zeppelin | 88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

Resubmissions

03-01-2024 15:08

240103-shylyshgh6 10

03-01-2024 15:05

240103-sf7rvahgf3 10

03-01-2024 15:03

240103-sfclpsfdcq 10

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Size

211KB
MD5

bab201c1a2c8e0f99e683591945e7e3d
SHA1

90e57172d463dcd6df22d2bf96a6b265a7fdec65
SHA256

88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
SHA512

d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a
SSDEEP

6144:jia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+zY+:jIMH06cID84DQFu/U3buRKlemZ9DnGAs

Score

10^/10

zeppelin persistence ransomware

Malware Config

Signatures

Detects Zeppelin payload 3 IoCs

resource	yara_rule
behavioral3/files/0x000500000001e96f-6.dat	family_zeppelin
behavioral3/memory/924-13-0x00000000002D0000-0x0000000000410000-memory.dmp	family_zeppelin
behavioral3/memory/4268-15-0x0000000000EE0000-0x0000000001020000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Deletes itself 1 IoCs

pid	Process
4644	notepad.exe

Executes dropped EXE 1 IoCs

pid	Process
4268	smss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4036	4268	WerFault.exe	91

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Token: SeDebugPrivilege	924	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 4268	924	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	91
PID 924 wrote to memory of 4268	924	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	91
PID 924 wrote to memory of 4268	924	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	91
PID 924 wrote to memory of 4644	924	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	92
PID 924 wrote to memory of 4644	924	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	92
PID 924 wrote to memory of 4644	924	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	92
PID 924 wrote to memory of 4644	924	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	92
PID 924 wrote to memory of 4644	924	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	92
PID 924 wrote to memory of 4644	924	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	92

C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  PID:4268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 652
    3⤵
    - Program crash
    PID:4036
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4268 -ip 4268
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
211KB

MD5
bab201c1a2c8e0f99e683591945e7e3d

SHA1
90e57172d463dcd6df22d2bf96a6b265a7fdec65

SHA256
88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

SHA512
d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a

Download Submit
memory/924-13-0x00000000002D0000-0x0000000000410000-memory.dmp

Filesize
1.2MB

Download
memory/4268-15-0x0000000000EE0000-0x0000000001020000-memory.dmp

Filesize
1.2MB

Download
memory/4644-10-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads