zeppelin | 5b458abfe7cd84787df8a77659729f73c7617b1a54daea04229a24071d7f650d

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 03:20

Target

0cc2f587dec522061d984365397cb340.exe
Size

847KB
MD5

0cc2f587dec522061d984365397cb340
SHA1

93c34efeb9efcfa2bdfbb4a50c0ab4b74b954a52
SHA256

5b458abfe7cd84787df8a77659729f73c7617b1a54daea04229a24071d7f650d
SHA512

1c48fa6ccf5756aa5a46c8e4e9ee9c13af7ba70913fe06c2ae59e2ed07a960cef88112b4b9a41f9855cd5d4c4b2dfa199e522865f3e41cad3604bfa3eaeba886
SSDEEP

12288:0Zdo2MjXkEeQGGOgSlDD7GjStd6ZG8yE:lxjXkEeQ1OnD/GjStd6lR

Score

10^/10

Detects Zeppelin payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2132-5-0x0000000000CA0000-0x0000000000DE1000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0cc2f587dec522061d984365397cb340.exe

description	pid	Process	procid_target
PID 2132 wrote to memory of 2672	2132	0cc2f587dec522061d984365397cb340.exe	28
PID 2132 wrote to memory of 2672	2132	0cc2f587dec522061d984365397cb340.exe	28
PID 2132 wrote to memory of 2672	2132	0cc2f587dec522061d984365397cb340.exe	28

C:\Users\Admin\AppData\Local\Temp\0cc2f587dec522061d984365397cb340.exe
"C:\Users\Admin\AppData\Local\Temp\0cc2f587dec522061d984365397cb340.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2132 -s 656
  2⤵
  PID:2672

memory/2132-0-0x0000000000ED0000-0x0000000000FAA000-memory.dmp

Filesize
872KB

Download
memory/2132-1-0x000007FEF5090000-0x000007FEF5A7C000-memory.dmp

Filesize
9.9MB

Download
memory/2132-2-0x000000001AD30000-0x000000001AE16000-memory.dmp

Filesize
920KB

Download
memory/2132-3-0x0000000000B80000-0x0000000000B86000-memory.dmp

Filesize
24KB

Download
memory/2132-4-0x000000001A840000-0x000000001A8C0000-memory.dmp

Filesize
512KB

Download
memory/2132-5-0x0000000000CA0000-0x0000000000DE1000-memory.dmp

Filesize
1.3MB

Download
memory/2132-6-0x000007FEF5090000-0x000007FEF5A7C000-memory.dmp

Filesize
9.9MB

Download
memory/2132-7-0x000000001A840000-0x000000001A8C0000-memory.dmp

Filesize
512KB

Download