Resubmissions
03/01/2024, 15:08  240103-shylyshgh6  score 10
03/01/2024, 15:05  240103-sf7rvahgf3  score 10
03/01/2024, 15:03  240103-sfclpsfdcq  score 10

Analysis
max time kernel: 3s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 03/01/2024, 15:05
Behavioral task: behavioral1
Sample: 2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Resource: win10-20231215-en

Behavioral task: behavioral3
Sample: 2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Resource: win10v2004-20231215-en

Behavioral task: behavioral4
Sample: 2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Resource: win11-20231215-en
General
Target: 2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Size: 211KB
MD5: bab201c1a2c8e0f99e683591945e7e3d
SHA1: 90e57172d463dcd6df22d2bf96a6b265a7fdec65
SHA256: 88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
SHA512: d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a
SSDEEP: 6144:jia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+zY+:jIMH06cID84DQFu/U3buRKlemZ9DnGAs
Malware Config
Signatures
Detects Zeppelin payload (8 IoCs)
resource  yara_rule
behavioral1/files/0x000b000000013a71-4.dat  family_zeppelin
behavioral1/memory/2912-18-0x00000000001C0000-0x0000000000300000-memory.dmp  family_zeppelin
behavioral1/memory/2520-23-0x0000000000AC0000-0x0000000000C00000-memory.dmp  family_zeppelin
behavioral1/memory/1792-10269-0x0000000000AC0000-0x0000000000C00000-memory.dmp  family_zeppelin
behavioral1/memory/2728-16317-0x0000000000AC0000-0x0000000000C00000-memory.dmp  family_zeppelin
behavioral1/memory/2728-28286-0x0000000000AC0000-0x0000000000C00000-memory.dmp  family_zeppelin
behavioral1/memory/1792-30147-0x0000000000AC0000-0x0000000000C00000-memory.dmp  family_zeppelin
behavioral1/memory/2728-30111-0x0000000000AC0000-0x0000000000C00000-memory.dmp  family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes itself (1 IoC)
pid   Process
3064  notepad.exe

Executes dropped EXE (1 IoC)
pid   Process
1792  explorer.exe

Loads dropped DLL (2 IoCs)
pid   Process
2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid  Process
944  vssadmin.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Token: SeDebugPrivilege  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description                        pid   Process                                                     procid_target
PID 2912 wrote to memory of 1792  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  29
PID 2912 wrote to memory of 1792  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  29
PID 2912 wrote to memory of 1792  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  29
PID 2912 wrote to memory of 1792  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  29
PID 2912 wrote to memory of 3064  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  28
PID 2912 wrote to memory of 3064  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  28
PID 2912 wrote to memory of 3064  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  28
PID 2912 wrote to memory of 3064  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  28
PID 2912 wrote to memory of 3064  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  28
PID 2912 wrote to memory of 3064  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  28
PID 2912 wrote to memory of 3064  2912  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  28
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe"
    PID: 2912
    signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe
        command line: notepad.exe
        PID: 3064
        signatures: Deletes itself

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
        PID: 1792
        signatures: Executes dropped EXE

        C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
            PID: 2592

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 1
            PID: 2520

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
            PID: 2728

        C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
            PID: 2144

        C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
            PID: 2768

        C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
            PID: 1168

        C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
            PID: 2792

        C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
            PID: 2620

        C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
            PID: 2652

        C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
            PID: 2668

        C:\Windows\SysWOW64\notepad.exe
            command line: notepad.exe
            PID: 1980

C:\Windows\SysWOW64\Wbem\WMIC.exe
    command line: wmic shadowcopy delete
    PID: 2516

C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    PID: 2840

C:\Windows\SysWOW64\vssadmin.exe
    command line: vssadmin delete shadows /all /quiet
    PID: 944
    signatures: Interacts with shadow copies
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 668KB
MD5: 83128fefb52382fed11765ff1618b86e
SHA1: a0706126d362ac77d532171132303261dfc694f6
SHA256: 6f0fc76b240113d7146fd983b88941c7e0c6cb6af4dd26a7b4f00dfd1e96caaa
SHA512: c89c34a7f2d71f8e4c6b68e8624c4276097a2841797a8fc70cf405ef2d6014e242158271b5df16da4afdcf9db6c773a2fefda945b7072955b97378c4ed00554b

Filesize: 485KB
MD5: 8e26371340d20809c335c0e371e80b81
SHA1: 863bd1c8bcf4dd15ba78eb9fe045af1a86f55898
SHA256: 6931ad97cdda8c7dca9fc246f7805f040a15dcc1af74603b8452f3c616c85827
SHA512: 985408246694ed9e6c48b63bc559033df1eb7f8955f9c878abe91e701fb47dcbbaa76a3747c6b1f8b0995d1984da1753e5459242968e34ab1007fb6450e1ebc7

Filesize: 741KB
MD5: f99b651fb886933ff103e3a4c1ea72f1
SHA1: a563a6f3edde8c60940015296cbb13f224da9890
SHA256: 3b8a3d2e33eb59a99c6af23e3b29583fced198fd0fcedb85e9045fba5109f6e6
SHA512: f2c29c4e805b7fd3c21fb9b50aa0f64d80c70dab31d9d65de0c3c8105c51a016d4978f968af501debba9ab44de06682383e9ade3e00833b7e603650a4bf5d7c3

Filesize: 558KB
MD5: 2831ad254605759e5e7840e3aa4335cd
SHA1: a6bd4fdfdf35d3ab024f787eb30769c1bf136e58
SHA256: 5ae396223244674a897f77e92972adc99affe9ec3ee36951e1a91f9df6820ffb
SHA512: 1ea1ca111f671cbda9340c4af2fa5f295fc03086f218acd0a81d26d6fadd3716c7a002e26812f63b02600306b910292c961369136f78bc12fc21d5837668918e

Filesize: 339KB
MD5: 253dc108b5ed50424ba9d403c954518a
SHA1: 5873f409233ceff1facfa6dae230f57c1dab547d
SHA256: b255af7219e88d402baf16533d9100d11981077f8ee0f854b426854cd7a74a9b
SHA512: 2e19bcda0ff2a6616d0f54a7ac2f8f6d145bca5d090f23139c41a6bc427955fa8bc483d4aa120e07b7438d06a2e5b222680a3e1490600eaed12fe609befac6db

Filesize: 759KB
MD5: 689214e388ad2063da6b7df6b1378e40
SHA1: a2cfa75435c61b05278571c40911d5431d85c22c
SHA256: 5e8bc0ffd79adb9167628df3821c9a50bccf271613558e44ee771e66e43b3dfa
SHA512: 28db157b2c546d460c6ca9b707381a1cb2046cdddee05d7ed603cbb88dd57fbac63e6c7468ddca706bec8275f106fb641f23f0da9fcc436df7aa5bd168996108

Filesize: 631KB
MD5: 5ddc15c5c60b2acfa3980d3ef182191e
SHA1: 02158d938c6148eb479166b1a3933a105f1c2092
SHA256: 0230b2f8e2f786b8d65acb8701ca64a5defc03742a306378a6a170489d7e80d8
SHA512: baecb0348cd5b09308d5fa7af61f7c1764ae931b46c5b2c9ed1d4030b063250ef7c8d47f3bd5c06f60dc7a4c878f29164aa59f0f411dc2f7a58af212123b3341

Filesize: 266KB
MD5: 68f1242582e9506e94c0ae1f40079286
SHA1: 183f25216c8e9ca5d1404a6d687147495ea2db67
SHA256: 550f955e40b96612614cbbf7990b28bd4b51932899c8fdf24308ab057fa00f96
SHA512: 675d57eeda0627a65e6f0f011afa2174871131a85d71d6760821796c9976cdc9eea0fc82f20b9cd50edcc356f20457a93a50eb9bd8f48744b38b0549050b51c7

Filesize: 595KB
MD5: 9930c305c46a195ac79b189e729a855f
SHA1: f208cb485a5ec4f06dced2ef1ebdaae6f1169536
SHA256: 678dc3eb94ad2b51a452d187f2b06731ac4e93f537e14fa2df70861621b10e64
SHA512: 936e1960fb342c5eee1b6e3e78943c6de67a3174cdc5c057aecd55acf2d5f502740edd75cf0951d158ea93bdd3950d33ba2e868249d5e77d69fdffc0b61591d1

Filesize: 376KB
MD5: e4f748efc25b7274e5835f28dcf81732
SHA1: 47a82db488cd7d975fa8455e29b979e1648a137c
SHA256: 0419df58d3298533cce4c7a2a4e8a1342ffd7112e706918abac3f92523deedd7
SHA512: 1e7883cec8f0b351fc4a05d225e405bec6d8cfdec72e08d32ed7d31e3c225f409fd100b7caf8c23211e8676390d06d149d8b5c2b2d22f45c5785b0df41522290

Filesize: 449KB
MD5: c164b709a2af241c6c171e93a9fbf0dd
SHA1: 0e18f6a64a23a3b15535ce5d44ef3e1b18367c83
SHA256: 7ab7c532d9a36d0346cddf89b0a1717933c728638a252c289fb5983d8e79e2c6
SHA512: 8f943d2fd84cac2d264379a069dc6025c54b36331b946a910650529cbbb5a4f3ff78c930fb4e5accb37ef91ec3896512ac2339d128376713136b71a4ee9ca073

Filesize: 613KB
MD5: 64d40073c2b98a69e7ffe997326c9003
SHA1: df01111c035fbc7a27d8d19f65de22b4989582a7
SHA256: 467f466692467f44aa32e40d7f8a597b3d133d1c7977533458371c38a180f1d7
SHA512: bf1b4deeb06fb6b80546f0836dc9d1d41683d8758e77087dccf96834a994aaf2e1f0333d3e6ae0f19dcc17462b3d0439c40d42537cf5ab747a7e44e2903254ca

Filesize: 211KB
MD5: bab201c1a2c8e0f99e683591945e7e3d
SHA1: 90e57172d463dcd6df22d2bf96a6b265a7fdec65
SHA256: 88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
SHA512: d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a