zeppelin | 6656c50ffbdc59ce71b93474f43270dfeb42b57451724c25fa26f5bbf532e449 | Triage

Submit
Reports

Overview

overview

Static

static

4.exe

windows7-x64

4.exe

windows10-2004-x64

Sharing

General

Target

4.exe
Size

211KB
Sample

230122-xzrbesbc4x
MD5

8f43f1fddbcf5409408eb618a981b23b
SHA1

3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2
SHA256

6656c50ffbdc59ce71b93474f43270dfeb42b57451724c25fa26f5bbf532e449
SHA512

3a6bca15442233f9b36e51ea984353925d43ac17326742ad8a562542ca20e99da0477b583b8cc415eb8ab09b306a6b903e7ee1d79137487312ab5327f8ac2387
SSDEEP

6144:+ia1gMH2EXtAup5Qnqn64DQFu/U3buRKlemZ9DnGAe+hsOn+8:+IMHxGe5Qb4DQFu/U3buRKlemZ9DnGAz

Score

10^/10

zeppelin persistence ransomware

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

4.exe

Resource

win7-20221111-en

zeppelin persistence ransomware

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

4.exe

Resource

win10v2004-20220812-en

zeppelin persistence ransomware

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  4.exe
- Size
  
  211KB
- MD5
  
  8f43f1fddbcf5409408eb618a981b23b
- SHA1
  
  3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2
- SHA256
  
  6656c50ffbdc59ce71b93474f43270dfeb42b57451724c25fa26f5bbf532e449
- SHA512
  
  3a6bca15442233f9b36e51ea984353925d43ac17326742ad8a562542ca20e99da0477b583b8cc415eb8ab09b306a6b903e7ee1d79137487312ab5327f8ac2387
- SSDEEP
  
  6144:+ia1gMH2EXtAup5Qnqn64DQFu/U3buRKlemZ9DnGAe+hsOn+8:+IMHxGe5Qb4DQFu/U3buRKlemZ9DnGAz
Score

10^/10

zeppelin persistence ransomware
- Detects Zeppelin payload
- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
  ransomware zeppelin
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

zeppelinpersistenceransomware

behavioral2

zeppelinpersistenceransomware

© 2018-2024

Terms | Privacy