zeppelin | 1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d

Analysis

max time kernel
15s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2023 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe
Size

250KB
MD5

8298bea449a626ed8d9cd54d741075a7
SHA1

506c82cfd2d54e3684787aee836645788cf4dca3
SHA256

1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d
SHA512

74b7538a941f9008a84764a4b4e57d05f0b492015fa560fddfcef2a99d0227088300fa26d8b9e9a85f363164793ec9331b32d26044b069c885a5ef5b7ff9d1bd
SSDEEP

6144:PWfM6iKwtADM5njFGKfi/Xm51QCG8VG1XhmIQ4L:+l0LnjFGKf351rGagwhW

Score

10^/10

zeppelin persistence ransomware

Malware Config

Signatures

Detects Zeppelin payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000800000002321a-137.dat	family_zeppelin
behavioral2/files/0x000800000002321a-139.dat	family_zeppelin
behavioral2/files/0x000800000002321a-140.dat	family_zeppelin
behavioral2/files/0x000900000002322c-160.dat	family_zeppelin
behavioral2/files/0x000900000002322c-161.dat	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin

Executes dropped EXE 1 IoCs

Processes:

hgfdfds.exe

pid	Process
1516	hgfdfds.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hgfdfds.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	hgfdfds.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
39	geoiptool.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe

description	pid	Process	procid_target
PID 3364 wrote to memory of 1516	3364	1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe	98
PID 3364 wrote to memory of 1516	3364	1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe	98
PID 3364 wrote to memory of 1516	3364	1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe	98

C:\Users\Admin\AppData\Local\Temp\1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe
"C:\Users\Admin\AppData\Local\Temp\1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Public\Videos\hgfdfds.exe
  "C:\Users\Public\Videos\hgfdfds.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1516
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Public\Videos\hgfdfds.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Public\Videos\hgfdfds.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Public\Videos\hgfdfds.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
memory/2256-162-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download