

      MD5

      15623c7b62bd94fdcf9bf6f8090b1356

      SHA1

      77438051dc77b844c25032f1fc12b7f66ad79005

      SHA256

      6a8c1f2f1cb46e981192b245adbb2540db1a7593f6e7be95d44c740aaf5febb0

      SHA512

      4b89933d49f7cad2baa82c9319ef1d7213215ac04928686bcb8b82a0f93fb3434bda0f7ae963ea4c67b6370cfe249d53b4cf15f598334ecea5203d6739e35265

      Download Submit

    • C:\Users\Admin\Desktop\SyncStep.wav.140-6FD-524
      Filesize

      477KB

      MD5

      2a9a12b949173e43c4595d46cbcbb28b

      SHA1

      f7b7a8e3fd27eff9d4d7f734259ff61015559a9b

      SHA256

      e291688729918c6f4ea382e3be2c1f6adc36198acd8682ff36c418d58ab98ece

      SHA512

      cccce49d43d43818534bd71f701ce46a7b44068b3fd45d128cdefcde611b1415f87924b0f2c2b43f624cad657aebda136aa55a787773cf7310562502acc11365

      Download Submit

    • C:\Users\Admin\Desktop\UndoDismount.cab.140-6FD-524
      Filesize

      257KB

      MD5

      fb63beb9c75832a08366aa7b718e47b9

      SHA1

      91b2e1cc86e941241d24a98807eba9e28a021b72

      SHA256

      8a1d48dc8f20ab6dc9f7492e2b0c6893057f9f67664645c9fab1e39786ba118c

      SHA512

      4dbc21176f1aaa23a640f05d24b3fcdf9c209c13b09ecc90f940922020cd57b4be3228233624acea72031b442559c173a7ff508097966beed1702f4a9a2614c5

      Download Submit

    • C:\Users\Admin\Desktop\UnlockSearch.aif.140-6FD-524
      Filesize

      513KB

      MD5

      a3613c83f46735ab1943d89d4b49c698

      SHA1

      5629c7366f65986432d85fdf8ef71b074909fa68

      SHA256

      613dd09fe1004112bc1b165a7a2d1545d7674535fc634dba111a503612fd10e0

      SHA512

      f8f289b37055d394f6484de1db79cdb160420a91affc6ab2fd762ebf9190db4af75543a2692632af93309dbfcee6ff150ba69b7aa8417efd12bc101c90276381

      Download Submit