zeppelin | 1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d

Analysis

max time kernel
15s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2023 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe
Size

250KB
MD5

8298bea449a626ed8d9cd54d741075a7
SHA1

506c82cfd2d54e3684787aee836645788cf4dca3
SHA256

1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d
SHA512

74b7538a941f9008a84764a4b4e57d05f0b492015fa560fddfcef2a99d0227088300fa26d8b9e9a85f363164793ec9331b32d26044b069c885a5ef5b7ff9d1bd
SSDEEP

6144:PWfM6iKwtADM5njFGKfi/Xm51QCG8VG1XhmIQ4L:+l0LnjFGKf351rGagwhW

Score

10^/10

zeppelin persistence ransomware

Malware Config

Signatures

Detects Zeppelin payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Public\Videos\hgfdfds.exe	family_zeppelin
C:\Users\Public\Videos\hgfdfds.exe	family_zeppelin
C:\Users\Public\Videos\hgfdfds.exe	family_zeppelin
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe	family_zeppelin
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Executes dropped EXE 1 IoCs

Processes:

hgfdfds.exe

pid process

1516 hgfdfds.exe

pid	process
1516	hgfdfds.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hgfdfds.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	hgfdfds.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 geoiptool.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
39	geoiptool.com

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe

description	pid	process	target process
PID 3364 wrote to memory of 1516	3364	1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe	hgfdfds.exe
PID 3364 wrote to memory of 1516	3364	1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe	hgfdfds.exe
PID 3364 wrote to memory of 1516	3364	1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe	hgfdfds.exe

C:\Users\Admin\AppData\Local\Temp\1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe
"C:\Users\Admin\AppData\Local\Temp\1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Public\Videos\hgfdfds.exe
"C:\Users\Public\Videos\hgfdfds.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1516

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
3⤵
PID:4160

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Public\Videos\hgfdfds.exe
Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Public\Videos\hgfdfds.exe
Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Public\Videos\hgfdfds.exe
Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
memory/2256-162-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download