zeppelin | 88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

Resubmissions

03-01-2024 15:08

240103-shylyshgh6 10

03-01-2024 15:05

240103-sf7rvahgf3 10

03-01-2024 15:03

240103-sfclpsfdcq 10

Analysis

max time kernel
3s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03-01-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Size

211KB
MD5

bab201c1a2c8e0f99e683591945e7e3d
SHA1

90e57172d463dcd6df22d2bf96a6b265a7fdec65
SHA256

88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
SHA512

d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a
SSDEEP

6144:jia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+zY+:jIMH06cID84DQFu/U3buRKlemZ9DnGAs

Score

10^/10

zeppelin persistence ransomware

Malware Config

Signatures

Detects Zeppelin payload 8 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe	family_zeppelin
behavioral1/memory/2912-18-0x00000000001C0000-0x0000000000300000-memory.dmp	family_zeppelin
behavioral1/memory/2520-23-0x0000000000AC0000-0x0000000000C00000-memory.dmp	family_zeppelin
behavioral1/memory/1792-10269-0x0000000000AC0000-0x0000000000C00000-memory.dmp	family_zeppelin
behavioral1/memory/2728-16317-0x0000000000AC0000-0x0000000000C00000-memory.dmp	family_zeppelin
behavioral1/memory/2728-28286-0x0000000000AC0000-0x0000000000C00000-memory.dmp	family_zeppelin
behavioral1/memory/1792-30147-0x0000000000AC0000-0x0000000000C00000-memory.dmp	family_zeppelin
behavioral1/memory/2728-30111-0x0000000000AC0000-0x0000000000C00000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

3064 notepad.exe
Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

1792 explorer.exe
Loads dropped DLL 2 IoCs

Processes:

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

pid process

2912 2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
2912 2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

pid	process
3064	notepad.exe

pid	process
1792	explorer.exe

pid	process
2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

944 vssadmin.exe

pid	process
944	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

description	pid	process
Token: SeDebugPrivilege	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Token: SeDebugPrivilege	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

description	pid	process	target process
PID 2912 wrote to memory of 1792	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	explorer.exe
PID 2912 wrote to memory of 1792	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	explorer.exe
PID 2912 wrote to memory of 1792	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	explorer.exe
PID 2912 wrote to memory of 1792	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	explorer.exe
PID 2912 wrote to memory of 3064	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe
PID 2912 wrote to memory of 3064	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe
PID 2912 wrote to memory of 3064	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe
PID 2912 wrote to memory of 3064	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe
PID 2912 wrote to memory of 3064	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe
PID 2912 wrote to memory of 3064	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe
PID 2912 wrote to memory of 3064	2912	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:3064

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
2⤵
- Executes dropped EXE
PID:1792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:2592

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 1
3⤵
PID:2520

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
3⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
3⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
3⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
3⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:2668

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:1980

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
PID:2516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2840

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:944

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ReceiveResolve.rm.2AD-0BF-9E9
Filesize
668KB

MD5
83128fefb52382fed11765ff1618b86e

SHA1
a0706126d362ac77d532171132303261dfc694f6

SHA256
6f0fc76b240113d7146fd983b88941c7e0c6cb6af4dd26a7b4f00dfd1e96caaa

SHA512
c89c34a7f2d71f8e4c6b68e8624c4276097a2841797a8fc70cf405ef2d6014e242158271b5df16da4afdcf9db6c773a2fefda945b7072955b97378c4ed00554b

Download Submit
C:\Users\Admin\Desktop\RedoUnpublish.jtx.2AD-0BF-9E9
Filesize
485KB

MD5
8e26371340d20809c335c0e371e80b81

SHA1
863bd1c8bcf4dd15ba78eb9fe045af1a86f55898

SHA256
6931ad97cdda8c7dca9fc246f7805f040a15dcc1af74603b8452f3c616c85827

SHA512
985408246694ed9e6c48b63bc559033df1eb7f8955f9c878abe91e701fb47dcbbaa76a3747c6b1f8b0995d1984da1753e5459242968e34ab1007fb6450e1ebc7

Download Submit
C:\Users\Admin\Desktop\RemoveSend.sql.2AD-0BF-9E9
Filesize
741KB

MD5
f99b651fb886933ff103e3a4c1ea72f1

SHA1
a563a6f3edde8c60940015296cbb13f224da9890

SHA256
3b8a3d2e33eb59a99c6af23e3b29583fced198fd0fcedb85e9045fba5109f6e6

SHA512
f2c29c4e805b7fd3c21fb9b50aa0f64d80c70dab31d9d65de0c3c8105c51a016d4978f968af501debba9ab44de06682383e9ade3e00833b7e603650a4bf5d7c3

Download Submit
C:\Users\Admin\Desktop\RemoveStart.midi.2AD-0BF-9E9
Filesize
558KB

MD5
2831ad254605759e5e7840e3aa4335cd

SHA1
a6bd4fdfdf35d3ab024f787eb30769c1bf136e58

SHA256
5ae396223244674a897f77e92972adc99affe9ec3ee36951e1a91f9df6820ffb

SHA512
1ea1ca111f671cbda9340c4af2fa5f295fc03086f218acd0a81d26d6fadd3716c7a002e26812f63b02600306b910292c961369136f78bc12fc21d5837668918e

Download Submit
C:\Users\Admin\Desktop\ResumeImport.MOD.2AD-0BF-9E9
Filesize
339KB

MD5
253dc108b5ed50424ba9d403c954518a

SHA1
5873f409233ceff1facfa6dae230f57c1dab547d

SHA256
b255af7219e88d402baf16533d9100d11981077f8ee0f854b426854cd7a74a9b

SHA512
2e19bcda0ff2a6616d0f54a7ac2f8f6d145bca5d090f23139c41a6bc427955fa8bc483d4aa120e07b7438d06a2e5b222680a3e1490600eaed12fe609befac6db

Download Submit
C:\Users\Admin\Desktop\RevokeEnable.xml.2AD-0BF-9E9
Filesize
759KB

MD5
689214e388ad2063da6b7df6b1378e40

SHA1
a2cfa75435c61b05278571c40911d5431d85c22c

SHA256
5e8bc0ffd79adb9167628df3821c9a50bccf271613558e44ee771e66e43b3dfa

SHA512
28db157b2c546d460c6ca9b707381a1cb2046cdddee05d7ed603cbb88dd57fbac63e6c7468ddca706bec8275f106fb641f23f0da9fcc436df7aa5bd168996108

Download Submit
C:\Users\Admin\Desktop\SendStep.wmf.2AD-0BF-9E9
Filesize
631KB

MD5
5ddc15c5c60b2acfa3980d3ef182191e

SHA1
02158d938c6148eb479166b1a3933a105f1c2092

SHA256
0230b2f8e2f786b8d65acb8701ca64a5defc03742a306378a6a170489d7e80d8

SHA512
baecb0348cd5b09308d5fa7af61f7c1764ae931b46c5b2c9ed1d4030b063250ef7c8d47f3bd5c06f60dc7a4c878f29164aa59f0f411dc2f7a58af212123b3341

Download Submit
C:\Users\Admin\Desktop\SetDeny.mp2.2AD-0BF-9E9
Filesize
266KB

MD5
68f1242582e9506e94c0ae1f40079286

SHA1
183f25216c8e9ca5d1404a6d687147495ea2db67

SHA256
550f955e40b96612614cbbf7990b28bd4b51932899c8fdf24308ab057fa00f96

SHA512
675d57eeda0627a65e6f0f011afa2174871131a85d71d6760821796c9976cdc9eea0fc82f20b9cd50edcc356f20457a93a50eb9bd8f48744b38b0549050b51c7

Download Submit
C:\Users\Admin\Desktop\TestUnpublish.htm.2AD-0BF-9E9
Filesize
595KB

MD5
9930c305c46a195ac79b189e729a855f

SHA1
f208cb485a5ec4f06dced2ef1ebdaae6f1169536

SHA256
678dc3eb94ad2b51a452d187f2b06731ac4e93f537e14fa2df70861621b10e64

SHA512
936e1960fb342c5eee1b6e3e78943c6de67a3174cdc5c057aecd55acf2d5f502740edd75cf0951d158ea93bdd3950d33ba2e868249d5e77d69fdffc0b61591d1

Download Submit
C:\Users\Admin\Desktop\TraceBackup.midi.2AD-0BF-9E9
Filesize
376KB

MD5
e4f748efc25b7274e5835f28dcf81732

SHA1
47a82db488cd7d975fa8455e29b979e1648a137c

SHA256
0419df58d3298533cce4c7a2a4e8a1342ffd7112e706918abac3f92523deedd7

SHA512
1e7883cec8f0b351fc4a05d225e405bec6d8cfdec72e08d32ed7d31e3c225f409fd100b7caf8c23211e8676390d06d149d8b5c2b2d22f45c5785b0df41522290

Download Submit
C:\Users\Admin\Desktop\TraceMerge.vstx.2AD-0BF-9E9
Filesize
449KB

MD5
c164b709a2af241c6c171e93a9fbf0dd

SHA1
0e18f6a64a23a3b15535ce5d44ef3e1b18367c83

SHA256
7ab7c532d9a36d0346cddf89b0a1717933c728638a252c289fb5983d8e79e2c6

SHA512
8f943d2fd84cac2d264379a069dc6025c54b36331b946a910650529cbbb5a4f3ff78c930fb4e5accb37ef91ec3896512ac2339d128376713136b71a4ee9ca073

Download Submit
C:\Users\Admin\Desktop\UndoStep.rtf.2AD-0BF-9E9
Filesize
613KB

MD5
64d40073c2b98a69e7ffe997326c9003

SHA1
df01111c035fbc7a27d8d19f65de22b4989582a7

SHA256
467f466692467f44aa32e40d7f8a597b3d133d1c7977533458371c38a180f1d7

SHA512
bf1b4deeb06fb6b80546f0836dc9d1d41683d8758e77087dccf96834a994aaf2e1f0333d3e6ae0f19dcc17462b3d0439c40d42537cf5ab747a7e44e2903254ca

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
Filesize
211KB

MD5
bab201c1a2c8e0f99e683591945e7e3d

SHA1
90e57172d463dcd6df22d2bf96a6b265a7fdec65

SHA256
88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

SHA512
d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a

Download Submit
memory/1792-10269-0x0000000000AC0000-0x0000000000C00000-memory.dmp

Filesize
1.2MB

Download
memory/1792-30147-0x0000000000AC0000-0x0000000000C00000-memory.dmp

Filesize
1.2MB

Download
memory/1980-30146-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2520-23-0x0000000000AC0000-0x0000000000C00000-memory.dmp

Filesize
1.2MB

Download
memory/2728-28286-0x0000000000AC0000-0x0000000000C00000-memory.dmp

Filesize
1.2MB

Download
memory/2728-16317-0x0000000000AC0000-0x0000000000C00000-memory.dmp

Filesize
1.2MB

Download
memory/2728-30111-0x0000000000AC0000-0x0000000000C00000-memory.dmp

Filesize
1.2MB

Download
memory/2912-18-0x00000000001C0000-0x0000000000300000-memory.dmp

Filesize
1.2MB

Download
memory/3064-11-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3064-16-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads