zeppelin | 6656c50ffbdc59ce71b93474f43270dfeb42b57451724c25fa26f5bbf532e449

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2023 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4.exe
Size

211KB
MD5

8f43f1fddbcf5409408eb618a981b23b
SHA1

3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2
SHA256

6656c50ffbdc59ce71b93474f43270dfeb42b57451724c25fa26f5bbf532e449
SHA512

3a6bca15442233f9b36e51ea984353925d43ac17326742ad8a562542ca20e99da0477b583b8cc415eb8ab09b306a6b903e7ee1d79137487312ab5327f8ac2387
SSDEEP

6144:+ia1gMH2EXtAup5Qnqn64DQFu/U3buRKlemZ9DnGAe+hsOn+8:+IMHxGe5Qb4DQFu/U3buRKlemZ9DnGAz

Score

10^/10

zeppelin persistence ransomware

Malware Config

Signatures

Detects Zeppelin payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022e68-133.dat	family_zeppelin
behavioral2/files/0x0007000000022e68-134.dat	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin

Executes dropped EXE 1 IoCs

pid	Process
4844	smss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	4.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	geoiptool.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2008	4844	WerFault.exe	80

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4844	3444	4.exe	80
PID 3444 wrote to memory of 4844	3444	4.exe	80
PID 3444 wrote to memory of 4844	3444	4.exe	80

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  PID:4844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1908
    3⤵
    - Program crash
    PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4844 -ip 4844
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
32db96b37f2eae8b4a5ea57eab7a06a5

SHA1
5c9452a956b990092a63df3149bd30f18828ebf9

SHA256
f1a4ba37c974965555658c88ce6a0e2085d8a51614393d537aca65c46e09d09e

SHA512
d7097cd356d07b7df806d7e0e6b5c832c0b60b0bbbffe354c3e7cf89c81b5bdb7672de9b4da2bf2ae4499e2bad95f2ff0ca7d7f28c8df767dc07c367a9759d27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
472B

MD5
2b31673c5aec0f1f947b38be3c240ea7

SHA1
e315c9ab07e0163e096e8b04429ab18a1592889c

SHA256
19cd82739b40d6fb3496f711b2e8cb8d2c1dca9f9b0379dc4976358bcd007c34

SHA512
5a6df805b6c3637a766f5f049a53b308bb5fc26132667439cd5e00929fe7688d2b21e7608f00201bc2d61f6908eedc2dc7037d59cbf4d27e6c64a462ee0f59de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
87975cbd581677a6d5cd26114617fd3f

SHA1
419007e489475e1a31e6200d1137d013b80a35e6

SHA256
dc6f87cc6bf6c82609944c30dfa67249c8cbce298a968cf03e791c62c9ec25c2

SHA512
1bc31a114308b5773138a10db665409fe542eb47f4d4529ad901c64d133dfa8e41f638d57d253ca5a4155461cc847a7e284f2c43b6c3807ce37ec476df5aed57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
2ccc3db9b0c647e470f7740ba9e47804

SHA1
8a7369c349390100420e5691242c0fac2f86b0e1

SHA256
6fc7e30711a1856d6f01d63fc0da52233e40233257299db83399322634a4b5ca

SHA512
50ba69a5c151c61a5691a78a3ef34b39eb7c7f45bcada45145182841b4c17ca12a6d774c15a9c3bfdf4a4d75dc08419431d3ca3a79c2bc63c4cf208f5d78b406

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
488B

MD5
32ceff41916a2d57794bcb4da5af9110

SHA1
b2a7c5595ffaf6206538bf95a52e5e3e5623b2d3

SHA256
cfe5ea50a4f498548859e17cf7bbb8c69a5358a54ca6c4b75ebc5129c2f26bcf

SHA512
b9a6b25e82c52149bacd8664fce9cbb4f4d137be55a483f275c3876135130f7e9d78fb28785c34d2d3ac8ac38908d02419683b9efdc10e868af1e115b88a552c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
991751eb342296bff5efbe4618ad7b58

SHA1
9794d9c37bf80efecfa9e7ab9c3da42c427532ca

SHA256
c9defcdd826b460d9316fcf16da9ed95e89d480ab10ecfd14c4d04ed7c429e3f

SHA512
ebdff46300490ebe4bf857c629ceaf445142e6068846851c9427532e2b6a54e11fe92d020af43a72eefeda4452d6cc8092f2932885b20da01db83bba64be6824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\LUZVT3TB.htm

Filesize
18KB

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\Z8OPXCKF.htm

Filesize
184B

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
211KB

MD5
8f43f1fddbcf5409408eb618a981b23b

SHA1
3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2

SHA256
6656c50ffbdc59ce71b93474f43270dfeb42b57451724c25fa26f5bbf532e449

SHA512
3a6bca15442233f9b36e51ea984353925d43ac17326742ad8a562542ca20e99da0477b583b8cc415eb8ab09b306a6b903e7ee1d79137487312ab5327f8ac2387

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
211KB

MD5
8f43f1fddbcf5409408eb618a981b23b

SHA1
3ff15167aa71fc29c7f3ee17fc5f482d8ecceaf2

SHA256
6656c50ffbdc59ce71b93474f43270dfeb42b57451724c25fa26f5bbf532e449

SHA512
3a6bca15442233f9b36e51ea984353925d43ac17326742ad8a562542ca20e99da0477b583b8cc415eb8ab09b306a6b903e7ee1d79137487312ab5327f8ac2387

Download Submit