zeppelin | 821945dd5882aad4181fcb2670a26cc322224f9f677e5df26f7e708ced0ab6a3

General

Target

56f16414e71c5263c57a4ce7733c70b5.exe
Size

217KB
MD5

56f16414e71c5263c57a4ce7733c70b5
SHA1

d74ea238db6e0870422f6dcc4fef83964a380d1a
SHA256

821945dd5882aad4181fcb2670a26cc322224f9f677e5df26f7e708ced0ab6a3
SHA512

a492452c26f6c6d36853edcd13db03645442ea82c761940a1c0f96bc0fab7269fbb99c2e83350ecc06143cb142ddcadc6fce2ea32312440fc985b163b60d46ca
SSDEEP

6144:dC61i972KJmciP8yGw44DQFu/U3buRKlemZ9DnGAe6MTgGkT/+:dK972P/kyGv4DQFu/U3buRKlemZ9DnGm

Score

10^/10

zeppelin ransomware

Malware Config

Signatures

Detects Zeppelin payload 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2148-0-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/2148-14-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/2148-22-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/4256-29-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/2148-31-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/4136-33-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/4136-35-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/4136-37-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/4136-39-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/4136-42-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/4136-44-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/4136-46-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/4136-47-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/4136-49-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin
behavioral2/memory/4136-51-0x0000000000BE0000-0x0000000000D22000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

56f16414e71c5263c57a4ce7733c70b5.exe

description	ioc	process
File opened (read-only)	\??\Z:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\X:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\U:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\Q:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\H:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\M:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\J:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\B:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\K:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\V:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\T:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\P:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\O:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\L:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\I:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\G:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\E:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\Y:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\W:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\S:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\R:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\N:	56f16414e71c5263c57a4ce7733c70b5.exe
File opened (read-only)	\??\A:	56f16414e71c5263c57a4ce7733c70b5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 geoiptool.com

flow	ioc
23	geoiptool.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4388	WMIC.exe
Token: SeSecurityPrivilege	4388	WMIC.exe
Token: SeTakeOwnershipPrivilege	4388	WMIC.exe
Token: SeLoadDriverPrivilege	4388	WMIC.exe
Token: SeSystemProfilePrivilege	4388	WMIC.exe
Token: SeSystemtimePrivilege	4388	WMIC.exe
Token: SeProfSingleProcessPrivilege	4388	WMIC.exe
Token: SeIncBasePriorityPrivilege	4388	WMIC.exe
Token: SeCreatePagefilePrivilege	4388	WMIC.exe
Token: SeBackupPrivilege	4388	WMIC.exe
Token: SeRestorePrivilege	4388	WMIC.exe
Token: SeShutdownPrivilege	4388	WMIC.exe
Token: SeDebugPrivilege	4388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4388	WMIC.exe
Token: SeRemoteShutdownPrivilege	4388	WMIC.exe
Token: SeUndockPrivilege	4388	WMIC.exe
Token: SeManageVolumePrivilege	4388	WMIC.exe
Token: 33	4388	WMIC.exe
Token: 34	4388	WMIC.exe
Token: 35	4388	WMIC.exe
Token: 36	4388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4932	WMIC.exe
Token: SeSecurityPrivilege	4932	WMIC.exe
Token: SeTakeOwnershipPrivilege	4932	WMIC.exe
Token: SeLoadDriverPrivilege	4932	WMIC.exe
Token: SeSystemProfilePrivilege	4932	WMIC.exe
Token: SeSystemtimePrivilege	4932	WMIC.exe
Token: SeProfSingleProcessPrivilege	4932	WMIC.exe
Token: SeIncBasePriorityPrivilege	4932	WMIC.exe
Token: SeCreatePagefilePrivilege	4932	WMIC.exe
Token: SeBackupPrivilege	4932	WMIC.exe
Token: SeRestorePrivilege	4932	WMIC.exe
Token: SeShutdownPrivilege	4932	WMIC.exe
Token: SeDebugPrivilege	4932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4932	WMIC.exe
Token: SeRemoteShutdownPrivilege	4932	WMIC.exe
Token: SeUndockPrivilege	4932	WMIC.exe
Token: SeManageVolumePrivilege	4932	WMIC.exe
Token: 33	4932	WMIC.exe
Token: 34	4932	WMIC.exe
Token: 35	4932	WMIC.exe
Token: 36	4932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4388	WMIC.exe
Token: SeSecurityPrivilege	4388	WMIC.exe
Token: SeTakeOwnershipPrivilege	4388	WMIC.exe
Token: SeLoadDriverPrivilege	4388	WMIC.exe
Token: SeSystemProfilePrivilege	4388	WMIC.exe
Token: SeSystemtimePrivilege	4388	WMIC.exe
Token: SeProfSingleProcessPrivilege	4388	WMIC.exe
Token: SeIncBasePriorityPrivilege	4388	WMIC.exe
Token: SeCreatePagefilePrivilege	4388	WMIC.exe
Token: SeBackupPrivilege	4388	WMIC.exe
Token: SeRestorePrivilege	4388	WMIC.exe
Token: SeShutdownPrivilege	4388	WMIC.exe
Token: SeDebugPrivilege	4388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4388	WMIC.exe
Token: SeRemoteShutdownPrivilege	4388	WMIC.exe
Token: SeUndockPrivilege	4388	WMIC.exe
Token: SeManageVolumePrivilege	4388	WMIC.exe
Token: 33	4388	WMIC.exe
Token: 34	4388	WMIC.exe
Token: 35	4388	WMIC.exe
Token: 36	4388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4932	WMIC.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

56f16414e71c5263c57a4ce7733c70b5.execmd.execmd.exe

description	pid	process	target process
PID 2148 wrote to memory of 3336	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 3336	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 3336	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 4452	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 4452	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 4452	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 4536	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 4536	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 4536	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 4400	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 4400	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 4400	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 3464	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 3464	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 3464	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 3696	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 3696	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 3696	2148	56f16414e71c5263c57a4ce7733c70b5.exe	cmd.exe
PID 2148 wrote to memory of 4136	2148	56f16414e71c5263c57a4ce7733c70b5.exe	56f16414e71c5263c57a4ce7733c70b5.exe
PID 2148 wrote to memory of 4136	2148	56f16414e71c5263c57a4ce7733c70b5.exe	56f16414e71c5263c57a4ce7733c70b5.exe
PID 2148 wrote to memory of 4136	2148	56f16414e71c5263c57a4ce7733c70b5.exe	56f16414e71c5263c57a4ce7733c70b5.exe
PID 2148 wrote to memory of 4256	2148	56f16414e71c5263c57a4ce7733c70b5.exe	56f16414e71c5263c57a4ce7733c70b5.exe
PID 2148 wrote to memory of 4256	2148	56f16414e71c5263c57a4ce7733c70b5.exe	56f16414e71c5263c57a4ce7733c70b5.exe
PID 2148 wrote to memory of 4256	2148	56f16414e71c5263c57a4ce7733c70b5.exe	56f16414e71c5263c57a4ce7733c70b5.exe
PID 3336 wrote to memory of 4932	3336	cmd.exe	WMIC.exe
PID 3336 wrote to memory of 4932	3336	cmd.exe	WMIC.exe
PID 3336 wrote to memory of 4932	3336	cmd.exe	WMIC.exe
PID 3696 wrote to memory of 4388	3696	cmd.exe	WMIC.exe
PID 3696 wrote to memory of 4388	3696	cmd.exe	WMIC.exe
PID 3696 wrote to memory of 4388	3696	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5.exe
"C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:4452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:4536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:4400
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  PID:3464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5.exe
  "C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5.exe" -agent 0
  2⤵
  PID:4136
- C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5.exe
  "C:\Users\Admin\AppData\Local\Temp\56f16414e71c5263c57a4ce7733c70b5.exe" -agent 1
  2⤵
  PID:4256

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
memory/2148-31-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/2148-14-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/2148-22-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/2148-0-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/4136-37-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/4136-33-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/4136-35-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/4136-39-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/4136-42-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/4136-44-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/4136-46-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/4136-47-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/4136-49-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/4136-51-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download
memory/4256-29-0x0000000000BE0000-0x0000000000D22000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads