Extracted

• • Target

    f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin

  • Size

    212KB

  • MD5

    723825ad69a5d55a1e5ed3d1ee831f0d

  • SHA1

    7e082df63c3de0f8bf9d38edf72ba5268078275a

  • SHA256

    f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb

  • SHA512

    dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78

  • SSDEEP

    6144:tia1gMH2EXtAup5Qnqn64DQFu/U3buRKlemZ9DnGAe+hsO6a+8:tIMHxGe5Qb4DQFu/U3buRKlemZ9DnGAb

  Score

  10^/10

  zeppelinpersistenceransomwarebalaclavadefense_evasionexecutionimpact

  • Balaclava Malware

    Balaclava malware is a ransomware program.

    ransomwarebalaclava

  • Detects Zeppelin payload

  • Zeppelin Ransomware

    Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

    ransomwarezeppelin

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (3439) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2