25dc78e4fa56b07dd2a1150add01629ce44df08004b26e6fbeb5a43758cffe18

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zeppy Loader/Zeppelins Loader.exe
Size

155KB
MD5

747bdd72cc79d2f5edbdec9b599d0624
SHA1

97a1dad685c7a53703103dabdf1428edb57c8ae3
SHA256

39b328e2d063a39cd1af5701217f4ab4c1c57ac3e57970f21c3a6389b97b08c7
SHA512

c93f7d9ef68d169d3ee514f044bff6f06a26dd8903e8d4c4a5312554bedf985cc1c57e8f3ece62b92a502091bd2d00c4478b94c55eb632a4ef40979095fad8a6
SSDEEP

3072:KcNyhtHjhzN2DSJrm7WWy1fb8jO/rZEt94h9oBxRASWgrst/:KcJeZm7mJCt940BxeS7rst

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d95edeefd9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{03461501-45E3-11EF-ACB8-4605CC5911A3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427564551"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000872bc736c7e9d6bbe4a2b1f77d065be99830f6f386ca7d590ef9ac40c6cf5555000000000e80000000020000200000005c42893fbd0aa9bafbcb1faa7cf81a799811362e9872ee2f95bbb08834f4c41e200000008d48135a9be12ea2280df4e752bb78feb45d0f74246fdef3aa79771085c5ef3f40000000991aad4f639e4530211b63e04f59b0da935cd81e041d18f3ed172f1fcaf935e1d3400fab0e53194654dfb1ad9b48403b66f75d95c2246c8f196214cd3b083bc4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000a5257d3520eec0e405fb200835300b407cf421a3bf264c42f0978db170af5e51000000000e800000000200002000000089a1f5a3687267d2d96c69a90108bcf2716f3e21b50d396f98ec616c549a3d4690000000295914ab0ce6b3e224fef9df9a7f900851c1ef4620cb8957ddbf5f2e12ff7c4ceb765acc941556c8bebd9e624bd06064a67a977fcddf96d79bfd9ccf9be573c541e5724eaec604141d2f0ecf00cad982bacb8f8905cae9ed27571e966cae14508369921f691bbd656a5f566f33bac0a24e9f3af73e441e99a2bcbf2bdd8f1b37a0def9dd1e9614679bab1659578087e74000000025bb69f06dcd51e752b39150b638956e2780311170fa93d26ad6024a03d0114ea679561cc8787592ab7fff213a7c3c203732e3708bde52458010f79fd4e76ed3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2812 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2812 iexplore.exe
2812 iexplore.exe
2728 IEXPLORE.EXE
2728 IEXPLORE.EXE
2728 IEXPLORE.EXE
2728 IEXPLORE.EXE

pid	process
2812	iexplore.exe

pid	process
2812	iexplore.exe
2812	iexplore.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Zeppelins Loader.exeiexplore.exe

description	pid	process	target process
PID 2400 wrote to memory of 2812	2400	Zeppelins Loader.exe	iexplore.exe
PID 2400 wrote to memory of 2812	2400	Zeppelins Loader.exe	iexplore.exe
PID 2400 wrote to memory of 2812	2400	Zeppelins Loader.exe	iexplore.exe
PID 2812 wrote to memory of 2728	2812	iexplore.exe	IEXPLORE.EXE
PID 2812 wrote to memory of 2728	2812	iexplore.exe	IEXPLORE.EXE
PID 2812 wrote to memory of 2728	2812	iexplore.exe	IEXPLORE.EXE
PID 2812 wrote to memory of 2728	2812	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=7.0.7&gui=true
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3fb1c99ec7f9ed71d6202eadf81611f8

SHA1
ca65d69036601aded5be186dd1faa30b43f4651f

SHA256
67966bac675245d8f0263028b79750f7784fc04c0f2a5ea4aa56c687f28f4efa

SHA512
13780347361f57019b82907ee5ec6a1e675d6a879bb50280fad462622aaf2a3f86568f8aa296ec2be217af9a9f266e9a58ccc433fa084b57a47ec13258ee8a37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7dcf28937448d31b319a677333466233

SHA1
91078a4b9088869c925e818edc48e6ffa61d8bce

SHA256
9c5c8e0eb5ac0265869871f5837ef548aa9f80c27e19bed516434bc83e522125

SHA512
be5b2e79189e5af200f3899c81714e5c6f22091a71dd5eed5998603c1d40b1cc5790f79ee4fa87fd58b9626146d96cf2a3f63ce049aa34fd18609390ce53634c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6519f11c78a79d27c7f510a3f9be4208

SHA1
4860200e72cdfc6781dbcb078c564e99b0cc21f0

SHA256
6741c3d0b421bd88b64a7f5a4867b567918937c47c9f89bf9c95fc9b20f16ee8

SHA512
84153a3bfeed0a9b5cdf6ddc7ae4cf092357a1a70784a31c58b52d210d5385eaaf87756b9bed3a4d579bc0707354798d7c5d73aa6a2fa7bf6b902f23ca8c20df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8cb650f17ae5719f21cdfb0d2dc8d328

SHA1
a1c22a251e8b6a2f454f4f2ca3990d1b5ef96acd

SHA256
c5526362ed30ab16cd25b69f55ae2febf03bbfe529d89a6f77dea780a6d24a1e

SHA512
41d1c9479a11e478e418991ea240ddc5300b95b8560e6171210d9e9c524e27ab84039ee850d15b35bfea8af781132d1dc6c8a50995a944328a08a36e5553a290

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c5baf8749c0a772781d5b7bbb7ce87d1

SHA1
2fd7fbad3167a939555a25f28887faffc68fe2cb

SHA256
832847da7f160c82355b717c8b74c5bfc4fa4d7a260e400fba0a761e175faf55

SHA512
d189586ddffd69b86d9e99ee2d163fe9bf3a076268de78c559c8f567e12a023051b9abf99960c76f9ed4cfc7b73aa7f78e6db7b1d47e83864a964b12ca3ae01b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a0264d7a6f79eab5ffb67c54a53441ca

SHA1
a3e295b7f71c15fd06002cf435966e0b76ebad00

SHA256
c177facffe3e2f56eeefa665826c179f5db8f69b3cfda2a6fcfb68b71a8d8405

SHA512
fe513dee0a7e6f803df902dd83ae11341a31c1036663721dac6a5fef239970b5d3cc85d474c27cc2fb587ffb4638b0619b682c533d34ee6c6cf28d30457315a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8c042ae4c44b4f4410c0f3e0c78d555d

SHA1
13ee608cacba0d813ff9e1b1e107f6b20b2573fe

SHA256
5febeab1c03b4b600096de6ff43c183a66e976f1b7e0c1fd378866b037f3f049

SHA512
002c3abdf5cf1df2772da5ef6a107652e22438c3465ce36832d47ed8bc6e35b24edf6da6cfece683a341094c21a925e6e36d423d667c88d42af65960ad4108b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
924bfb1d207efcb21fd706124b0890c5

SHA1
df5f9e445361af4caab3ea66927bb3d59bb50ba3

SHA256
5af9f42ab6aa268d920107d5ced7763fe9b20e65928ff7626d6cc307d32cbb30

SHA512
fdb166b70a49098e5056e8fee8f42922ee80c8e7eb784961200f51ccda97ce15aef3bdb373c10afcba4227efa46d3ff6a851a4cff55d04fac9ef040cce148a5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
daf954a04b9c551dadd82c30c1e8c21c

SHA1
44590a47d17aed03ac439d6546b47d797a798e50

SHA256
79970dd373bb3937c536b4612ebce29a369d91754a57644bc630570b11894e83

SHA512
6d110b5607fc37abf2c42553bf44f739c588b0bf030682575f15e11c69f39b6ce05ba3dea7908a2156785c55114c880eea468c8d4bc356815800388f54de1eb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a04ca462c7fd8eefa681789fa0312bd4

SHA1
16ea28c911d346fd48769f7a4593d8479a58d903

SHA256
a03f35ca8d3efffccc58e512ba87b4135636302a1da96118551d29456310c984

SHA512
0f94d71a393e8d1b632b341d72967f36bea80b80d01508bc49a6c98d56feb78c96a687fff3f630ea3434be34dde73f62fc50aa2c377d661974891fce20a6619e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ce2708226d383dbcb6c9320c431a8148

SHA1
ffbf4933491eeb40c6f67a4d0ad2e3c53e929b82

SHA256
9a46ddd54c14a98a53e1c4be2951776ce436147464cc60cab8734647d5870db6

SHA512
cb44775342acec9e7ede144fdee4d24af2f4e719be6cfba2a0d992466396d0bf3d72d17daeb19a46149b29fda44b469b92629dc97361820b1a3a640673a2a192

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dd2d692ec99b09a1557a3b2f255b2513

SHA1
d9e37d089e8c457df24e5c4183f768f8c5412811

SHA256
844964c0b3bbfcf2c0a1a36ef3ba550f1f823ad5178a2f93bd9454a009951005

SHA512
f271339c4e39a0503a3a402ae36b6a7ab59d20da75d87ee15e2e9642c187b00676539b041e71ca748dd64439f8ebf00bafed08db5debe2dd7f68fcea4d96ea6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4c308b8590b35ebaf1c4b42e28698d04

SHA1
8225dd90bf1571d07821f243128378930924888d

SHA256
6b0ce7e855c049e1e7d956b099cd54f380670506890e8d84dab47d9ad8a93630

SHA512
69bf8ff80a131b9fc7f9bff5c25e65a4bc0430665680942cf0598b0dfca4e2859e9fc1a7a5b13d9da811173a2112220358dbc408b9deb61582676da8468e9ec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3a83ff9372e06c0f026762a8d13ca456

SHA1
b82629c9246c86bd2f221182510177291b228bbb

SHA256
84052d5ceeee1bee5e8c11eee5a1654f0c2cc98c23cd9b501e4b030ffea8afad

SHA512
0f7aadb0449aba5e2105c586d6294ad74d141dad82fd5efa1ec51d26aea16c2207f4da1b0cc7886845257d2ac987eb2aad3089d7eaa7f33b6bf03909a5900d54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
459a559b37c5a7c73f358c7c0cdec9c4

SHA1
987f853f64d793dc90c80f732dbcc5287d61cc83

SHA256
7efa407b8410e842e17eb19af10d1fe8d8ba8510f015c6313503a3eed65f1e92

SHA512
b1e9d6c1b6933ac79aec710ad5dd71746a2491d9fe5269888c5980b94fb2ca717f72da121bf552ad35a36ecf0d1a4155f9acdec5cb125a940971cc7f5e7479dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
72bc0bf38c2d0e0838503b627b07ccf7

SHA1
e4eefc4742ec531c9fc10ff6c12a26e9b57f7ac0

SHA256
3439acc300cfdac958c1e4ef61345ff047313081fc62e0e410c1ab7c982e8ea4

SHA512
2daa1311b8f045bc343178a6b2b68e6858d1417008e0db7ba528f313c975b21314fa52fcc1680ae015026987632dfa8549d58c299f54a227044cdf8b94e99dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA554.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB206.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit