Resubmissions
submitted         analysis ID         score
03-01-2024 15:08  240103-shylyshgh6   10
03-01-2024 15:05  240103-sf7rvahgf3   10
03-01-2024 15:03  240103-sfclpsfdcq   10
Analysis
max time kernel: 142s
max time network: 133s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03-01-2024 15:08
Behavioral tasks
task         sample                                                     resource
behavioral1  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  win7-20231215-en
behavioral2  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  win10-20231215-en
behavioral3  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  win10v2004-20231215-en
behavioral4  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  win11-20231215-en
General
Target: 2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Size: 211KB
MD5: bab201c1a2c8e0f99e683591945e7e3d
SHA1: 90e57172d463dcd6df22d2bf96a6b265a7fdec65
SHA256: 88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
SHA512: d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a
SSDEEP: 6144:jia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+zY+:jIMH06cID84DQFu/U3buRKlemZ9DnGAs
Malware Config
Signatures
- Detects Zeppelin payload (3 IoCs)
  resource                                                                     yara_rule
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe                family_zeppelin
  behavioral2/memory/5084-10-0x00000000012D0000-0x0000000001410000-memory.dmp  family_zeppelin
  behavioral2/memory/3996-12-0x0000000001350000-0x0000000001490000-memory.dmp  family_zeppelin
- Zeppelin Ransomware
  Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
- Deletes itself (1 IoC)
  pid   process
  4164  notepad.exe
- Executes dropped EXE (1 IoC)
  pid   process
  3996  services.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1682406436-2801920780-981986064-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"
  process: 2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid   pid_target  process       target process
  1428  3996        WerFault.exe  services.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  5084  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
  Token: SeDebugPrivilege  5084  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   process                                                     target process
  PID 5084 wrote to memory of 3996  5084  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  services.exe
  PID 5084 wrote to memory of 3996  5084  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  services.exe
  PID 5084 wrote to memory of 3996  5084  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  services.exe
  PID 5084 wrote to memory of 4164  5084  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  notepad.exe
  PID 5084 wrote to memory of 4164  5084  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  notepad.exe
  PID 5084 wrote to memory of 4164  5084  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  notepad.exe
  PID 5084 wrote to memory of 4164  5084  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  notepad.exe
  PID 5084 wrote to memory of 4164  5084  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  notepad.exe
  PID 5084 wrote to memory of 4164  5084  2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe  notepad.exe
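The persistence the "Adds Run key to start application" signature records is worth a generic check: the HKCU Run value launches a file named services.exe (the name of a binary that legitimately lives only in System32) from the user-writable AppData\Roaming\Microsoft\Windows directory, and the Downloads section shows that dropped file carries the same hashes as the submitted sample, so it is a byte-identical self-copy. The Python below is an added example, not code from the report or from the sandbox vendor: it scores Run-key values on those two signals. The sample entries, the list of System32 binary names and the user-writable path fragments are constructed assumptions; the first entry is the value the report above records.

```python
r"""Score Windows Run-key values for the persistence pattern seen in the report.

Two signals are checked for each HKCU\...\CurrentVersion\Run value:
  1. the launched image lives in a directory a standard user can write to;
  2. the image borrows the name of a System32 binary (services.exe here)
     but does not actually sit under \Windows\System32.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of (value name, value data) pairs. The first entry is the
# value the sandbox report records; the others are made up for contrast.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("services.exe",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start'),
    ("OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Updater", r"C:\Program Files\Vendor Tool\updater.exe /silent"),
]

# Assumed (non-exhaustive) names of binaries that belong in %SystemRoot%\System32.
SYSTEM_BINARY_NAMES = {
    "services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "smss.exe", "wininit.exe", "dllhost.exe",
}

# Assumed path fragments under which an unprivileged user can create files.
USER_WRITABLE_FRAGMENTS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\",
    "\\programdata\\", "\\temp\\",
)

_EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def image_path(value_data: str) -> str:
    """Extract the executable path from a Run-key command line.

    A quoted path is taken verbatim between the quotes. An unquoted one is cut
    after the first '.exe', which survives spaces in the path (Program Files).
    """
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    match = _EXE_RE.search(data)
    return data[: match.end()] if match else (data.split() or [""])[0]


def _normalize(path: str) -> str:
    """Lower-case the path and expand the two environment variables Run values commonly use."""
    low = path.lower()
    for var in ("%windir%", "%systemroot%"):
        low = low.replace(var, r"c:\windows")
    return low


def assess(value_data: str) -> List[str]:
    """Return the reasons a Run-key value looks like malware persistence (empty if none)."""
    low = _normalize(image_path(value_data))
    basename = low.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if any(frag in low for frag in USER_WRITABLE_FRAGMENTS):
        reasons.append("image under user-writable directory")
    if basename in SYSTEM_BINARY_NAMES and "\\windows\\system32\\" not in low:
        reasons.append(f"system binary name '{basename}' outside System32")
    return reasons


def scan(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious value name to its reasons; values with no reasons are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, data in entries:
        reasons = assess(data)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The report's value trips both signals; the constructed OneDrive entry trips only the user-writable one, which is the expected false positive for per-user installers and is where an Authenticode-signer allowlist would come in next. The two-signal hit (System32 name outside System32, launched from AppData) is the one worth paging on.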
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe"
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
      - Executes dropped EXE
      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 708
         - Program crash
   2. C:\Windows\SysWOW64\notepad.exe
      command line: notepad.exe
      - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
  Filesize: 211KB
  MD5: bab201c1a2c8e0f99e683591945e7e3d
  SHA1: 90e57172d463dcd6df22d2bf96a6b265a7fdec65
  SHA256: 88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
  SHA512: d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a
- memory/3996-12-0x0000000001350000-0x0000000001490000-memory.dmp
  Filesize: 1.2MB
- memory/4164-7-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
  Filesize: 4KB
- memory/5084-10-0x00000000012D0000-0x0000000001410000-memory.dmp
  Filesize: 1.2MB