zeppelin | d67091e8079d0dcf4f3962628e4f7520309a8111750082218c3be89a8fa70e3d

Analysis

max time kernel
10s
max time network
131s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

260441ed9d2a0fb7db58c1b904c7c374.exe
Size

241KB
MD5

260441ed9d2a0fb7db58c1b904c7c374
SHA1

b0c88807180389872df34dd98b1e3bdbc1a6f6e9
SHA256

d67091e8079d0dcf4f3962628e4f7520309a8111750082218c3be89a8fa70e3d
SHA512

3aa5326cd6a49f117e2097c457fdf85c0fcf88e39fd0966893504da9cb13cd16275a444336e49462edc2e375cbf888d543184fdb2be00ce71716f2f695fd6005
SSDEEP

6144:PXyH5a0vECLJg6bEmNAgGA1C4PGtv13T:6H5zY6bRKgGA1CkY9

Score

10^/10

zeppelin ransomware

Malware Config

Signatures

Detects Zeppelin payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3044-2-0x0000000000220000-0x0000000000257000-memory.dmp	family_zeppelin
behavioral1/memory/3044-3-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral1/memory/3044-80-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral1/memory/2020-85-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral1/memory/2020-112-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral1/memory/2020-182-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 geoiptool.com

flow	ioc
3	geoiptool.com

C:\Users\Admin\AppData\Local\Temp\260441ed9d2a0fb7db58c1b904c7c374.exe
"C:\Users\Admin\AppData\Local\Temp\260441ed9d2a0fb7db58c1b904c7c374.exe"
1⤵
PID:3044
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:2536
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar461A.tmp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
241KB

MD5
260441ed9d2a0fb7db58c1b904c7c374

SHA1
b0c88807180389872df34dd98b1e3bdbc1a6f6e9

SHA256
d67091e8079d0dcf4f3962628e4f7520309a8111750082218c3be89a8fa70e3d

SHA512
3aa5326cd6a49f117e2097c457fdf85c0fcf88e39fd0966893504da9cb13cd16275a444336e49462edc2e375cbf888d543184fdb2be00ce71716f2f695fd6005

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
92KB

MD5
b00bdd86eac8de702ff32fec978b8318

SHA1
a4c4414a5a9967b9509a3d0c40adf924458116a6

SHA256
76ae6d919e467b8542ec99a077202fd23a474e4e9432b435f67cc3a50c6225ab

SHA512
3520de6fdbeea77b3d41f01416d9411d1530acfb4218f4ff5e7cf541f6cab8232906edc96c22b9dea40e334a8e2da8ae05796084103a9260c6de2805c17721ef

Download Submit
memory/2020-184-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/2020-182-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/2020-83-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/2020-112-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/2020-85-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/2536-78-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2536-82-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3044-80-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/3044-2-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/3044-89-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/3044-3-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/3044-64-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/3044-1-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download