25dc78e4fa56b07dd2a1150add01629ce44df08004b26e6fbeb5a43758cffe18

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zeppy Loader/Zeppelins Loader.deps.json
Size

7KB
MD5

589fe2a1e6f9489608e51e48de8dd96b
SHA1

63217924d89f6d4fa3c3b572718873272b0b8d7b
SHA256

1fdfe06443d2b486454b96348dc32ff7b1bb0a7ee353db511e331cd21dcdcf22
SHA512

e26cecf08a290068aec8dcea0f4042fb6575d5d78fac0ace6e04e8abdf124b05907d47171fbf13f7bbd3296906bd4b5c88979cc71cb721207840d8e9d101a4c6
SSDEEP

96:1B/CSJ8ch73fvZdBpLl+ugoWfKO94IZl9yXQ3g2VdJozKfd7LZmA++thSwFQXVDe:1BKchd5l+u/W99n7Zmr+LSwQyADLp2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2824 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2824 AcroRd32.exe
2824 AcroRd32.exe

pid	process
2824	AcroRd32.exe

pid	process
2824	AcroRd32.exe
2824	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2848 wrote to memory of 2708	2848	cmd.exe	rundll32.exe
PID 2848 wrote to memory of 2708	2848	cmd.exe	rundll32.exe
PID 2848 wrote to memory of 2708	2848	cmd.exe	rundll32.exe
PID 2708 wrote to memory of 2824	2708	rundll32.exe	AcroRd32.exe
PID 2708 wrote to memory of 2824	2708	rundll32.exe	AcroRd32.exe
PID 2708 wrote to memory of 2824	2708	rundll32.exe	AcroRd32.exe
PID 2708 wrote to memory of 2824	2708	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.deps.json"
1⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.deps.json
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.deps.json"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a9d7a612494c9d2c60f14f63ce94b114

SHA1
3392b69f11a53670939dab7356130ccb0e385736

SHA256
e32e04b0c128c628981ccaac2eccfa6a3f0edc2a984e7517ceb44868aa538a7b

SHA512
027a5d1b849c21009f724792c3cb5e3ab7e9f775f935e29434e5fe9546085d0eed83bf742b11f39864afbedd0d4add4b3194a9c4433ffa261af6bbcea0f8c75f

Download Submit