buran | 88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

Resubmissions

03-01-2024 15:08

240103-shylyshgh6 10

03-01-2024 15:05

240103-sf7rvahgf3 10

03-01-2024 15:03

240103-sfclpsfdcq 10

Analysis

max time kernel
36s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2024 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Size

211KB
MD5

bab201c1a2c8e0f99e683591945e7e3d
SHA1

90e57172d463dcd6df22d2bf96a6b265a7fdec65
SHA256

88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4
SHA512

d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a
SSDEEP

6144:jia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+zY+:jIMH06cID84DQFu/U3buRKlemZ9DnGAs

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: receivertes@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: receivertes@cock.li Reserved email: receivertes@tutanota.com Your personal ID: 21D-F05-AD0 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

receivertes@cock.li

receivertes@tutanota.com

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe	family_zeppelin
behavioral3/memory/2800-13-0x00000000000D0000-0x0000000000210000-memory.dmp	family_zeppelin
behavioral3/memory/1744-15-0x0000000000710000-0x0000000000850000-memory.dmp	family_zeppelin
behavioral3/memory/2416-18-0x0000000000710000-0x0000000000850000-memory.dmp	family_zeppelin
behavioral3/memory/1744-4597-0x0000000000710000-0x0000000000850000-memory.dmp	family_zeppelin
behavioral3/memory/2072-8294-0x0000000000710000-0x0000000000850000-memory.dmp	family_zeppelin
behavioral3/memory/2072-14103-0x0000000000710000-0x0000000000850000-memory.dmp	family_zeppelin
behavioral3/memory/2072-24845-0x0000000000710000-0x0000000000850000-memory.dmp	family_zeppelin
behavioral3/memory/2072-26016-0x0000000000710000-0x0000000000850000-memory.dmp	family_zeppelin
behavioral3/memory/1744-26041-0x0000000000710000-0x0000000000850000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (3421) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1680 notepad.exe
Executes dropped EXE 3 IoCs

Processes:

csrss.execsrss.execsrss.exe

pid process

1744 csrss.exe
2072 csrss.exe
2416 csrss.exe

pid	process
1680	notepad.exe

pid	process
1744	csrss.exe
2072	csrss.exe
2416	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	process
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe

Drops file in Program Files directory 64 IoCs

Processes:

csrss.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.LEX.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\LoanAmortization.xltx	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as80.xsl.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-400.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excel.exe.manifest	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.ELM.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIF	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-72.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-unplated.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\BOLDSTRI.ELM	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\THMBNAIL.PNG.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\167.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-400_contrast-white.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PowerPointInterProviderRanker.bin.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\IRIS.ELM	csrss.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-pl.xrm-ms.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png.21D-F05-AD0	csrss.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-125_contrast-black.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-125.png	csrss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AirSpace.Etw.man	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-125.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-100.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\THMBNAIL.PNG	csrss.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png.21D-F05-AD0	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosLargeTile.scale-125.png	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.execsrss.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2800	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Token: SeDebugPrivilege	2800	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
Token: SeDebugPrivilege	1744	csrss.exe
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe
Token: SeSecurityPrivilege	2028	WMIC.exe
Token: SeTakeOwnershipPrivilege	2028	WMIC.exe
Token: SeLoadDriverPrivilege	2028	WMIC.exe
Token: SeSystemProfilePrivilege	2028	WMIC.exe
Token: SeSystemtimePrivilege	2028	WMIC.exe
Token: SeProfSingleProcessPrivilege	2028	WMIC.exe
Token: SeIncBasePriorityPrivilege	2028	WMIC.exe
Token: SeCreatePagefilePrivilege	2028	WMIC.exe
Token: SeBackupPrivilege	2028	WMIC.exe
Token: SeRestorePrivilege	2028	WMIC.exe
Token: SeShutdownPrivilege	2028	WMIC.exe
Token: SeDebugPrivilege	2028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2028	WMIC.exe
Token: SeRemoteShutdownPrivilege	2028	WMIC.exe
Token: SeUndockPrivilege	2028	WMIC.exe
Token: SeManageVolumePrivilege	2028	WMIC.exe
Token: 33	2028	WMIC.exe
Token: 34	2028	WMIC.exe
Token: 35	2028	WMIC.exe
Token: 36	2028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe
Token: SeSecurityPrivilege	2028	WMIC.exe
Token: SeTakeOwnershipPrivilege	2028	WMIC.exe
Token: SeLoadDriverPrivilege	2028	WMIC.exe
Token: SeSystemProfilePrivilege	2028	WMIC.exe
Token: SeSystemtimePrivilege	2028	WMIC.exe
Token: SeProfSingleProcessPrivilege	2028	WMIC.exe
Token: SeIncBasePriorityPrivilege	2028	WMIC.exe
Token: SeCreatePagefilePrivilege	2028	WMIC.exe
Token: SeBackupPrivilege	2028	WMIC.exe
Token: SeRestorePrivilege	2028	WMIC.exe
Token: SeShutdownPrivilege	2028	WMIC.exe
Token: SeDebugPrivilege	2028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2028	WMIC.exe
Token: SeRemoteShutdownPrivilege	2028	WMIC.exe
Token: SeUndockPrivilege	2028	WMIC.exe
Token: SeManageVolumePrivilege	2028	WMIC.exe
Token: 33	2028	WMIC.exe
Token: 34	2028	WMIC.exe
Token: 35	2028	WMIC.exe
Token: 36	2028	WMIC.exe
Token: SeBackupPrivilege	1736	vssvc.exe
Token: SeRestorePrivilege	1736	vssvc.exe
Token: SeAuditPrivilege	1736	vssvc.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.execsrss.execmd.exe

description	pid	process	target process
PID 2800 wrote to memory of 1744	2800	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	csrss.exe
PID 2800 wrote to memory of 1744	2800	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	csrss.exe
PID 2800 wrote to memory of 1744	2800	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	csrss.exe
PID 2800 wrote to memory of 1680	2800	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe
PID 2800 wrote to memory of 1680	2800	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe
PID 2800 wrote to memory of 1680	2800	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe
PID 2800 wrote to memory of 1680	2800	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe
PID 2800 wrote to memory of 1680	2800	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe
PID 2800 wrote to memory of 1680	2800	2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe	notepad.exe
PID 1744 wrote to memory of 3516	1744	csrss.exe	DllHost.exe
PID 1744 wrote to memory of 3516	1744	csrss.exe	DllHost.exe
PID 1744 wrote to memory of 3516	1744	csrss.exe	DllHost.exe
PID 1744 wrote to memory of 2448	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 2448	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 2448	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 4848	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 4848	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 4848	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 1700	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 1700	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 1700	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 1372	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 1372	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 1372	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 4512	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 4512	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 4512	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 5036	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 5036	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 5036	1744	csrss.exe	cmd.exe
PID 5036 wrote to memory of 2028	5036	cmd.exe	WMIC.exe
PID 5036 wrote to memory of 2028	5036	cmd.exe	WMIC.exe
PID 5036 wrote to memory of 2028	5036	cmd.exe	WMIC.exe
PID 1744 wrote to memory of 2000	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 2000	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 2000	1744	csrss.exe	cmd.exe
PID 1744 wrote to memory of 2072	1744	csrss.exe	csrss.exe
PID 1744 wrote to memory of 2072	1744	csrss.exe	csrss.exe
PID 1744 wrote to memory of 2072	1744	csrss.exe	csrss.exe
PID 1744 wrote to memory of 2416	1744	csrss.exe	csrss.exe
PID 1744 wrote to memory of 2416	1744	csrss.exe	csrss.exe
PID 1744 wrote to memory of 2416	1744	csrss.exe	csrss.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-02_bab201c1a2c8e0f99e683591945e7e3d_zeppelin.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
3⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
3⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
3⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:4848

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 1
3⤵
- Executes dropped EXE
PID:2416

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:3516

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:896

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1680

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js
Filesize
17KB

MD5
9baa224ff61420aa686d29426f346448

SHA1
d40c4cf025dc45163f9301d40b57b8b6dc3995fc

SHA256
09c11094cbdfdf75b6550028d956ea030895b10a8fe052ca586dcc739179cdb0

SHA512
0c9f78906e3d7e503aeba1ac67bb1d752a93f7a7792a01961e132bd989ee7cee4b6a3924676bb73dbd98c56875367e18b78b827cffc03d5d0d48f6b60d83de01

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js
Filesize
18KB

MD5
0c36a61390c5bab928022910725b483e

SHA1
8a8148801ef6a2be8e7fa928f39b273218731a69

SHA256
504f388f8e0f0a276d58ea97ca4ea75d18d956ce02c97e2f0cf9f1a76766f61b

SHA512
c29ddfe4ef0d4fd0a4d1f58532df10541e669aac08a8c3f81fdf7ca6919ab67905475f33206d805207cef60a6bbb9211f70dca16d319938fe822653208ca2699

Download Submit
C:\Program Files\7-Zip\Lang\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Filesize
936B

MD5
70d0d93929b30580caf6dbfa40013609

SHA1
6e504617a6eda649ac53eb775eb9d151be4c6232

SHA256
f144368af6ef7a18fbb5453cb555dd511885d764e68b4e8504274c2cfa2f1b78

SHA512
882413338da7e2dd22339fc9d55ffbead271240c01650fe39a067ad707b4d4947c9e7d49a6ff0b296997f970678d0b99e661998975cb1486dfac40dd74de7b3e

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
Filesize
381KB

MD5
bb06c9944ca4fb561f122533487e0bbe

SHA1
c3fc4b6afa7d7bb07e6127f3df904b860df423ce

SHA256
99fd8f8bfd6b53b8bb4a6e18b5c3d623cff3079810544027e39540f9db2088bf

SHA512
95bb20b3e20cb9575f6354b2ea09d13328fd0d4b9d35c55508c0f9c4cc1313c98957a71f507e4cd19ae243b309dee522680386eba9ad2b3593015b9767037636

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL
Filesize
98KB

MD5
cd12790a005982b59235928343ab3d30

SHA1
2c6b8b1ffd4675c883fcf146f7cfd8665897fc17

SHA256
b61a4918adbb1b59a15e37b7927919ead237e02319af6aa18b0af7a2c56f92f8

SHA512
a966c73720adf1bc82e3dbbb80decb438cea9fbce59a270450edc2b1cb9e01267b72800cd6f370f06ba28049a26e67f508b9d369abd6c45c5678aa638ed7607a

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi
Filesize
384KB

MD5
d3bb3d3bd6c695e2af257a998ea0d06c

SHA1
832d51ebf77a158242a177bbda4a226c071c14e6

SHA256
13c1ab40c2ae657951ea371b6f54b16b2b6af98e29b2e746ec3d5908e59fa350

SHA512
faa1892494fffd4a183ae78fb045b9a789d0c6140a350321671debf9da77682daddbddf58f67255d56c298d036238e968e7fb38536ebe9cfa65a76ae35a63753

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe
Filesize
381KB

MD5
3c75d1b8b777ef234b89f1dfd2f8f3ae

SHA1
d60c9d2817e7617b823089762b88bd3b9eae95e3

SHA256
8c61bebf52dd96a0f09fa81916f845d2ea95449373e59c7d8ee898bfab2fb00e

SHA512
a5d9ae5e73615bb4ceb12c37614d87d975655379be98de455af0dfde297f0c797de8d9c3ae36ea75616dd0cf6585cfaecc90677892bd4ab21b52843972afba26

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo
Filesize
92KB

MD5
0c7186cefd50bd9f10797dd6f2f1e393

SHA1
8833d099f43411a7b376d9d77db4ba16db91589c

SHA256
38f7803cd92fdc89610b577e75a15f2fa28a04e9d26b43ece7b714020d7ed968

SHA512
9636c7166864648c1036f115479cd96222367d4d0901cf39b98b7b97963c0ab1e0661ffa96b5270a93e55de0687c1b7cd62b1404537ec71168cea1f018f39627

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
Filesize
211KB

MD5
bab201c1a2c8e0f99e683591945e7e3d

SHA1
90e57172d463dcd6df22d2bf96a6b265a7fdec65

SHA256
88b121f3b3e95e36a642cfdcb0c80f47e4b286e4dbf79b26c923909f4a4f11a4

SHA512
d65bc6b40aa4843cf6a9889bcf47b42c8f5b5548c377bd57a32cb7e2cbe2851e5904c3e1631ec87005243b8e33ec371f599f60964e5c94c856943a1846cccc2a

Download Submit
C:\Users\Admin\Desktop\ApproveOpen.sql.21D-F05-AD0
Filesize
489KB

MD5
9520ac51cc671b2743109424ad2a8133

SHA1
9bb6316192d8909439b7ef44abc5beccb63b6111

SHA256
aabfa674ecd5c29aa101413c6b958796ca3469c5d08e01a5816d3486e030ff3d

SHA512
26b56556fe333d9d2bab3d5b296382fcda8c75fdf7d2a3f4afdc1d517c54551c7d983c8b3dbbb65b6fdb04f9c53aa89510b72987685577ecae0652662bc52ea7

Download Submit
C:\Users\Admin\Desktop\AssertReset.pptm.21D-F05-AD0
Filesize
662KB

MD5
46f8df1a989ca2b1a54c1da04645d1de

SHA1
f4ede62d90916a479193e46f674ff53968af16d7

SHA256
a856aaf4270f54aede3025eacd388c2dc2894f5c3247208a3fba075f64374dc1

SHA512
6c95cfc3493d06609bbf87dbd4a230b630778384708259a7e1424de3aaa63cc791ccef7640cb166ab813d8a79b366bf8195c36649a1821feda54aada0e782b8f

Download Submit
C:\Users\Admin\Desktop\BlockConfirm.asp.21D-F05-AD0
Filesize
382KB

MD5
5302124ee0866fa6636d0f7dd64fa8d9

SHA1
8edd80a3e25db5798b841a18a591cacf19fffd8e

SHA256
d6b077e0e05d30b3c949de355683bc2d0b722301ffbb05acaa80d7bb9e9dee9d

SHA512
0dd8774156c5adf27d80e39e95fec1b4eb74feb26cbf395c6ccdc023cf098126a9834307dcc56ce272f55186f52885e8a886054295ce92dfc76742b8c5899356

Download Submit
C:\Users\Admin\Desktop\ClearRestore.mpg.21D-F05-AD0
Filesize
377KB

MD5
62be0b69497f16309e85744c48475a22

SHA1
e3e5d3d21abf6166aa5aa76eef6876c3f24daaf5

SHA256
14dba3033a35f90fee1900608dd6c772eec07b463c92c259c6d750824f28a511

SHA512
49aeb29209ef37a3a21b856bf9a5bc356c68fd09806027229331ce42ec45ac61fa8ae5cb211e00676a0d5583d94bdee5b2dab8cc684108dd16f31684173679fb

Download Submit
C:\Users\Admin\Desktop\CloseInvoke.bin.21D-F05-AD0
Filesize
879KB

MD5
a5662bdff0b7017117dc753bc2c12870

SHA1
09c7d482e95c25f88f06e24fb5217f533847e715

SHA256
b7e4e5516a99dcd67553c0fe3a7983dde028d56c07369d6004877c380244c6ad

SHA512
6b0d1cdd20a82d6223c5b9e718781ba4bdb06c85975d0d9e2982965395cdc99d84db2caa70edaa2017b5c6088ac49325989041799b8c5cc08a6e85c6fa92d621

Download Submit
C:\Users\Admin\Desktop\CompleteConvertTo.asp.21D-F05-AD0
Filesize
711KB

MD5
640467f89a90a49e6f82b813aacfd3b5

SHA1
82c893016e948a7d975e5c703d942b7917406a4a

SHA256
d982eafa9d23c60b18147d32bfe94c3e1d4c5b92c09f1ef096d21f9820792a53

SHA512
75254b1c53bd809cbdf793dca8e1654195b17f55e184b200dd21d0fe98244bb85a89d879dce35a2df485d989e01fab44d591a8317535fe421d138e66f2aeb8af

Download Submit
C:\Users\Admin\Desktop\ConnectSwitch.asp.21D-F05-AD0
Filesize
656KB

MD5
83603a335ff004cb069c6fcfa9761c74

SHA1
13905f176789cec527f8ed4db0db306c3f810b1e

SHA256
c88a05e09993438252337caa5468aafc003bb229993f4405152cd020c787c3c2

SHA512
e81d31f80167bc299de8fffb64a891edfc28c97d6a048ec9e5e884b9f4d27811927277627d6d477786f5d7bea7862e4389ccd30acdd569331b86cc4e01ce1a2e

Download Submit
C:\vcredist2010_x86.log.html
Filesize
83KB

MD5
cf88821c29b9dba8074d90a3e7f97a38

SHA1
db07cef18fdf978c6befd35fd7f8a44af24d01fd

SHA256
37be5b66c264825ec78f89eda60ad79a6c711afb13a188c09384dd7013f36b98

SHA512
d7f5de04c6cab01dc8623c599809830b1f0c322fc2faccf5f0f6ed0287f60c7d9c1977f48ebf74a8d2e6f2ee96f91eba5ac8794bb85f68c80c28fa64af305231

Download Submit
memory/896-26040-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1680-10-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1744-4597-0x0000000000710000-0x0000000000850000-memory.dmp

Filesize
1.2MB

Download
memory/1744-15-0x0000000000710000-0x0000000000850000-memory.dmp

Filesize
1.2MB

Download
memory/1744-26041-0x0000000000710000-0x0000000000850000-memory.dmp

Filesize
1.2MB

Download
memory/2072-24845-0x0000000000710000-0x0000000000850000-memory.dmp

Filesize
1.2MB

Download
memory/2072-14103-0x0000000000710000-0x0000000000850000-memory.dmp

Filesize
1.2MB

Download
memory/2072-8294-0x0000000000710000-0x0000000000850000-memory.dmp

Filesize
1.2MB

Download
memory/2072-26016-0x0000000000710000-0x0000000000850000-memory.dmp

Filesize
1.2MB

Download
memory/2416-18-0x0000000000710000-0x0000000000850000-memory.dmp

Filesize
1.2MB

Download
memory/2800-13-0x00000000000D0000-0x0000000000210000-memory.dmp

Filesize
1.2MB

Download