General

  • Target

    2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin

  • Size

    227KB

  • Sample

    240226-wbglmscf6s

  • MD5

    b2a478d698a2789ce04d8d54158a7d64

  • SHA1

    49cf775b235dd75dde60a70af385fff93a665e9c

  • SHA256

    a2ef8ef7be1ef11158f7d406e96c240178068b9692ec5e5ce19f9239345ee825

  • SHA512

    6b9b62d1f0610fff7cd79fb10e44a50739405043d168ca240a7bde22eea231ed74f20d77a99b2fe1d65f14581463d0fc0ca61e9fc54ca9e9c6b8ab23d7c746eb

  • SSDEEP

    6144:eia1C9bP2XUJmcCvyr/2H64DQFu/U3buRKlemZ9DnGAefIC8+:eq9bP2Rfo/2a4DQFu/U3buRKlemZ9DnY

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\!!! YOUR FILES HAVE BEEN ENCRYPTED !!!.TXT

Ransom Note

All your files, including documents, databases, and other crucial data, have been encrypted. I've uploaded some databases and important files from your computers to the cloud. You have 48 hours to get in touch with us and reach an agreement. If you don't contact us by the end of this period, I'll release your data publicly on the dark web. This could damage your company and your partners. We're the only ones capable of restoring your files. To prove that we have a functional decryption tool, we're offering you the chance to decrypt one file for free. You can reach out to us through an anonymous chat. Just follow the provided instructions.

1. Visit https://tox.chat/download.html
2. Download uTox to your computer and launch it.
3. In the bottom left corner of the uTox client, enter my TOX ID A2C27B982A40B101994C392DB1D738D86544C56E1A80443671EE6F21DF4C49602AAB38420FE3 in the Search/Add Friends field. Then click the "+" button and select Add.
4. Please wait for a while, and I will add you. Once added, we can start communicating.

Your personal ID: 2F6-A2A-068

URLs

https://tox.chat/download.html

Targets

    • Target

      2024-02-26_b2a478d698a2789ce04d8d54158a7d64_zeppelin

    • Size

      227KB

    • MD5

      b2a478d698a2789ce04d8d54158a7d64

    • SHA1

      49cf775b235dd75dde60a70af385fff93a665e9c

    • SHA256

      a2ef8ef7be1ef11158f7d406e96c240178068b9692ec5e5ce19f9239345ee825

    • SHA512

      6b9b62d1f0610fff7cd79fb10e44a50739405043d168ca240a7bde22eea231ed74f20d77a99b2fe1d65f14581463d0fc0ca61e9fc54ca9e9c6b8ab23d7c746eb

    • SSDEEP

      6144:eia1C9bP2XUJmcCvyr/2H64DQFu/U3buRKlemZ9DnGAefIC8+:eq9bP2Rfo/2a4DQFu/U3buRKlemZ9DnY

    • Detects Zeppelin payload

    • Zeppelin Ransomware

      Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detects command variations typically used by ransomware

    • Renames multiple (7439) files with added filename extension

      Mass renames that append a new extension to existing filenames are consistent with ransomware encrypting files across the system.

    • Stops running service(s)

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks