Analysis

  • max time kernel
    155s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
  • submitted
    02-08-2023 18:12

General

  • Target

    Zeppelinbggaehbcdj18_browsingExe.exe

  • Size

    100KB

  • MD5

    cf5a358a22326f09fd55983bb812b7d8

  • SHA1

    1addcffae4fd4211ea24202783c2ffad6771aa34

  • SHA256

    dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f

  • SHA512

    5e4129009c716286c9a2d85f846c75053d71251c9ab52f440da5a3f1a5cc6d9d7d795753bc7e37ef11353fb694f1c0991d127c28d6cd1188316623aa57cb2e5b

  • SSDEEP

    3072:ge2IWDaNiBBXtw4KLStagKwbzCcO8WWZ5:kIeoiBBXGLSYgZzCx8Wq5

Malware Config

Extracted

Path

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note
ALL YOUR FILES HAVE BEEN ENCRYPTED BY "VICE SOCIETY" All your important documents, photos, databases were stolen and encrypted. If you don't contact us in 7 days we will upload your files to darknet. The only method of recovering files is to purchase an unique private key. We are the only who can give you tool to recover your files. To proove that we have the key and it works you can send us 2 files and we decrypt it for free (not more than 2 MB each). This file should be not valuable! Write to email: [email protected] Alternative email: [email protected] Public emai:l [email protected] Our tor website: vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to ours) or you can become a victim of a scam.
URLs

http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion

Signatures

  • Detects Zeppelin payload 23 IoCs
  • Zeppelin Ransomware

    Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (269) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 31 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Zeppelinbggaehbcdj18_browsingExe.exe
    "C:\Users\Admin\AppData\Local\Temp\Zeppelinbggaehbcdj18_browsingExe.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2352
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2748
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
        PID:1452
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        PID:2796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        PID:2900
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2800
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2108
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:3068
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 1
        3⤵
        • Executes dropped EXE
        PID:1096
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      2⤵
      • Deletes itself
      PID:2312
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1948

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

          Filesize

          1KB

          MD5

          bbcf34cd6da2b72eabeafe2e82846df8

          SHA1

          e17a5459251d6fdce6184a438752766158337c4b

          SHA256

          46bb44ee485f8ae3d19c3890f69430c5dc2fa8f88bb13138bbf5073a3c9812ac

          SHA512

          520b31de32e5e0acbd7c725ef246b6f049b6ad19060b1631c00ab06caa60480128af39016ae40f7c287ec66a0fbc1ffec6ade85fde12d5333792b92dcec957cf

        • C:\MSOCache\.Zeppelin

          Filesize

          513B

          MD5

          5d0187ffdf87419fc8f56f58ad65b092

          SHA1

          1ca27fd360d3d7a42b600de4a047adb2aca31e80

          SHA256

          2e64b7e05eab9618681023654d37ee007df4592e082b5a78ad88c6b05f73dc12

          SHA512

          6072ba29bb6da96f42c2461b67bea643b4ddefbd4fab96c1397164c038ff4d9f7cd5ca6733acc685ccf90cb274d8796a9b72da535af036bcbc6d029fbc749c58

        • C:\Users\Admin\AppData\Local\Temp\~temp001.bat

          Filesize

          406B

          MD5

          ef572e2c7b1bbd57654b36e8dcfdc37a

          SHA1

          b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

          SHA256

          e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

          SHA512

          b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

          Filesize

          100KB

          MD5

          cf5a358a22326f09fd55983bb812b7d8

          SHA1

          1addcffae4fd4211ea24202783c2ffad6771aa34

          SHA256

          dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f

          SHA512

          5e4129009c716286c9a2d85f846c75053d71251c9ab52f440da5a3f1a5cc6d9d7d795753bc7e37ef11353fb694f1c0991d127c28d6cd1188316623aa57cb2e5b

        • C:\vcredist2010_x86.log.html

          Filesize

          83KB

          MD5

          e17cc53232eb72167a7b20e3714cc188

          SHA1

          a9d912a0555b86efe701510b665cde67052e709c

          SHA256

          57ea44bad17fc2c96ae0f8d3bfafc3084dae36401bfebdacc4bc3aaee4ee5c9c

          SHA512

          5b2ee31adfb148c130dc42a13286b1c44b71b0c661dd85c0ffe8f0fd5775c04a6524cd36949c9153555362e3d1995016d972d6fcf34c82e3ace306bc7beece6f

        • \Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

          Filesize

          100KB

          MD5

          cf5a358a22326f09fd55983bb812b7d8

          SHA1

          1addcffae4fd4211ea24202783c2ffad6771aa34

          SHA256

          dd89d939c941a53d6188232288a3bd73ba9baf0b4ca6bf6ccca697d9ee42533f

          SHA512

          5e4129009c716286c9a2d85f846c75053d71251c9ab52f440da5a3f1a5cc6d9d7d795753bc7e37ef11353fb694f1c0991d127c28d6cd1188316623aa57cb2e5b

        • memory/1096-86-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/1096-90-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/2076-75-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/2076-54-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/2076-68-0x00000000029E0000-0x0000000002B26000-memory.dmp

          Filesize

          1.3MB

        • memory/2076-66-0x00000000029E0000-0x0000000002B26000-memory.dmp

          Filesize

          1.3MB

        • memory/2296-84-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/2296-450-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/2296-1169-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/2296-69-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/2296-96-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/2312-74-0x00000000000E0000-0x00000000000E1000-memory.dmp

          Filesize

          4KB

        • memory/2312-71-0x0000000000080000-0x0000000000081000-memory.dmp

          Filesize

          4KB

        • memory/3068-1168-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-384-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-723-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-810-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-950-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-1087-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-85-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-363-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-1162-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-1172-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-1178-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-1182-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-1247-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-1476-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB

        • memory/3068-1659-0x0000000000400000-0x0000000000546000-memory.dmp

          Filesize

          1.3MB