Overview

Static analysis                                   score 3

Tasks (sample name as shown in the task list, platform, score):

  Zeppy Loader.zip          windows7-x64          3
  Zeppy Loader.zip          windows10-2004-x64    1
  Zeppy Load...PC.dll       windows7-x64          1
  Zeppy Load...PC.dll       windows10-2004-x64    1
  Zeppy Load...ip.dll       windows7-x64          1
  Zeppy Load...ip.dll       windows10-2004-x64    1
  Zeppy Load...on.dll       windows7-x64          1
  Zeppy Load...on.dll       windows10-2004-x64    1
  Zeppy Load...V2.zip       windows7-x64          1
  Zeppy Load...V2.zip       windows10-2004-x64    1
  Zeppy Load...ny.zip       windows7-x64          1
  Zeppy Load...ny.zip       windows10-2004-x64    1
  Zeppy Load...ld.zip       windows7-x64          1
  Zeppy Load...ld.zip       windows10-2004-x64    1
  Zeppy Load...ss.dll       windows7-x64          1
  Zeppy Load...ss.dll       windows10-2004-x64    1
  Zeppy Load...s.json       windows7-x64          3
  Zeppy Load...s.json       windows10-2004-x64    3
  Zeppy Load...er.exe       windows7-x64          1
  Zeppy Load...er.exe       windows10-2004-x64    1
  Zeppy Load...er.exe       windows7-x64          1
  Zeppy Load...er.exe       windows10-2004-x64    1
  Zeppy Load...er.pdb       windows7-x64          3
  Zeppy Load...er.pdb       windows10-2004-x64    3
  Zeppy Load...g.json       windows7-x64          3
  Zeppy Load...g.json       windows10-2004-x64    3
  Zeppy Load...rp.dll       windows7-x64          1
  Zeppy Load...rp.dll       windows10-2004-x64    1

Analysis
max time kernel:  102s
max time network: 18s
platform:         windows7_x64
resource:         win7-20240705-en
resource tags:    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted:        19-07-2024 15:23
Static task
  static1

Behavioral tasks (task, sample, resource):

  behavioral1    Zeppy Loader.zip                                   win7-20240704-en
  behavioral2    Zeppy Loader.zip                                   win10v2004-20240709-en
  behavioral3    Zeppy Loader/DiscordRPC.dll                        win7-20240705-en
  behavioral4    Zeppy Loader/DiscordRPC.dll                        win10v2004-20240709-en
  behavioral5    Zeppy Loader/DotNetZip.dll                         win7-20240704-en
  behavioral6    Zeppy Loader/DotNetZip.dll                         win10v2004-20240709-en
  behavioral7    Zeppy Loader/Newtonsoft.Json.dll                   win7-20240704-en
  behavioral8    Zeppy Loader/Newtonsoft.Json.dll                   win10v2004-20240709-en
  behavioral9    Zeppy Loader/Resources/SpooferV2.zip               win7-20240704-en
  behavioral10   Zeppy Loader/Resources/SpooferV2.zip               win10v2004-20240709-en
  behavioral11   Zeppy Loader/Resources/lethalcompany.zip           win7-20240705-en
  behavioral12   Zeppy Loader/Resources/lethalcompany.zip           win10v2004-20240709-en
  behavioral13   Zeppy Loader/Resources/pixelworld.zip              win7-20240704-en
  behavioral14   Zeppy Loader/Resources/pixelworld.zip              win10v2004-20240704-en
  behavioral15   Zeppy Loader/SharpCompress.dll                     win7-20240704-en
  behavioral16   Zeppy Loader/SharpCompress.dll                     win10v2004-20240709-en
  behavioral17   Zeppy Loader/Zeppelins Loader.deps.json            win7-20240708-en
  behavioral18   Zeppy Loader/Zeppelins Loader.deps.json            win10v2004-20240709-en
  behavioral19   Zeppy Loader/Zeppelins Loader.exe                  win7-20240708-en
  behavioral20   Zeppy Loader/Zeppelins Loader.exe                  win10v2004-20240709-en
  behavioral21   Zeppy Loader/Zeppelins Loader.exe                  win7-20240704-en
  behavioral22   Zeppy Loader/Zeppelins Loader.exe                  win10v2004-20240709-en
  behavioral23   Zeppy Loader/Zeppelins Loader.pdb                  win7-20240705-en
  behavioral24   Zeppy Loader/Zeppelins Loader.pdb                  win10v2004-20240709-en
  behavioral25   Zeppy Loader/Zeppelins Loader.runtimeconfig.json   win7-20240705-en
  behavioral26   Zeppy Loader/Zeppelins Loader.runtimeconfig.json   win10v2004-20240709-en
  behavioral27   Zeppy Loader/ZstdSharp.dll                         win7-20240708-en
  behavioral28   Zeppy Loader/ZstdSharp.dll                         win10v2004-20240709-en
General

Target:  Zeppy Loader/Zeppelins Loader.pdb
Size:    21KB
MD5:     1e70bf9785f355cd8aa642586b512205
SHA1:    91357d439acd05f2c65b00729f8aa793860bcfdf
SHA256:  2c48472c8bbb6ae2e9c3eeef2179505d4571238a498341b34c6fb644a3dcad09
SHA512:  829eb9768bf655ded1ada34360ceca277aca70cf82b79e34f01b1200c4165cbfa2898b7e9b4f1613e61905837e21d848069e4df8985709d49f6dbb1f142aa1ba
SSDEEP:  384:mWKbN/1ObtYm1nB+hOaZXkZ5a9tedxhzL7qO4q1Q2baPfPHzftmSPH9DZRUxxNhp:Eh1SthCchTr1Q2bIrUxZGSw37lNz+
Malware Config

Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
  Processes: rundll32.exe

  Description      IoC                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pdb_auto_file\               rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pdb_auto_file\shell\Read\command   rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.pdb\ = "pdb_auto_file"      rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pdb_auto_file\shell\Read     rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pdb_auto_file\shell          rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""   rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings               rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pdb_auto_file                rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.pdb                         rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe

  PID   Process
  2376  AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe

  PID   Process
  2376  AcroRd32.exe
  2376  AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe

  Description                  PID   Process       Target process
  PID 2540 wrote to memory of 652    2540  cmd.exe       rundll32.exe
  PID 2540 wrote to memory of 652    2540  cmd.exe       rundll32.exe
  PID 2540 wrote to memory of 652    2540  cmd.exe       rundll32.exe
  PID 652 wrote to memory of 2376    652   rundll32.exe  AcroRd32.exe
  PID 652 wrote to memory of 2376    652   rundll32.exe  AcroRd32.exe
  PID 652 wrote to memory of 2376    652   rundll32.exe  AcroRd32.exe
  PID 652 wrote to memory of 2376    652   rundll32.exe  AcroRd32.exe
Processes

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.pdb"
  PID: 2540
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.pdb
    PID: 652
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.pdb"
      PID: 2376
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  3KB
MD5:       3865f4e28cd37bc268b0800bf1e40b82
SHA1:      422bdb7084a5243a1794a5b304bc60fa17c3f7c9
SHA256:    7acab54d80e086c67d1e923d629cfcb1b8fe44e7aeeaea0c2f2bd491bb252375
SHA512:    b0804119cef2ea07747cf843fc786a504e87c702fb346b70819abb113542168af78a2632ffcdf72bba7f0e16f4fac33e241769676cc25d040cfbffbcc625bf11