Overview
overview
3Static
static
3Zeppy Loader.zip
windows7-x64
1Zeppy Loader.zip
windows10-2004-x64
1Zeppy Load...PC.dll
windows7-x64
1Zeppy Load...PC.dll
windows10-2004-x64
1Zeppy Load...ip.dll
windows7-x64
1Zeppy Load...ip.dll
windows10-2004-x64
1Zeppy Load...on.dll
windows7-x64
1Zeppy Load...on.dll
windows10-2004-x64
1Zeppy Load...V2.zip
windows7-x64
1Zeppy Load...V2.zip
windows10-2004-x64
1Zeppy Load...ny.zip
windows7-x64
1Zeppy Load...ny.zip
windows10-2004-x64
1Zeppy Load...ld.zip
windows7-x64
1Zeppy Load...ld.zip
windows10-2004-x64
1Zeppy Load...ss.dll
windows7-x64
1Zeppy Load...ss.dll
windows10-2004-x64
1Zeppy Load...s.json
windows7-x64
3Zeppy Load...s.json
windows10-2004-x64
3Zeppy Load...er.exe
windows7-x64
1Zeppy Load...er.exe
windows10-2004-x64
1Zeppy Load...er.exe
windows7-x64
1Zeppy Load...er.exe
windows10-2004-x64
1Zeppy Load...er.pdb
windows7-x64
3Zeppy Load...er.pdb
windows10-2004-x64
3Zeppy Load...g.json
windows7-x64
3Zeppy Load...g.json
windows10-2004-x64
3Zeppy Load...rp.dll
windows7-x64
1Zeppy Load...rp.dll
windows10-2004-x64
1Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
19-07-2024 15:23
Static task
static1
Behavioral task
behavioral1
Sample
Zeppy Loader.zip
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Zeppy Loader.zip
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
Zeppy Loader/DiscordRPC.dll
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
Zeppy Loader/DiscordRPC.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
Zeppy Loader/DotNetZip.dll
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
Zeppy Loader/DotNetZip.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
Zeppy Loader/Newtonsoft.Json.dll
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
Zeppy Loader/Newtonsoft.Json.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
Zeppy Loader/Resources/SpooferV2.zip
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
Zeppy Loader/Resources/SpooferV2.zip
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
Zeppy Loader/Resources/lethalcompany.zip
Resource
win7-20240705-en
Behavioral task
behavioral12
Sample
Zeppy Loader/Resources/lethalcompany.zip
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
Zeppy Loader/Resources/pixelworld.zip
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
Zeppy Loader/Resources/pixelworld.zip
Resource
win10v2004-20240704-en
Behavioral task
behavioral15
Sample
Zeppy Loader/SharpCompress.dll
Resource
win7-20240704-en
Behavioral task
behavioral16
Sample
Zeppy Loader/SharpCompress.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
Zeppy Loader/Zeppelins Loader.deps.json
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
Zeppy Loader/Zeppelins Loader.deps.json
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
Zeppy Loader/Zeppelins Loader.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
Zeppy Loader/Zeppelins Loader.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral21
Sample
Zeppy Loader/Zeppelins Loader.exe
Resource
win7-20240704-en
Behavioral task
behavioral22
Sample
Zeppy Loader/Zeppelins Loader.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral23
Sample
Zeppy Loader/Zeppelins Loader.pdb
Resource
win7-20240705-en
Behavioral task
behavioral24
Sample
Zeppy Loader/Zeppelins Loader.pdb
Resource
win10v2004-20240709-en
Behavioral task
behavioral25
Sample
Zeppy Loader/Zeppelins Loader.runtimeconfig.json
Resource
win7-20240705-en
Behavioral task
behavioral26
Sample
Zeppy Loader/Zeppelins Loader.runtimeconfig.json
Resource
win10v2004-20240709-en
Behavioral task
behavioral27
Sample
Zeppy Loader/ZstdSharp.dll
Resource
win7-20240708-en
Behavioral task
behavioral28
Sample
Zeppy Loader/ZstdSharp.dll
Resource
win10v2004-20240709-en
General
-
Target
Zeppy Loader/Zeppelins Loader.runtimeconfig.json
-
Size
266B
-
MD5
d8ae75ee64991f91ddf5fa2c72adcc7c
-
SHA1
c8318862e3f8051daed02b9d764e7468cbe4bf86
-
SHA256
6a9ae797b520e700bcb418aa36e945f22d27c86b3aebb393cb7c4462d52e76da
-
SHA512
8907e87ce5c582ada4d391009b015ea9878c3f788a15f327dc7bf147e8a4ac80258e0541f1f35f3e00cb29dfbd55839908595a6941920d68bf7cb8bfdffb4998
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\json_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\json_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\json_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\json_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\.json\ = "json_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\.json rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\json_auto_file\shell rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2868 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2868 AcroRd32.exe 2868 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2296 wrote to memory of 2424 2296 cmd.exe rundll32.exe PID 2296 wrote to memory of 2424 2296 cmd.exe rundll32.exe PID 2296 wrote to memory of 2424 2296 cmd.exe rundll32.exe PID 2424 wrote to memory of 2868 2424 rundll32.exe AcroRd32.exe PID 2424 wrote to memory of 2868 2424 rundll32.exe AcroRd32.exe PID 2424 wrote to memory of 2868 2424 rundll32.exe AcroRd32.exe PID 2424 wrote to memory of 2868 2424 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.runtimeconfig.json"1⤵
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.runtimeconfig.json2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Zeppy Loader\Zeppelins Loader.runtimeconfig.json"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2868
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD55bcbf6be283ff73001eb468203ad20e0
SHA128908177788c08242ee5bc9965e5b7f7b5f1fd8b
SHA256fe0558c49c5ded33799255a97a9c9f427e9c9ea8265a3b9cae52c3685f984992
SHA512d5dc2e4b4359e3a740cac4cf5545b79e9346f762912fbb5ed6d2a955df5711f53aa156b05cd421cdf5da5dcd1dba3229a669183a407ab786277a2ec537585b8e