zeppelin | 24efa10a2b51c5fd6e45da6babd4e797d9cae399be98941f950abf7b5e9a4cd7

Analysis

max time kernel
91s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2022 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4aa0fef7356c18214f9c9bb3a9ea16cd.exe
Size

216KB
MD5

4aa0fef7356c18214f9c9bb3a9ea16cd
SHA1

92e655dbe599a3ecfc9c8f510ccc03f81185f660
SHA256

24efa10a2b51c5fd6e45da6babd4e797d9cae399be98941f950abf7b5e9a4cd7
SHA512

2c0cb5a6ecac3dde2fea800fdbb53f13f7b057216487cd9889218f7cf63b4b98cd6c3ba4cd1866d8cf9ed52b0a5b8a0da971566fa4e26ecebf119da1048f9c10
SSDEEP

6144:uyJE1yd7WWlJmcyfwAPWna4DQFu/U3buRKlemZ9DnGAevIGcF7+:uU/d7WWKvhPWa4DQFu/U3buRKlemZ9Dh

Score

10^/10

zeppelin persistence ransomware

Malware Config

Signatures

Detects Zeppelin payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0005000000022e17-133.dat	family_zeppelin
behavioral2/files/0x0005000000022e17-134.dat	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid	Process
4316	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4aa0fef7356c18214f9c9bb3a9ea16cd.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	4aa0fef7356c18214f9c9bb3a9ea16cd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4aa0fef7356c18214f9c9bb3a9ea16cd.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	4aa0fef7356c18214f9c9bb3a9ea16cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	4aa0fef7356c18214f9c9bb3a9ea16cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2032	4316	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	Process
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe
4316	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4aa0fef7356c18214f9c9bb3a9ea16cd.exe

description	pid	Process
Token: SeDebugPrivilege	2620	4aa0fef7356c18214f9c9bb3a9ea16cd.exe
Token: SeDebugPrivilege	2620	4aa0fef7356c18214f9c9bb3a9ea16cd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4aa0fef7356c18214f9c9bb3a9ea16cd.exe

description	pid	Process	procid_target
PID 2620 wrote to memory of 4316	2620	4aa0fef7356c18214f9c9bb3a9ea16cd.exe	83
PID 2620 wrote to memory of 4316	2620	4aa0fef7356c18214f9c9bb3a9ea16cd.exe	83
PID 2620 wrote to memory of 4316	2620	4aa0fef7356c18214f9c9bb3a9ea16cd.exe	83
PID 2620 wrote to memory of 1968	2620	4aa0fef7356c18214f9c9bb3a9ea16cd.exe	84
PID 2620 wrote to memory of 1968	2620	4aa0fef7356c18214f9c9bb3a9ea16cd.exe	84
PID 2620 wrote to memory of 1968	2620	4aa0fef7356c18214f9c9bb3a9ea16cd.exe	84
PID 2620 wrote to memory of 1968	2620	4aa0fef7356c18214f9c9bb3a9ea16cd.exe	84
PID 2620 wrote to memory of 1968	2620	4aa0fef7356c18214f9c9bb3a9ea16cd.exe	84
PID 2620 wrote to memory of 1968	2620	4aa0fef7356c18214f9c9bb3a9ea16cd.exe	84

C:\Users\Admin\AppData\Local\Temp\4aa0fef7356c18214f9c9bb3a9ea16cd.exe
"C:\Users\Admin\AppData\Local\Temp\4aa0fef7356c18214f9c9bb3a9ea16cd.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 660
    3⤵
    - Program crash
    PID:2032
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4316 -ip 4316
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
216KB

MD5
4aa0fef7356c18214f9c9bb3a9ea16cd

SHA1
92e655dbe599a3ecfc9c8f510ccc03f81185f660

SHA256
24efa10a2b51c5fd6e45da6babd4e797d9cae399be98941f950abf7b5e9a4cd7

SHA512
2c0cb5a6ecac3dde2fea800fdbb53f13f7b057216487cd9889218f7cf63b4b98cd6c3ba4cd1866d8cf9ed52b0a5b8a0da971566fa4e26ecebf119da1048f9c10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
216KB

MD5
4aa0fef7356c18214f9c9bb3a9ea16cd

SHA1
92e655dbe599a3ecfc9c8f510ccc03f81185f660

SHA256
24efa10a2b51c5fd6e45da6babd4e797d9cae399be98941f950abf7b5e9a4cd7

SHA512
2c0cb5a6ecac3dde2fea800fdbb53f13f7b057216487cd9889218f7cf63b4b98cd6c3ba4cd1866d8cf9ed52b0a5b8a0da971566fa4e26ecebf119da1048f9c10

Download Submit
memory/1968-135-0x0000000000000000-mapping.dmp

Download
memory/4316-132-0x0000000000000000-mapping.dmp

Download