zeppelin | 88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

Resubmissions

03-01-2024 15:08

240103-shylyshgh6 10

03-01-2024 15:05

240103-sf7rvahgf3 10

03-01-2024 15:03

240103-sfclpsfdcq 10

Analysis

max time kernel
1s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Size

211KB
MD5

bab201c1a2c8e0f99e683591945e7e3d
SHA1

90e57172d463dcd6df22d2bf96a6b265a7fdec65
SHA256

88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
SHA512

d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a
SSDEEP

6144:jia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+zY+:jIMH06cID84DQFu/U3buRKlemZ9DnGAs

Score

10^/10

zeppelin persistence ransomware

Malware Config

Signatures

Detects Zeppelin payload 9 IoCs

resource	yara_rule
behavioral2/files/0x000700000001e5df-6.dat	family_zeppelin
behavioral2/memory/556-13-0x0000000000FC0000-0x0000000001100000-memory.dmp	family_zeppelin
behavioral2/memory/3664-15-0x0000000000F30000-0x0000000001070000-memory.dmp	family_zeppelin
behavioral2/memory/4644-18-0x0000000000F30000-0x0000000001070000-memory.dmp	family_zeppelin
behavioral2/memory/3664-5741-0x0000000000F30000-0x0000000001070000-memory.dmp	family_zeppelin
behavioral2/memory/2616-9981-0x0000000000F30000-0x0000000001070000-memory.dmp	family_zeppelin
behavioral2/memory/2616-15647-0x0000000000F30000-0x0000000001070000-memory.dmp	family_zeppelin
behavioral2/memory/3664-26019-0x0000000000F30000-0x0000000001070000-memory.dmp	family_zeppelin
behavioral2/memory/2616-25991-0x0000000000F30000-0x0000000001070000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe"
1⤵
- Adds Run key to start application
PID:556
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:3096
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
  2⤵
  PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:4484
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    PID:1356
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 1
    3⤵
    PID:4644
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL

Filesize
265KB

MD5
81c4f6a1bea9bf135608fa82b4aa8e7b

SHA1
ae3be1dd71190c6638728c90b159494122935403

SHA256
8b4c52e4deb4c1b89c225f0c565dedcb73b9fc58ab1642f2c7ea440c8d0b119e

SHA512
b8b0c79ab50416e3db1ac9d5d7bc6ec3d85e9acc8d473c8e6f011744de8ee0d4b9e17656e52673c4187beaf1bc88a03ffca22f0b5d8403c077e1e6d2cc77e449

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
211KB

MD5
bab201c1a2c8e0f99e683591945e7e3d

SHA1
90e57172d463dcd6df22d2bf96a6b265a7fdec65

SHA256
88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

SHA512
d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a

Download Submit
memory/224-26018-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/556-13-0x0000000000FC0000-0x0000000001100000-memory.dmp

Filesize
1.2MB

Download
memory/2616-9981-0x0000000000F30000-0x0000000001070000-memory.dmp

Filesize
1.2MB

Download
memory/2616-15647-0x0000000000F30000-0x0000000001070000-memory.dmp

Filesize
1.2MB

Download
memory/2616-25991-0x0000000000F30000-0x0000000001070000-memory.dmp

Filesize
1.2MB

Download
memory/3096-10-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/3664-15-0x0000000000F30000-0x0000000001070000-memory.dmp

Filesize
1.2MB

Download
memory/3664-5741-0x0000000000F30000-0x0000000001070000-memory.dmp

Filesize
1.2MB

Download
memory/3664-26019-0x0000000000F30000-0x0000000001070000-memory.dmp

Filesize
1.2MB

Download
memory/4644-18-0x0000000000F30000-0x0000000001070000-memory.dmp

Filesize
1.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads