Analysis
-
max time kernel
165s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
11-10-2023 17:59
General
-
Target
2023-08-26_51e3c1e8f1e4bb84098cc6f86092aa51_zeppelin_JC.exe
-
Size
211KB
-
MD5
51e3c1e8f1e4bb84098cc6f86092aa51
-
SHA1
d0dd5aa280c4db736aa1130d54cb8e8bd4830ccb
-
SHA256
d7cece314f0c504bdb7f097718c4d66e4e5132016c83d9fbffb82528f440b13c
-
SHA512
f6f274b7bfb91050f98a5190aac5790dc3d8d46b147f4200a993015442234c630a425b9800e2758aab4de5d554cf793d1ee529de3cafbf052fa29a05efe73080
-
SSDEEP
6144:yia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+7o+:yIMH06cID84DQFu/U3buRKlemZ9DnGAI
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Detects Zeppelin payload 18 IoCs
-
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Renames multiple (2497) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2023-08-26_51e3c1e8f1e4bb84098cc6f86092aa51_zeppelin_JC.exe"C:\Users\Admin\AppData\Local\Temp\2023-08-26_51e3c1e8f1e4bb84098cc6f86092aa51_zeppelin_JC.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 13⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
943B
MD58712c051889f6a05b81917f08addeeaa
SHA139ea73ab29fe2d77cf11fcf8b0e090339a0e1090
SHA2565316aaf09a6ae9f8f2e6f150e42b2a23c6ba78ef87327403d0319feae018ac13
SHA5125f5676c9ada1a4b6e915c58870e8ff4e2bf5cc106e68095a0fd3bc61de5419968771897db77ecc66227d82116b252cc40c588a49377cc2199379d1e5f29331b5
-
Filesize
22KB
MD5fc65fa3b536a0ceea134a1eb15187555
SHA166c3706ade32a95100411cff9479821f8ada0158
SHA2567d80c82f1ee69ffcaec3f7a1b6a27a7f63c92e86ad8159afcfabda6a0f536102
SHA512b9303fb1d81978e8a015e5c724d69f9749c77fb13974cc162c45be0a9f13f08d5467dfc02455667faa01b6862e652d829ad1341ff9c42caa0fec587f95415818
-
Filesize
17KB
MD5a0bf03ffd75bde799658d7bcf631381a
SHA1a7cf6bec4160e70207f6a5ccd2497103097b1f4b
SHA256297609525950aeae11211bcf22a7dd5aa6ed318b3b927af259f4efb929668667
SHA512328dce8102c591724eb536aeeb7569ef04e03dd31e8e8026e39c06c5e9578d1303feebc9989932724bb56370f646f02cd5ea0cf42fa74e2a2cc39dbe70a4b669
-
Filesize
7KB
MD57bad6207bcd2c4dbf059a695f3d8ccd3
SHA1b20f03cc32749137343eeb0cb2ec142fa29fc824
SHA256145043bceebd2aef114dab0175aa088781735868f9b44a21878eaea291c88b9c
SHA5126555452cf76efc97ad8415c328adb72f2ecef0cac26abe463cf277efd31f48b941987c6b7c98b9233d6bb4aa173c200ba7b264bea3eea1e957f956f99110ca6c
-
Filesize
13KB
MD532210e71a9f5bd31480286dfd7e0e14e
SHA17b9001ec5d3d0484e489ef85633f00b35ddb2b1a
SHA256243e00a322561c58d15e1f183844ee48c564e34dfe53df1f81821cad75cf1390
SHA512254d5320416dd5dd6f25eee0689360d692da272b4d6236fb86416072d0dfe87412cc23dccf94becd1d69969e6a9f825618360d51be5bd4bad8feef66b4c19b8a
-
Filesize
10KB
MD5b6051a9f5aa2bf3cc08a34fe85191c7b
SHA10c7df072d63eb38a4ce7ff63ba22d400da45848e
SHA256081a08f50a5b07422e4e1e52b700fb91778838d4a6416813e755bca7b808d19a
SHA512de5e25ad0ca4309554de9cb3afae2686366724cc765d955eb3f4317d52ecf25d76762cdbeb86bf4ce6023711ca739dc392b5b70c297c741fc82705941306df51
-
Filesize
13KB
MD58dd3f7c942db69737a4074e9e21cdad8
SHA12c4d716dcc5e9f1a32bf230ed5e26e875d73635a
SHA256ddd7bab39b64144a9f477293871ed1b11f8c26fab42d10fc4182863c0d255fa7
SHA5127909f5758d657e11aedcf0c024a6d32af309e89e9870870bf2bbf9f054abba2a43ec39decd7cc11290708ac40f4e8545c25337a0ca960228a010a08b805910d8
-
Filesize
10KB
MD5a8d38a81231ad157a17e0671ab39d62f
SHA1b7892d38b9d9a0896bd6aaab0a741ae4a4b80f39
SHA256bfd0d6d32fe502e3fe52514aa12c3b496a5037374cac4f67361541183f14144e
SHA512f4879a896caae050cde38260956c121ee7feb03700614732382d746e2fdc736aa073515a748d50b06a1ed3d5fe69c9995d06363e7d6d27d5ebde4c80f945c2d5
-
Filesize
13KB
MD5b9410950fdc26a0840b279fe35f7cc6a
SHA18c622acf3a6dc9ba59ce6c12767332f9b0ef1b4f
SHA256c0919b76c23826561d61036270302071cb81af63e7d846e4ffcc5263ca7cd04b
SHA5129514dfa3a1fb4b419c5af8705e770afba297765163c1661c7cd617c17e797e9d7b593136069a244c2c5809c93a2bf36017593334bca191f3b17c45d5c8a1320c
-
Filesize
211KB
MD551e3c1e8f1e4bb84098cc6f86092aa51
SHA1d0dd5aa280c4db736aa1130d54cb8e8bd4830ccb
SHA256d7cece314f0c504bdb7f097718c4d66e4e5132016c83d9fbffb82528f440b13c
SHA512f6f274b7bfb91050f98a5190aac5790dc3d8d46b147f4200a993015442234c630a425b9800e2758aab4de5d554cf793d1ee529de3cafbf052fa29a05efe73080
-
Filesize
211KB
MD551e3c1e8f1e4bb84098cc6f86092aa51
SHA1d0dd5aa280c4db736aa1130d54cb8e8bd4830ccb
SHA256d7cece314f0c504bdb7f097718c4d66e4e5132016c83d9fbffb82528f440b13c
SHA512f6f274b7bfb91050f98a5190aac5790dc3d8d46b147f4200a993015442234c630a425b9800e2758aab4de5d554cf793d1ee529de3cafbf052fa29a05efe73080
-
Filesize
211KB
MD551e3c1e8f1e4bb84098cc6f86092aa51
SHA1d0dd5aa280c4db736aa1130d54cb8e8bd4830ccb
SHA256d7cece314f0c504bdb7f097718c4d66e4e5132016c83d9fbffb82528f440b13c
SHA512f6f274b7bfb91050f98a5190aac5790dc3d8d46b147f4200a993015442234c630a425b9800e2758aab4de5d554cf793d1ee529de3cafbf052fa29a05efe73080
-
Filesize
211KB
MD551e3c1e8f1e4bb84098cc6f86092aa51
SHA1d0dd5aa280c4db736aa1130d54cb8e8bd4830ccb
SHA256d7cece314f0c504bdb7f097718c4d66e4e5132016c83d9fbffb82528f440b13c
SHA512f6f274b7bfb91050f98a5190aac5790dc3d8d46b147f4200a993015442234c630a425b9800e2758aab4de5d554cf793d1ee529de3cafbf052fa29a05efe73080
-
Filesize
211KB
MD551e3c1e8f1e4bb84098cc6f86092aa51
SHA1d0dd5aa280c4db736aa1130d54cb8e8bd4830ccb
SHA256d7cece314f0c504bdb7f097718c4d66e4e5132016c83d9fbffb82528f440b13c
SHA512f6f274b7bfb91050f98a5190aac5790dc3d8d46b147f4200a993015442234c630a425b9800e2758aab4de5d554cf793d1ee529de3cafbf052fa29a05efe73080
-
Filesize
82KB
MD5c8e3fdde2c33ab19e0b20cc98c14cbfc
SHA10ffd9bc9792c86c163de98aedb65e08869cbd364
SHA256a4537570ee20e10258c3f61619efd2a24a5f5430afda36a5658c374a03cbeff9
SHA5128230921aac557d7e315b1e0de50e44a6560ec3e03e7dc4f0f54ea907a5b25a5c4241c133bb3eff8c4aa78d6039a6853199e7a468ff519bf4fa535dcd28e89583
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
