Extracted

• • Target

    2023-08-26_51e3c1e8f1e4bb84098cc6f86092aa51_zeppelin_JC.exe

  • Size

    211KB

  • MD5

    51e3c1e8f1e4bb84098cc6f86092aa51

  • SHA1

    d0dd5aa280c4db736aa1130d54cb8e8bd4830ccb

  • SHA256

    d7cece314f0c504bdb7f097718c4d66e4e5132016c83d9fbffb82528f440b13c

  • SHA512

    f6f274b7bfb91050f98a5190aac5790dc3d8d46b147f4200a993015442234c630a425b9800e2758aab4de5d554cf793d1ee529de3cafbf052fa29a05efe73080

  • SSDEEP

    6144:yia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+7o+:yIMH06cID84DQFu/U3buRKlemZ9DnGAI

  Score

  10^/10

  buranzeppelinpersistenceransomware

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan

  • Detects Zeppelin payload

  • Zeppelin Ransomware

    Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    ransomwarezeppelin

  • Renames multiple (7402) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral1behavioral2