Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-12-2022 12:51

General

  • Target

    6b97553c9dfeedcc50b19dacacf8662b68bd3f65b3fa6bed2e5cb9ae778eabd8.exe

  • Size

    215KB

  • MD5

    f41306eb937e2dc08f196a61e0f6c34e

  • SHA1

    e3e6af9e1be25f86a892018f35876b48b31dcc6c

  • SHA256

    6b97553c9dfeedcc50b19dacacf8662b68bd3f65b3fa6bed2e5cb9ae778eabd8

  • SHA512

    5e28f987097ca961d6911c671dd9a0868ced5e1d7a434930d1eec242d5044978877453f3e667dfcd195e12ea381ebc21db841d99639de273a4e653b514aecc3a

  • SSDEEP

    6144:WyJE1yd7WiJmcyfpHaShzh04DQFu/U3buRKlemZ9DnGAeIS+giiK+:WU/d7WnvtLhza4DQFu/U3buRKlemZ9De

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note
!! ALL YOUR FILES ARE ENCRYPTED!!!
!!! READ AND QUICKLY PAY $ 290 in Bitcoins !!! = 0,0077 btc!!!
After 2 days, the ransom will increase by 2 times!!!
!!!Write to the telegram : @ letsgo600 !!!
!!!Write to the telegram : @letsgo600 !!!
!!!Write to the telegram : @letsgo600 !!!
!!!!!!!!!!!!!!!!!!!!!!!
download here to contact me https://telegram.org
Bitcoin address bc1qhs2h04y80vcur0k6kgtdtfdhy26k7uwrdy86rh
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decipher it yourself!
The only way to recover files is to purchase a unique private key.
Only we can provide you with this key, and only we can recover your files.
To make sure that we have a decryptor and it works, write!!!Write to the telegram : @letsgo600 !!! !!! and decrypt one file for TEST 40$.
But this file doesn't have to be valuable!
Do you really want to recover files?
!!!Write to the telegram : @letsgo600 !!!
Your personal ID: 2BF-10B-D15
Attention!
* Do not rename encrypted files.
* Do not attempt to decrypt your data using third-party software, this may lead to irretrievable data loss.
* Decrypting your files with the help of third parties may lead to an increase in the price (they add their commission to ours) or you may become a victim of scammers.

Signatures

  • Detects Zeppelin payload (3 IoCs)
  • Zeppelin Ransomware

    Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (33 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b97553c9dfeedcc50b19dacacf8662b68bd3f65b3fa6bed2e5cb9ae778eabd8.exe
    "C:\Users\Admin\AppData\Local\Temp\6b97553c9dfeedcc50b19dacacf8662b68bd3f65b3fa6bed2e5cb9ae778eabd8.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3468
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
        PID:2152
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        PID:4180
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        PID:3904
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        3⤵
        PID:1996
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1212
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1648
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          WMIC.exe shadowcopy delete /nointeractive
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3820
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:4464
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2996

Network

MITRE ATT&CK Enterprise v6

Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

            Filesize

            2KB

            MD5

            794ea8181f4d37b0f73017ceab1fdd7f

            SHA1

            480e66aca597bea5cbfa6e94500382884ed8714c

            SHA256

            5fddc76ae7757a4a0d48032866af390cdcdc9c5b4f46cb3254d12624ca2fa18d

            SHA512

            e2f7469eb2d2712db57a0ff4da315fb3419cf1424f8bffe6f0d032d373211c65ac558e2e3c6e4da935c24b1846b35c62e992f45c48c14042fa21944d0c3c4ac5

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

            Filesize

            472B

            MD5

            cbbc0ef90939308569639c47f0df0ef2

            SHA1

            05176e0da4b301e162d284aa7f567b8b6e9aa9bf

            SHA256

            66fb1d2515479817ad789450f87a969d3c588c374a1d7cbf6e3eddd177b4a59f

            SHA512

            b7acd7bbc669c811df646ce1f6c9e42225b2beb30d04d249853423a15af77de4228936cba5ee8a8eefbc03b716cf71d57346d03f5e2046830edd776db70cd1f2

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

            Filesize

            1KB

            MD5

            912da6b52d140c350937afa14a357061

            SHA1

            5eb54c7f9f32a1e3442113fd93c348027e218004

            SHA256

            033b9d2ea11a924f8cd8af9d923c311efc401040802424ad0f7c8c811cb5f88d

            SHA512

            ace1abd89c31d0979a817b994fff933fec49b5f1204bc8d6ba43a41fd776500e719d3df95f1f90358d000b6de1705abe3cd8d120d13a9096ecea24afff4bdc2e

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

            Filesize

            484B

            MD5

            01cae79413eaf244efafc77303e6c41f

            SHA1

            6b05fa6b13e449d79ad42ad52a94e48d457471a2

            SHA256

            a43d48337323a7e405a98833e55a738d07dec5f7ec61e28005d110415699efe5

            SHA512

            5acadd6407497b29d8139947878817e67f693c84a1e86a1c03f0fb8fd56f203076128cddd7b804cf6293f50467445454d04d7a34cb653232af326867c32a39e4

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

            Filesize

            488B

            MD5

            0b9a66fdf0f6946d4c733eeef50c0035

            SHA1

            63299fe2fc8a3d3de48d2734a219f2e89793c2c3

            SHA256

            d9a8894e31a57291d71f1169e17b095d5f58afc88da7821869e6178bd6f81b14

            SHA512

            19f0369ad51df702b8c49d0e22f157618ab98fe7a0356df856e59278210dc9e00f072d19fe29f395cd6b1c4d658476fc390f09df29bb9e5b78714bc6928c2c2f

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

            Filesize

            482B

            MD5

            38e468542f58bb9b8bef222fa4e0dfa3

            SHA1

            86d0ae20443e4f2f4e0f74f75dbd93bae245278f

            SHA256

            5e814e621854f61087444664f1283c03ad472312cf7c1bc6edc389b42fe7467e

            SHA512

            bc46ea0d939105116ed65043a8e9ad448fcc2f05624392f0f99ad42eac1fa0f1610eaeb07ddabccb0e402bef2b8dc11080709b3559a1ed9362983b10e03e71f7

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8YLPV06K\SFT3VW4W.htm

            Filesize

            184B

            MD5

            b1cd7c031debba3a5c77b39b6791c1a7

            SHA1

            e5d91e14e9c685b06f00e550d9e189deb2075f76

            SHA256

            57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

            SHA512

            d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\94PW68LC\VGFF9IVP.htm

            Filesize

            18KB

            MD5

            8615e70875c2cc0b9db16027b9adf11d

            SHA1

            4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

            SHA256

            da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

            SHA512

            cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

          • C:\Users\Admin\AppData\Local\Temp\~temp001.bat

            Filesize

            262B

            MD5

            e6545ccb3660f88529716ed4e647c713

            SHA1

            ecd628f29985599a24c5c1d23083c689917dd74e

            SHA256

            e802bf0c4481bef693d4d1f307aba48301e330d3728dd46a4ec97c4a96b4d4a7

            SHA512

            f745e7d5dd006083234e783dd5dc7fb83043a7d0479ea2a91a2ddbc8c20ca47343516efbd155271768c675a22b32e88febdfe51551ec42dfdb64805c62c3188d

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

            Filesize

            215KB

            MD5

            f41306eb937e2dc08f196a61e0f6c34e

            SHA1

            e3e6af9e1be25f86a892018f35876b48b31dcc6c

            SHA256

            6b97553c9dfeedcc50b19dacacf8662b68bd3f65b3fa6bed2e5cb9ae778eabd8

            SHA512

            5e28f987097ca961d6911c671dd9a0868ced5e1d7a434930d1eec242d5044978877453f3e667dfcd195e12ea381ebc21db841d99639de273a4e653b514aecc3a

          • memory/1648-159-0x0000000005C70000-0x0000000005C8E000-memory.dmp

            Filesize

            120KB

          • memory/1648-160-0x00000000074C0000-0x0000000007556000-memory.dmp

            Filesize

            600KB

          • memory/1648-156-0x00000000053C0000-0x00000000053E2000-memory.dmp

            Filesize

            136KB

          • memory/1648-157-0x0000000005CD0000-0x0000000005D36000-memory.dmp

            Filesize

            408KB

          • memory/1648-155-0x00000000055F0000-0x0000000005C18000-memory.dmp

            Filesize

            6.2MB

          • memory/1648-154-0x00000000029D0000-0x0000000002A06000-memory.dmp

            Filesize

            216KB

          • memory/1648-163-0x0000000007B10000-0x00000000080B4000-memory.dmp

            Filesize

            5.6MB

          • memory/1648-162-0x0000000007470000-0x0000000007492000-memory.dmp

            Filesize

            136KB

          • memory/1648-161-0x0000000007420000-0x000000000743A000-memory.dmp

            Filesize

            104KB

          • memory/1648-158-0x0000000005D40000-0x0000000005DA6000-memory.dmp

            Filesize

            408KB