Overview

overview

10

Static

static

10

2024-01-02...in.exe

windows7-x64

10

2024-01-02...in.exe

windows10-1703-x64

10

2024-01-02...in.exe

windows10-2004-x64

10

2024-01-02...in.exe

windows11-21h2-x64

10

Resubmissions

03-01-2024 15:08

240103-shylyshgh6 10

03-01-2024 15:05

240103-sf7rvahgf3 10

03-01-2024 15:03

240103-sfclpsfdcq 10

Analysis

  • max time kernel
    218s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    03-01-2024 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

  • Size

    211KB

  • MD5

    bab201c1a2c8e0f99e683591945e7e3d

  • SHA1

    90e57172d463dcd6df22d2bf96a6b265a7fdec65

  • SHA256

    88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

  • SHA512

    d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a

  • SSDEEP

    6144:jia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+zY+:jIMH06cID84DQFu/U3buRKlemZ9DnGAs

Score
10/10
buranzeppelinpersistenceransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 153-EC4-629 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Buran

    Ransomware-as-a-service based on the VegaLocker family first identified in 2019.

    ransomwareburan
  • Detects Zeppelin payload 13 IoCs
  • Zeppelin Ransomware

    Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    ransomwarezeppelin
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (549) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
          PID:1512
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
          3⤵
            PID:1408
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
            3⤵
              PID:708
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
              3⤵
                PID:2112
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
                3⤵
                  PID:2052
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
                  3⤵
                    PID:1032
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2852
                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                      wmic shadowcopy delete
                      4⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2964
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1832
                    • C:\Windows\SysWOW64\vssadmin.exe
                      vssadmin delete shadows /all /quiet
                      4⤵
                      • Interacts with shadow copies
                      PID:112
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
                    3⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    PID:2180
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 1
                    3⤵
                    • Executes dropped EXE
                    PID:2168
                • C:\Windows\SysWOW64\notepad.exe
                  notepad.exe
                  2⤵
                  • Deletes itself
                  PID:1980
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1736

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
                Filesize

                936B

                MD5

                d00f4afced700a1651f8ca9271add4ba

                SHA1

                d4a856f13e1eb4cc0e2f0dc8632fa85326f4958b

                SHA256

                975633cb5cf3a7fe819c2dd4b036c635ecdf4767e7b7ebd095968ea46d54b1ea

                SHA512

                b5be2b9526052b278682fe52eb01d172c7c763f428b17f4b3deddac593e620f9009865f65b14d9cbc881f6a2855a0ce2f1af893ab7b65e1d7fc0b4f9a28fe53b

                Download Submit

              • C:\vcredist2010_x86.log.html
                Filesize

                83KB

                MD5

                a02adad6b1157d1aa80277e2fe20fc67

                SHA1

                abf4049fc5bb83163f6db193e4dceba988c5f9c9

                SHA256

                35c2dcd257bf93bc10a66f9bb58b5074263d8a3be0c9af915bcb5276f734fecb

                SHA512

                cb2f757894cdf990fa93f4e92490207b87d0bdad9b005d0b0f2f950645969e090fa126fe84a1799196653d6241d1ce302982520ddda1d7a28a642c4515d3012b

                Download Submit

              • \Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
                Filesize

                211KB

                MD5

                bab201c1a2c8e0f99e683591945e7e3d

                SHA1

                90e57172d463dcd6df22d2bf96a6b265a7fdec65

                SHA256

                88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

                SHA512

                d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a

                Download Submit

              • memory/1676-23-0x00000000003E0000-0x0000000000520000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1676-257-0x00000000003E0000-0x0000000000520000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1980-19-0x0000000000120000-0x0000000000121000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1980-16-0x0000000000100000-0x0000000000101000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2104-21-0x0000000000C30000-0x0000000000D70000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2104-2-0x0000000000C30000-0x0000000000D70000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2104-4-0x0000000000C30000-0x0000000000D70000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2168-28-0x00000000003E0000-0x0000000000520000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2180-267-0x00000000003E0000-0x0000000000520000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2180-272-0x00000000003E0000-0x0000000000520000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2180-278-0x00000000003E0000-0x0000000000520000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2180-1892-0x00000000003E0000-0x0000000000520000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2180-1920-0x00000000003E0000-0x0000000000520000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2180-1946-0x00000000003E0000-0x0000000000520000-memory.dmp

                Filesize

                1.2MB

                Download