zeppelin | d67091e8079d0dcf4f3962628e4f7520309a8111750082218c3be89a8fa70e3d

Analysis

max time kernel
165s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

260441ed9d2a0fb7db58c1b904c7c374.exe
Size

241KB
MD5

260441ed9d2a0fb7db58c1b904c7c374
SHA1

b0c88807180389872df34dd98b1e3bdbc1a6f6e9
SHA256

d67091e8079d0dcf4f3962628e4f7520309a8111750082218c3be89a8fa70e3d
SHA512

3aa5326cd6a49f117e2097c457fdf85c0fcf88e39fd0966893504da9cb13cd16275a444336e49462edc2e375cbf888d543184fdb2be00ce71716f2f695fd6005
SSDEEP

6144:PXyH5a0vECLJg6bEmNAgGA1C4PGtv13T:6H5zY6bRKgGA1CkY9

Score

10^/10

zeppelin ransomware

Malware Config

Signatures

Detects Zeppelin payload 12 IoCs

resource	yara_rule
behavioral2/memory/1744-2-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral2/memory/1744-3-0x0000000004A30000-0x0000000004A67000-memory.dmp	family_zeppelin
behavioral2/memory/1744-4-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral2/memory/1744-5-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral2/memory/1744-10-0x0000000004A30000-0x0000000004A67000-memory.dmp	family_zeppelin
behavioral2/memory/1744-27-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral2/memory/1744-30-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral2/memory/1448-46-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral2/memory/1744-47-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral2/memory/1448-60-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral2/memory/1448-72-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin
behavioral2/memory/1448-73-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	geoiptool.com

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	260441ed9d2a0fb7db58c1b904c7c374.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	260441ed9d2a0fb7db58c1b904c7c374.exe

C:\Users\Admin\AppData\Local\Temp\260441ed9d2a0fb7db58c1b904c7c374.exe
"C:\Users\Admin\AppData\Local\Temp\260441ed9d2a0fb7db58c1b904c7c374.exe"
1⤵
- Modifies system certificate store
PID:1744
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  PID:1448
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
8f022f33400cd7c2acf4fcb382448b46

SHA1
48384b8f7626c8f336ac651fcaa3fccbb75be1d9

SHA256
c635a458951e40a7478a74d591fa213bbd9b752ed9268202d4f86895440b6b00

SHA512
003faf1ad8a027fb24d6c6f751f8a1314c50ba0256cc9dc676180c4771a6456cbb6359451df98501897ab1424fb1c2f0674695e0b0fe11b5d7f5d88b26f10701

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
472B

MD5
16a2e770e691be8c2bdf68398bcd620b

SHA1
514e07bd8c49fb8a857842ea606bb18f5e9d9f64

SHA256
3545ea675337ff64f23943491a9a552f9d8a1c7c43ab0ff381e69e85e7b00c91

SHA512
d0e6a1d6df39b740451f9ceadc1215b3085d8fc008d5c1a84b0a174d1cfe9c55000eee30c2b0112800e98ab702c33dd25c69927f103668dc5ba353ce6e76b68e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
47724cba3f4cf0fa3bdeb2b01671f214

SHA1
83897df7c696cf089b80df2d3e74f4c5de488bb9

SHA256
5dab82a60289704c34ffca0a777ba27e0a0a82ed0ef22af31297add946c8f1f0

SHA512
e0bfa0cec57a67db78349c8b8907272a0445b40287d7f5f0c526456730fc6d646e8fc0ab7607c9eb7c7b8c618d86bda9fa0971c4efec97fc832038a5520f2ff6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
37ecc163fb07232f2e7c14af4d2b477a

SHA1
6fb8f6c8ac4f2f62587e96e981fb8ee7159bd670

SHA256
f982ab3fdc5e7395975499075b8be076dca431073af37e58b0ae0401baa82836

SHA512
7e68f7480f4132bbc51b83a2e3bb2dc88393368bb47d248f6ffec61322bd84faa5add96776af2d7ecde2e2f5b61b41c8b57ceb6f367710766c24438b625be30a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
488B

MD5
9f45a67e5f2d1d6eee8f8f543c067532

SHA1
a1545a32fd14b14ad69d21b81dff9378117c6b66

SHA256
b93aab456f681c91e1a814481d7652f22d4b4d65475814eeb1f90bdc114fbb13

SHA512
a01e0d5dc6cdf908f0f727e6794e64cd52d4993ff77877e415361cb7c91c7644c06f5b63cca6cfee516e2bc5cc2d6a857426173e4d5b80ac58bcd622901986de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
3f2b634914478d58c531fe912d51767a

SHA1
d073158b2e197a86da6e67b61a9491d60f358a19

SHA256
643e07f938c863cacd97cfd0784537d605f145d79e3e939b78e07e63f08bfc8f

SHA512
62f18c8d62f91f83d2e86bad5c1f3de6ffe64a11709532976b19b05db2355d00f7fa0e4d1ddec98f79a23c9f99c86c5e462374eafffe81941b140e3f9b4def9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\43O0UZKG\T483JG2V.htm

Filesize
18KB

MD5
d86c179bcfbd66e883f47019ea1ca200

SHA1
c63ad8a4b2a4c3e5408225a1231e25ec44d65eb8

SHA256
b465036b723ca3a35874e6eb4a2560140a2a9364ecc53b2dc7c0f1b59d216bea

SHA512
d9136ce45ba1210a717199f6f9292a656ef0fa86674c168a9be09c7ae2aab25c247bc417d1bf24c11fc403becc0da50805a61f0731c358c596a0780ffe986d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G8X408WQ\9V2XP4QX.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
118KB

MD5
17af4d16cbd07a7d3326a3bb1810b057

SHA1
e01c5b32d661952dc43e3a1e6c59c755c15624c7

SHA256
13f7849eab6efdad509184364c30fe4199ebf1b4fb59314d1c4040a5cbdbe01c

SHA512
56932d625ef927eb440c80d90f17c38756fc4ba50dc87530087e7e350117bdea29bd18af5068e569ae80bc51cc37855f19b54875cdd4b7b30efd0aa0301fc3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
241KB

MD5
260441ed9d2a0fb7db58c1b904c7c374

SHA1
b0c88807180389872df34dd98b1e3bdbc1a6f6e9

SHA256
d67091e8079d0dcf4f3962628e4f7520309a8111750082218c3be89a8fa70e3d

SHA512
3aa5326cd6a49f117e2097c457fdf85c0fcf88e39fd0966893504da9cb13cd16275a444336e49462edc2e375cbf888d543184fdb2be00ce71716f2f695fd6005

Download Submit
memory/868-43-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1448-60-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/1448-73-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/1448-44-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/1448-46-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/1448-72-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/1448-71-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/1744-27-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/1744-7-0x0000000002D00000-0x0000000002E00000-memory.dmp

Filesize
1024KB

Download
memory/1744-5-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/1744-4-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/1744-3-0x0000000004A30000-0x0000000004A67000-memory.dmp

Filesize
220KB

Download
memory/1744-2-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/1744-10-0x0000000004A30000-0x0000000004A67000-memory.dmp

Filesize
220KB

Download
memory/1744-30-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/1744-47-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/1744-1-0x0000000002D00000-0x0000000002E00000-memory.dmp

Filesize
1024KB

Download