General
-
Target
8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
-
Size
218KB
-
Sample
221202-qcvl1aaf37
-
MD5
b8845a76e3942ff4d20ba4660ae926bb
-
SHA1
eb90f945087c270a2ecc11753180ba4ecc270696
-
SHA256
8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee
-
SHA512
9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc
-
SSDEEP
6144:aC61i972rJmciP98f2H64DQFu/U3buRKlemZ9DnGAe/Ix3Sd7+:aK972I/Gf2a4DQFu/U3buRKlemZ9DnG9
Malware Config
Targets
-
-
Target
8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee.exe
-
Size
218KB
-
MD5
b8845a76e3942ff4d20ba4660ae926bb
-
SHA1
eb90f945087c270a2ecc11753180ba4ecc270696
-
SHA256
8ab79654152668be2c10be9cb17d941685e7733628dd7d38d6979516a75682ee
-
SHA512
9e2eda3dfe3bbdf149707eefe67d889fc88e0aa45ae23023367a8914b8feabd1badb043dfb5f8301541d4489d31b79164380a5ac8031662156c639008c26c4fc
-
SSDEEP
6144:aC61i972rJmciP98f2H64DQFu/U3buRKlemZ9DnGAe/Ix3Sd7+:aK972I/Gf2a4DQFu/U3buRKlemZ9DnG9
Score10/10-
Detects Zeppelin payload
-
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-