Analysis

max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 19-07-2024 15:23
Static task
static1

Behavioral tasks (task: sample, resource)
behavioral1: Zeppy Loader.zip, win7-20240704-en
behavioral2: Zeppy Loader.zip, win10v2004-20240709-en
behavioral3: Zeppy Loader/DiscordRPC.dll, win7-20240705-en
behavioral4: Zeppy Loader/DiscordRPC.dll, win10v2004-20240709-en
behavioral5: Zeppy Loader/DotNetZip.dll, win7-20240704-en
behavioral6: Zeppy Loader/DotNetZip.dll, win10v2004-20240709-en
behavioral7: Zeppy Loader/Newtonsoft.Json.dll, win7-20240704-en
behavioral8: Zeppy Loader/Newtonsoft.Json.dll, win10v2004-20240709-en
behavioral9: Zeppy Loader/Resources/SpooferV2.zip, win7-20240704-en
behavioral10: Zeppy Loader/Resources/SpooferV2.zip, win10v2004-20240709-en
behavioral11: Zeppy Loader/Resources/lethalcompany.zip, win7-20240705-en
behavioral12: Zeppy Loader/Resources/lethalcompany.zip, win10v2004-20240709-en
behavioral13: Zeppy Loader/Resources/pixelworld.zip, win7-20240704-en
behavioral14: Zeppy Loader/Resources/pixelworld.zip, win10v2004-20240704-en
behavioral15: Zeppy Loader/SharpCompress.dll, win7-20240704-en
behavioral16: Zeppy Loader/SharpCompress.dll, win10v2004-20240709-en
behavioral17: Zeppy Loader/Zeppelins Loader.deps.json, win7-20240708-en
behavioral18: Zeppy Loader/Zeppelins Loader.deps.json, win10v2004-20240709-en
behavioral19: Zeppy Loader/Zeppelins Loader.exe, win7-20240708-en
behavioral20: Zeppy Loader/Zeppelins Loader.exe, win10v2004-20240709-en
behavioral21: Zeppy Loader/Zeppelins Loader.exe, win7-20240704-en
behavioral22: Zeppy Loader/Zeppelins Loader.exe, win10v2004-20240709-en
behavioral23: Zeppy Loader/Zeppelins Loader.pdb, win7-20240705-en
behavioral24: Zeppy Loader/Zeppelins Loader.pdb, win10v2004-20240709-en
behavioral25: Zeppy Loader/Zeppelins Loader.runtimeconfig.json, win7-20240705-en
behavioral26: Zeppy Loader/Zeppelins Loader.runtimeconfig.json, win10v2004-20240709-en
behavioral27: Zeppy Loader/ZstdSharp.dll, win7-20240708-en
behavioral28: Zeppy Loader/ZstdSharp.dll, win10v2004-20240709-en
General

Target: Zeppy Loader/Zeppelins Loader.deps.json
Size: 7KB
MD5: 589fe2a1e6f9489608e51e48de8dd96b
SHA1: 63217924d89f6d4fa3c3b572718873272b0b8d7b
SHA256: 1fdfe06443d2b486454b96348dc32ff7b1bb0a7ee353db511e331cd21dcdcf22
SHA512: e26cecf08a290068aec8dcea0f4042fb6575d5d78fac0ace6e04e8abdf124b05907d47171fbf13f7bbd3296906bd4b5c88979cc71cb721207840d8e9d101a4c6
SSDEEP: 96:1B/CSJ8ch73fvZdBpLl+ugoWfKO94IZl9yXQ3g2VdJozKfd7LZmA++thSwFQXVDe:1BKchd5l+u/W99n7Zmr+LSwQyADLp2
Malware Config

Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  Process rundll32.exe (description: ioc):
    Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\json_auto_file\
    Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.json
    Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\json_auto_file\shell
    Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\json_auto_file\shell\Read\command
    Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
    Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings
    Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\json_auto_file
    Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.json\ = "json_auto_file"
    Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\json_auto_file\shell\Read

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process: PID 2824 AcroRd32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: PID 2824 AcroRd32.exe
  Process: PID 2824 AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
    PID 2848 wrote to memory of 2708: cmd.exe -> rundll32.exe
    PID 2848 wrote to memory of 2708: cmd.exe -> rundll32.exe
    PID 2848 wrote to memory of 2708: cmd.exe -> rundll32.exe
    PID 2708 wrote to memory of 2824: rundll32.exe -> AcroRd32.exe
    PID 2708 wrote to memory of 2824: rundll32.exe -> AcroRd32.exe
    PID 2708 wrote to memory of 2824: rundll32.exe -> AcroRd32.exe
    PID 2708 wrote to memory of 2824: rundll32.exe -> AcroRd32.exe
Processes

- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.deps.json"
  PID: 2848
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.deps.json
    PID: 2708
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.deps.json"
      PID: 2824
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3KB
  MD5: a9d7a612494c9d2c60f14f63ce94b114
  SHA1: 3392b69f11a53670939dab7356130ccb0e385736
  SHA256: e32e04b0c128c628981ccaac2eccfa6a3f0edc2a984e7517ceb44868aa538a7b
  SHA512: 027a5d1b849c21009f724792c3cb5e3ab7e9f775f935e29434e5fe9546085d0eed83bf742b11f39864afbedd0d4add4b3194a9c4433ffa261af6bbcea0f8c75f