buran | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Size

812KB
MD5

5181f541a6d97bab854d5eba326ea7d9
SHA1

16d9967a2658ac765d7acbea18c556b927b810be
SHA256

b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83
SHA512

c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa
SSDEEP

6144:73KIrUL3UE1S5mY5/i+i6thb2/VMpfkgXkJX/h/O11/vMLZ935PFXwz6Ui:DTru3FS5C/VMpfkg2ROs9dSz6

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 827-632-397 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Buran family
buran

Detects Zeppelin payload 13 IoCs

resource	yara_rule
behavioral27/memory/2244-17-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral27/memory/2232-39-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral27/memory/2464-47-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral27/memory/2232-2213-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral27/memory/1792-2239-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral27/memory/1792-6066-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral27/memory/1792-10653-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral27/memory/1792-15337-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral27/memory/1792-20366-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral27/memory/1792-24886-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral27/memory/1792-28310-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral27/memory/1792-30191-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin
behavioral27/memory/2232-30229-0x0000000000400000-0x0000000005678000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Zeppelin family
zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7389) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
576	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
2232	smss.exe
2464	smss.exe
1792	smss.exe

Loads dropped DLL 1 IoCs

pid	Process
2244	Zeppelin_08_03_2021_813KB.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	Zeppelin_08_03_2021_813KB.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\E:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	iplogger.org
10	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00057_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_pressed.gif.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ.POC	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-10.827-632-397	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk.827-632-397	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar.827-632-397	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar.827-632-397	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00255_.WMF.827-632-397	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Managua	smss.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105288.WMF.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKIRM.XML.827-632-397	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Earthy.gif	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49B.GIF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Earthy.css	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\SAVE.GIF.827-632-397	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt.827-632-397	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar.827-632-397	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar.827-632-397	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00186_.WMF.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDECL.ICO.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\TOOLICON.ICO.827-632-397	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Thule	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00006_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301052.WMF.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02051_.WMF.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_K_COL.HXK	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee.827-632-397	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Melbourne.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00941_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\REPTWIZ.POC.827-632-397	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox.827-632-397	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+2	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.LIC.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01628_.WMF.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105410.WMF.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00058_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01242_.GIF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115876.GIF.827-632-397	smss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+1.827-632-397	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185806.WMF.827-632-397	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeppelin_08_03_2021_813KB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2916	vssadmin.exe
1440	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	Zeppelin_08_03_2021_813KB.exe
Token: SeDebugPrivilege	2244	Zeppelin_08_03_2021_813KB.exe
Token: SeIncreaseQuotaPrivilege	860	WMIC.exe
Token: SeSecurityPrivilege	860	WMIC.exe
Token: SeTakeOwnershipPrivilege	860	WMIC.exe
Token: SeLoadDriverPrivilege	860	WMIC.exe
Token: SeSystemProfilePrivilege	860	WMIC.exe
Token: SeSystemtimePrivilege	860	WMIC.exe
Token: SeProfSingleProcessPrivilege	860	WMIC.exe
Token: SeIncBasePriorityPrivilege	860	WMIC.exe
Token: SeCreatePagefilePrivilege	860	WMIC.exe
Token: SeBackupPrivilege	860	WMIC.exe
Token: SeRestorePrivilege	860	WMIC.exe
Token: SeShutdownPrivilege	860	WMIC.exe
Token: SeDebugPrivilege	860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	860	WMIC.exe
Token: SeRemoteShutdownPrivilege	860	WMIC.exe
Token: SeUndockPrivilege	860	WMIC.exe
Token: SeManageVolumePrivilege	860	WMIC.exe
Token: 33	860	WMIC.exe
Token: 34	860	WMIC.exe
Token: 35	860	WMIC.exe
Token: SeBackupPrivilege	1936	vssvc.exe
Token: SeRestorePrivilege	1936	vssvc.exe
Token: SeAuditPrivilege	1936	vssvc.exe
Token: SeIncreaseQuotaPrivilege	896	WMIC.exe
Token: SeSecurityPrivilege	896	WMIC.exe
Token: SeTakeOwnershipPrivilege	896	WMIC.exe
Token: SeLoadDriverPrivilege	896	WMIC.exe
Token: SeSystemProfilePrivilege	896	WMIC.exe
Token: SeSystemtimePrivilege	896	WMIC.exe
Token: SeProfSingleProcessPrivilege	896	WMIC.exe
Token: SeIncBasePriorityPrivilege	896	WMIC.exe
Token: SeCreatePagefilePrivilege	896	WMIC.exe
Token: SeBackupPrivilege	896	WMIC.exe
Token: SeRestorePrivilege	896	WMIC.exe
Token: SeShutdownPrivilege	896	WMIC.exe
Token: SeDebugPrivilege	896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	896	WMIC.exe
Token: SeRemoteShutdownPrivilege	896	WMIC.exe
Token: SeUndockPrivilege	896	WMIC.exe
Token: SeManageVolumePrivilege	896	WMIC.exe
Token: 33	896	WMIC.exe
Token: 34	896	WMIC.exe
Token: 35	896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	860	WMIC.exe
Token: SeSecurityPrivilege	860	WMIC.exe
Token: SeTakeOwnershipPrivilege	860	WMIC.exe
Token: SeLoadDriverPrivilege	860	WMIC.exe
Token: SeSystemProfilePrivilege	860	WMIC.exe
Token: SeSystemtimePrivilege	860	WMIC.exe
Token: SeProfSingleProcessPrivilege	860	WMIC.exe
Token: SeIncBasePriorityPrivilege	860	WMIC.exe
Token: SeCreatePagefilePrivilege	860	WMIC.exe
Token: SeBackupPrivilege	860	WMIC.exe
Token: SeRestorePrivilege	860	WMIC.exe
Token: SeShutdownPrivilege	860	WMIC.exe
Token: SeDebugPrivilege	860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	860	WMIC.exe
Token: SeRemoteShutdownPrivilege	860	WMIC.exe
Token: SeUndockPrivilege	860	WMIC.exe
Token: SeManageVolumePrivilege	860	WMIC.exe
Token: 33	860	WMIC.exe
Token: 34	860	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2232	2244	Zeppelin_08_03_2021_813KB.exe	32
PID 2244 wrote to memory of 2232	2244	Zeppelin_08_03_2021_813KB.exe	32
PID 2244 wrote to memory of 2232	2244	Zeppelin_08_03_2021_813KB.exe	32
PID 2244 wrote to memory of 2232	2244	Zeppelin_08_03_2021_813KB.exe	32
PID 2244 wrote to memory of 576	2244	Zeppelin_08_03_2021_813KB.exe	33
PID 2244 wrote to memory of 576	2244	Zeppelin_08_03_2021_813KB.exe	33
PID 2244 wrote to memory of 576	2244	Zeppelin_08_03_2021_813KB.exe	33
PID 2244 wrote to memory of 576	2244	Zeppelin_08_03_2021_813KB.exe	33
PID 2244 wrote to memory of 576	2244	Zeppelin_08_03_2021_813KB.exe	33
PID 2244 wrote to memory of 576	2244	Zeppelin_08_03_2021_813KB.exe	33
PID 2244 wrote to memory of 576	2244	Zeppelin_08_03_2021_813KB.exe	33
PID 2232 wrote to memory of 3044	2232	smss.exe	35
PID 2232 wrote to memory of 3044	2232	smss.exe	35
PID 2232 wrote to memory of 3044	2232	smss.exe	35
PID 2232 wrote to memory of 3044	2232	smss.exe	35
PID 2232 wrote to memory of 2860	2232	smss.exe	36
PID 2232 wrote to memory of 2860	2232	smss.exe	36
PID 2232 wrote to memory of 2860	2232	smss.exe	36
PID 2232 wrote to memory of 2860	2232	smss.exe	36
PID 2232 wrote to memory of 644	2232	smss.exe	37
PID 2232 wrote to memory of 644	2232	smss.exe	37
PID 2232 wrote to memory of 644	2232	smss.exe	37
PID 2232 wrote to memory of 644	2232	smss.exe	37
PID 2232 wrote to memory of 2392	2232	smss.exe	38
PID 2232 wrote to memory of 2392	2232	smss.exe	38
PID 2232 wrote to memory of 2392	2232	smss.exe	38
PID 2232 wrote to memory of 2392	2232	smss.exe	38
PID 2232 wrote to memory of 1036	2232	smss.exe	39
PID 2232 wrote to memory of 1036	2232	smss.exe	39
PID 2232 wrote to memory of 1036	2232	smss.exe	39
PID 2232 wrote to memory of 1036	2232	smss.exe	39
PID 2232 wrote to memory of 1712	2232	smss.exe	40
PID 2232 wrote to memory of 1712	2232	smss.exe	40
PID 2232 wrote to memory of 1712	2232	smss.exe	40
PID 2232 wrote to memory of 1712	2232	smss.exe	40
PID 2232 wrote to memory of 1792	2232	smss.exe	41
PID 2232 wrote to memory of 1792	2232	smss.exe	41
PID 2232 wrote to memory of 1792	2232	smss.exe	41
PID 2232 wrote to memory of 1792	2232	smss.exe	41
PID 2232 wrote to memory of 2464	2232	smss.exe	42
PID 2232 wrote to memory of 2464	2232	smss.exe	42
PID 2232 wrote to memory of 2464	2232	smss.exe	42
PID 2232 wrote to memory of 2464	2232	smss.exe	42
PID 3044 wrote to memory of 860	3044	cmd.exe	45
PID 3044 wrote to memory of 860	3044	cmd.exe	45
PID 3044 wrote to memory of 860	3044	cmd.exe	45
PID 3044 wrote to memory of 860	3044	cmd.exe	45
PID 1036 wrote to memory of 2916	1036	cmd.exe	50
PID 1036 wrote to memory of 2916	1036	cmd.exe	50
PID 1036 wrote to memory of 2916	1036	cmd.exe	50
PID 1036 wrote to memory of 2916	1036	cmd.exe	50
PID 1712 wrote to memory of 896	1712	cmd.exe	52
PID 1712 wrote to memory of 896	1712	cmd.exe	52
PID 1712 wrote to memory of 896	1712	cmd.exe	52
PID 1712 wrote to memory of 896	1712	cmd.exe	52
PID 1712 wrote to memory of 1440	1712	cmd.exe	54
PID 1712 wrote to memory of 1440	1712	cmd.exe	54
PID 1712 wrote to memory of 1440	1712	cmd.exe	54
PID 1712 wrote to memory of 1440	1712	cmd.exe	54
PID 2232 wrote to memory of 1040	2232	smss.exe	56
PID 2232 wrote to memory of 1040	2232	smss.exe	56
PID 2232 wrote to memory of 1040	2232	smss.exe	56
PID 2232 wrote to memory of 1040	2232	smss.exe	56
PID 2232 wrote to memory of 1040	2232	smss.exe	56

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Zeppelin_08_03_2021_813KB.exe bcdedit /set shutdown /r /f /t 2
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:896
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1440
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1792
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2464
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1040
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\.zeppelin

Filesize
513B

MD5
ca780293975fe54e0ac9932e9df4ceb0

SHA1
6d09fead02517635390d47cdc209e23b4826577f

SHA256
67631134ad4592e9aca132a7aa7fd1c34d7d110c033515893de84383cba55de8

SHA512
527c86e7db2d1cd3a104321b56909eadcf75fb84c59d1128c31c2dcd81fa7deedfedd1e4bc0e37b39557881719cb58e4820180d7dd3fff6baa1f22d26e45fd58

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
24KB

MD5
7565a8cdeae036078cbbc61f0572dffa

SHA1
4666fd214bccdfca324937773bac49acbdc91f04

SHA256
c2584c3e117d0a8627cb9fd2790001a740fa52a1f188596dca4f746c4d3c8ed7

SHA512
bc8711d320771440db5d2d970f14e99e371c73728a6d05bff9d0ae2e19f9dcbde5d0dd385b2de94ea191c1130d784344fba59139554ec845def67d89e3d70f75

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

Filesize
29KB

MD5
cc1b1527b652619fec643d39456204d7

SHA1
52df24c71f66c331149e5ec5357be6470ae0cf8f

SHA256
ce99142fdf98b9f04dbdb4cc2bddd00e5de1b8d445c24cb27d60de1b4b2cb21f

SHA512
578fe15ebc5698decbfdc022f07667973b25c0a9f6b54785c2605f970639e6adbc53a251b3cfe9dc22b1ea02f2f77c0a33becfffac9f8f2b76b5c2955fa22e19

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt

Filesize
29KB

MD5
8c9078a1224572710b56cc58c96e4742

SHA1
e192ae1e783674439a9ad13df29a351acc26b6d6

SHA256
eea8a63d71f8d9d7c931f829fea9d1ecc7302d7a83a6e4e77f2a9cdbde81e755

SHA512
5c36009365be6dde0f08681e51dd62bb96f70ea1ef2f4e17fd53ced4653e4c1a8291c057728fea266e51b2eb29a282e53c33521c3018dc5d2421482a64f64e5b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS

Filesize
126KB

MD5
703f5b0991e41bf7ee4bdaa5252e74e9

SHA1
2a2005f79cbd7cfbe49ab324077978079591ed82

SHA256
f54a5fb46542c83c634e22a592e4c8047882a025ae37505265c7a6842fecbc61

SHA512
69696f5cd9b4a5a0a460795b8e7eda06236b636747ec4f7135fa28b958aa470478622bae8e4d346638b28a9d31993229b26066ffc59ebfd50a5ed7689038197d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML

Filesize
79KB

MD5
53d4dee492300ff59694999dd41a80a0

SHA1
3c9b7969d5d6b2ebc1a38d3d02935baf1b223957

SHA256
9ca647fafc5eea3b78484062b880fdd9ea9ad1ccb1e5fb095141231c1c1b453e

SHA512
75fa0ce9411dede8f54883e3a12315036b550409b98a8dbcee0b100e51fae3456e464707f222540595fc9761997aa6984722a19a0849a157907cc5e3ac54a59e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp

Filesize
9KB

MD5
be8d28ec660bd00688c1e4615b82e4f7

SHA1
603681432816f1d5c08fcdf4d197c60699fc7d11

SHA256
0a402ac4f995a52b4405309109a287478d3f97d33a6fc7b8d787899a877631fc

SHA512
c510e197465feb04492d9f27758e55214caeb7da1b0556b88033915f5488d49e23db87ce9dd469efbbfbf00db27f12451663ae2bd9d5b1515489a85aab2dc496

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
79KB

MD5
8b68b9b32966b51ce2be156be5ef8021

SHA1
f366feb3acf50acfeb6ca5eb5651e76ebcd13e50

SHA256
ef45b5103036febcf212ae20960a8bca24735ce4150e4e8e817ac115b6dea519

SHA512
873271c7ba3d12402674a65ddbcc0197ce634a4194b8ee960f79fc982edb7ce2ced637637776c257d49479f41ea5820e0be4c5fa441830e82bde8ef13bd78d0a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
d5930fc524fe54417e07413e434a4c3e

SHA1
e10c296a183e176f3ab2935d902f2eb17730330e

SHA256
a492eee51e83ce617aaf7e5581c742df0ba640d4607083dd18aaf3a81d5a283f

SHA512
a06256692e098d853774240403113e8ea276326f73691bf3eca47737b7615b3003bb53cf8f7b0be324805e7417313518de5e37ec8d7c06a6fbcab78686888416

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
79KB

MD5
647077129a1bcf88e9e82b8151c97e5c

SHA1
17151d5d1182f3abdd404ea00056928d4e1fed37

SHA256
fb15428c8d84b33d259438bdbdf9fff707fe014f0242da60b7e637f415bcfa59

SHA512
6f764d20afcd6bff71a19c9e1e60b9a194e5131a64adf53eedf693a7f8bba37d45f2015e78d999fe7fd9caa8319ef329f84863a454f0949a20afc99ba0b95e97

Download Submit
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
935B

MD5
5bb35a7254409e18be08d37babba7d09

SHA1
db32c8b1fe630c86dae44101b311620ac9502464

SHA256
01a1256435e602d33207ae9db3a47e3f52019c18ac8d97c2af88ff700f9e674d

SHA512
3bc250b200d445181be0a855adc254b2ddebb39fdc6c093aac21a5798122437ff8b32131cdac3581491b234a88e92bf308fea0f4b0232495b9cb0c0dd592f0f1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties

Filesize
8KB

MD5
f6de33f52ef83df6e22c2871f251a93e

SHA1
102060d9064114a75b960a522b0278f2590b7732

SHA256
89a159f56a313aac2d7057aeb77437c96d77e8ddf946457d2318309d0a5f563f

SHA512
25ab3b54a90fea80180096d5c2f553090aedac0cef24ab9e68b1daaf034ad8597a8ae0fc43c57e45e5ceba15aaada4da0b20f35ad27d3abab592699e7d1444d0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

Filesize
8KB

MD5
00ad13fd5843f15e307127b12921f779

SHA1
51d4d884ee19b4c219c75285bc3a4f78b9a776c7

SHA256
b68fb5ff43b9393cc5c32d16685b7e52381300023fd2eb0cbff8c74d7caf536a

SHA512
28dffd399a16db59d8c243ebde2a0fb6b3aa8e1609898af9065e4edf9bdb401204fc63d4aed96998173a07dda98e7f3d4ffea989481fcb6ac43501df1644a29f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html

Filesize
11KB

MD5
535e879a60421b3f742bcabe4bdce6cf

SHA1
61f023a3b28f9fdf675bf6a71107d3e4b603b1dd

SHA256
e55f12443aa8c43f7cd4eecb21f2781990e6f25485a7368e0ca9f17ae9dbb643

SHA512
71f9e5421a5cb04d4d948f1e11fcd8b9f1a0177a13bd62ede9fdc134819da028e042e796f516cfdb3245d920e01008ce58cc72c67470185634aba61d51d74357

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html

Filesize
11KB

MD5
a016995558b99ffbe6071253eb117b83

SHA1
01b9694f462ed04b2f38162944d4c5a588a506b0

SHA256
b661a9af7741f6d6f86caaeb27f6f233e641edc72a50d184c32effd5beaf5c2c

SHA512
4f6a2d24f0789430af918abf2a6878e0dc054f3fb5f3cb0bd65bc41cdfcefd6509133c7ede87f88d30d814210b43b33289139c6c36e09869e2951b4573d311ab

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

Filesize
11KB

MD5
3e66825a463720728efda3107541a24a

SHA1
65803649ee79259a0f9d4e495f5ca471693770aa

SHA256
835884dd7ad9f0a398df58d2da33453c4205e857b18220dcb4a966929ee58512

SHA512
f45dde9d665db491c3149c5f5785ec9b0cd2059cf3a6eca0b4af4d0258ca84461c4c3081637dc833dbf79b661e7c7db6a97ced8b002ec33ca6349897a286a6fa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html

Filesize
14KB

MD5
ad25d7bd1d4d7939d4e9493abea1a92f

SHA1
4efcf50661f0dc04790f79753196f737f1928b0e

SHA256
916fc8dec384edb7abc400dcc125fdcf99539b14710bf71b391a44f0fbdff9fa

SHA512
e9e4d5f9b74bc9f566f490238a026072de5712a569888c8fdbb205e8c6d3ebd8c0b938d5f3586c6b191760364ed2fdf0fa2c3a2c0d193b01701aee701b829c4e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
586KB

MD5
6fa188076566f6f6a495379d13b3cda9

SHA1
41ca00840572dba4e36d17d3fba2584d5e1b39ac

SHA256
744712c3c826074ce098638cf3678623a59d5c29c5f87f2e9f8835917d3ea164

SHA512
076d3ad4b273a2b4830b137ddd9b1f41aa05509c86592cc9b3d916e5a8e8d5adc54802e921e42753b91cab69cc0e3374ab9c29c202cbb6550bb42cb713de5397

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
41192922e860ff780fc289f4062cea71

SHA1
b31a785f2ceb7dc58d42ea90a5f9b96045948696

SHA256
69474edddf63750a14ce2ee696acbc32f4a54e1d3d5aa8b6a0a53f9e3aa0df89

SHA512
1182702dab01b2c0914778ce6d5d8ce6dd594688b1c8798a15f526db8da43ec2d8806dfc319aefde254eb879d24134e15ddcce72314d22a8d6ad5267e7edb555

Download Submit
C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo

Filesize
613KB

MD5
96b207871fdf58d998730f7509a50e31

SHA1
98f4ce8b3b03141e4b11d3d4e5622f3288f5f42a

SHA256
1a7c5f80a89cc9e2dd206f243238eb217556d6a4c9137cfddfedc72213e6bc49

SHA512
118e316c98e7d22d101000d6f8dcf8a96fcf4ca8c1b0fa9566045b44dc2014a95ee5bab09905b1679b6d507e6b9d9761e6330d7f7a888a6cf2d58036aef210f7

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo

Filesize
1.1MB

MD5
4bdee2a51c295f01aa35d47ca1efde00

SHA1
4aa81cf10ba83003cfa51bda82a39bf576942f99

SHA256
c3d3b493aeec4df1e3dcb94b6ca63f39b25f941c6a425fe07665e77a53f2b86e

SHA512
d943804bc3f33e2af2bf8156d09c95b5a390298603659503f942a4a89ebb074c89230027fba6268e79d67db4471563e1dd53a57c93c021bf2d5beaf5f8e8a12c

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
607KB

MD5
7f07b31867c40599c87a1db44e6e574a

SHA1
479d3c3f4763f237aace928b29de03422d353a35

SHA256
d66e2617ae9101207dd7c2b9dbca49d74a7a066f005f20ef97055328bea246c5

SHA512
a35c653bc533278278400cd6eb53a20106eaf11719d893083b03dfeda1eb0a9c4b5c1109340d116d1f516dc3f9637a2865d4331f89ab29b9134ee2f0a97a7fb4

Download Submit
C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\vlc.mo

Filesize
594KB

MD5
b6594345255ea0c3a169390f69c4ee50

SHA1
e8bf9be6cf959f8d416a3de80cdf908014d67bed

SHA256
2e415ba17ce1ab858f64bad499e0e9af5b6b6d539407dd09d0d699f799943f06

SHA512
68dfcc1535d0468612987ac076a3c77748b8156dd06eaa02645d4b6a2f3edba8e78d61d6bcbd2090d1e59b7adbede0830590576cc2c320328e702af537d24c16

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
781KB

MD5
095f2610291fbb99c75e5ad3244f5dc4

SHA1
b130216ddccf96669873d77bcc4cdc0ddd840bd1

SHA256
cc8136ccfe6b65d4f51db3c0f52d9d2a64eed49700bb3335c16594a07b37b6e2

SHA512
53a55a86ca92e98a1a9c48d8abc429878206487ff4ac55f707d50f0890eae7c8fbd3f886425ddc7155160dc7fc37abb317ae22a4102272ee7199536a8a4cc129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\QT23XPBC.htm

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\Desktop\BlockStep.txt.827-632-397

Filesize
468KB

MD5
456a9f9c068ddf3376496ea91d9a39b2

SHA1
dc7bf62a8680e22bf31654bf96340499877b061e

SHA256
60040f27d86f0db1a9734b531f119734c6863a3c3e2f839e58e294fd422f47d0

SHA512
428ab920057812ea67043883375749fe36332c7f5b9a5890cfe0e3b4025548e60279d18e8940787afc58ef7b59b37954b7e15afc0ea4e58b949e4725365bb0cf

Download Submit
C:\Users\Admin\Desktop\CheckpointMove.wax.827-632-397

Filesize
357KB

MD5
64b85f4d221eb5c1a0f62c2a6ffc4761

SHA1
da18e09ce2689ce5cd7b18f7a8faf96474c444d6

SHA256
980b5259cfc6aab89a98a233a85cbdcdc9d4108d53ff3de78992f86afcdbbb51

SHA512
b0d0d45af411d2a2e25ac3f8157be7b78c8daa2d3d534fec1bff142c3c5612377613eac71846f6e8aabb2d7d7ee26aa3df5b50f4c52b9fdd55a49a5cec8b2267

Download Submit
C:\Users\Admin\Desktop\ConvertApprove.html.827-632-397

Filesize
446KB

MD5
a4854c9d1751d47f98ea6e22e7751fb1

SHA1
59a6ec3c9ae2cd61c056abcd222cd86156aeabbf

SHA256
493511c509e1625a6fd687cb680110876dc89d76cbf9d14a91302c412a70ed38

SHA512
a635ff5c8daec528e077516549964440dc30c54f94160e1456f7c71b63765ba27ef07225ca3b7f0cdd07600b695c1dde2c1e7f758a67c324cca03336441b97b8

Download Submit
C:\Users\Admin\Desktop\CopyStop.mhtml.827-632-397

Filesize
424KB

MD5
b7fb63c7d5de5af7871087262275cb8c

SHA1
447c2af7f00b89c11c32a7e15aa4a9be9840e9cc

SHA256
4d19b3cdd32617870ca887708d295a350f87166e5217d2e7f308a5b366a9e252

SHA512
20dc9a474e92ebdcb7837bdbcfaa28bb902352bb0afcce1878a0b2111e6f272d718ddfa3bb549f0b4e8b42c61c3f5cd134c3a4caeb443edf0bd7dc5a8a1e9d17

Download Submit
C:\Users\Admin\Desktop\DisconnectUnblock.vbs.827-632-397

Filesize
624KB

MD5
b047cd1eff9e86f05c8626ba9bcd75a0

SHA1
11d1c53fecb87c3f3bbef5dd78fc5e2ff18d6451

SHA256
3a61463e51d263e23cd7c0af197f8f7318ae72393405bff4c68f99321bbf2e8e

SHA512
97305cded161e3099a055d2ce85caebf9dddc5b643ade3dffd0369525d87185c850f869b60e4075716ef12c4250818744c9543fbb456755e18ed84ae7249711f

Download Submit
C:\Users\Admin\Desktop\DismountDisconnect.wmv.827-632-397

Filesize
735KB

MD5
8a8bb7816f8fcce28f0359cc55fd17de

SHA1
cc5974806edb2d49bed6e4fd1d30dc7eae742c33

SHA256
74004ed6604b794b8ea1014709cf3b556196c371a8e7c10694a6ddf08dbdf935

SHA512
777e0dff9b1c620bb487311b60b73442c76fc6281a6953b1b71d2d9333669bdbda8c01dbb3ba13f2501d6bf64ce3570a87b861b854ca1a10f64a0688f514b035

Download Submit
C:\Users\Admin\Desktop\EnableApprove.fon.827-632-397

Filesize
513KB

MD5
8f5825d685c224e810a5525becfae59d

SHA1
85b1ad10c4718dc698e9cf0e3aa6713855875e20

SHA256
d8d5993126b2161138090423c2e9c6dc0300711a3d598e5403dc420ec752a69a

SHA512
f5165fce7aa42d20ad52dd8e2fec8169835313a587d0b1023b3a9302a39d91791510c55c647adae3619c5bcebaac6bfd52b4b76d798ab951e02600d490c66795

Download Submit
C:\Users\Admin\Desktop\GrantExit.iso.827-632-397

Filesize
779KB

MD5
20e33c883fbe4d051de2db7572c97837

SHA1
77cd5b2b295db54f4664177466442e9f753890fa

SHA256
94d88f7cf1ba2c3a4a63a577e371e3923d44da18a4c9240542c5a7fe351332ed

SHA512
665cac738f15eae94760c0b82eabd2d0d6f94b45e33b8c763692846fd408bccc58bdc4dfb00877648056d70bb3311c4aa590352f432b97f8b4063663c87860e3

Download Submit
C:\Users\Admin\Desktop\JoinHide.docm.827-632-397

Filesize
846KB

MD5
7ec9ff58126258060d9cbab325865c9e

SHA1
77bc583e07de0fff49e0ef7e25d53bffa076d695

SHA256
de04a7e33bde35d3f819c17142709be9c77c346fb92be357eae0b3252930083d

SHA512
bfdad857171198956144b961fe3bf522f6a895892150821538146937607021c1801378d2e18d55b5777f63b449bd364950a88af095d2bd7be7a96be2f0e5bc0f

Download Submit
C:\Users\Admin\Desktop\MergeEdit.M2T.827-632-397

Filesize
1.2MB

MD5
b0ceeb7d9517007a5568b7f0456ea1e8

SHA1
f38e571df88c11637dc6d9ad83cf01c0e0d17f75

SHA256
776b09f3777a506cd66dcab33e68e278bb2efd8bb96493a53118a0843a32b374

SHA512
0b2b2cf571d28fa870f6202eb0af8659c1a1767619caf45a9b226950de8770c265507dfb4d94974a1fdb9b5a1156a9c7cf86df50d38f9585dc64e256aa9ec233

Download Submit
C:\Users\Admin\Desktop\MergeSearch.mht.827-632-397

Filesize
335KB

MD5
ecb6e2cef4bc07d3de8ce8a704d8967d

SHA1
2c8b1d32f6a77b10687472dce9b60619caddc5a1

SHA256
908e5ffc22365912df0b231c8b34f8128ccfdf5c876257bf958879793e0eb936

SHA512
57aa5e5c148bda8f17a92b7855984c4f7d94ce57b27000bd5be78889a1efd83b26c1cf981ddd088504550d1eba07574866b75b86f0c2f77259e44577431f6034

Download Submit
C:\Users\Admin\Desktop\NewUninstall.xlsx.827-632-397

Filesize
16KB

MD5
c91c022c1b72d0c041514fb0da351446

SHA1
06ffee1b04ab5ae881435efe58e1492af67d6701

SHA256
883dd114e2f178955f50092f46b98bdc7771f8d4f4691aeb949233cd95d5b74d

SHA512
c438eeb4d960f310af7c54db599de32b58262af98c9a0b7571bd06aa045bd0425b5f411d4448c172727901197f68d676aec68fae494aed7cc407f0d9066e237b

Download Submit
C:\Users\Admin\Desktop\RegisterLock.emf.827-632-397

Filesize
379KB

MD5
7ecbbf9d55b3ca4a48a05deb43ee470c

SHA1
3c5f6c45c815b9117834d3ba762cb08f441875d4

SHA256
1bdc929136c08e6fab3579e848ef94d3faefa2899649771664c992fb11bc41ec

SHA512
2c319901e2e4f8ea769529f70fe93b3a0e8632cd9481ff3dbe884a39275f93f35cdc4c19f247be7d13fd2225a4a4b4ffd900e3b521db2ec74511562683800b58

Download Submit
C:\Users\Admin\Desktop\RemoveUpdate.cr2.827-632-397

Filesize
601KB

MD5
52eab7afa8dca3b0900b100befb743d7

SHA1
bad974ba85877479fa2e7ed7f25e237e463edd70

SHA256
b29bc8e0cbd5e9b334534e28d2a396128b4a23c4bd0fdfdf8c3e3bddc1fccc05

SHA512
01660499ad3cb2227b6f46c8fb500ed2e996121529691b0a726571f09db3ed100d4dc10b809a13b46e5c2ab4795a63872eb0da95ba3eaba99fc64e9311cb605b

Download Submit
C:\Users\Admin\Desktop\RenameImport.mpeg.827-632-397

Filesize
823KB

MD5
04b74d425bdfbf66eb247bd332fc4153

SHA1
1768d85bd59531f19164ef30859d4a03c131343c

SHA256
27a804c90cd9005ab35a70cb11fdb34404ae3596b4cd109430b2680bd085f7e9

SHA512
c53dfac1a01e6a7ccc0767900e55b39d1aff87e8b6d5d7dd15121db1a6ca513c08d2a18b09404185f33e5e1ba72d52897e7cdf7651a9bdf116a8a3efd5795333

Download Submit
C:\Users\Admin\Desktop\RenameInstall.temp.827-632-397

Filesize
690KB

MD5
f89ee3dc25e2d4ba5690a0a1c9ead556

SHA1
40d61b7123265937e5b2a814d611178084187fec

SHA256
e501777fad7f4eafb504ea7d9f1db84f0b72f82dade3eb6e8db165e1aa023620

SHA512
d23307e2f542fb3ff328666408ab6871e592d379db605658b285430f864a4fe921ba975a7251fad0467820ce0be01c5f387f84d89cf612b97c8242742bdd7ba4

Download Submit
C:\Users\Admin\Desktop\RenameRevoke.rar.827-632-397

Filesize
579KB

MD5
d6d98c2382e85bcd314f0deae40dfd6d

SHA1
e9961277d25701b2b6e8bdbec11d64dc27c0d500

SHA256
333412274c57840e86e85b9a28e2f7424080d946da0080fecf9ec954f19d97f8

SHA512
927fca898550b2e2897b9e7ec5904fbdeecfcf6800a2c6342a98a13e83fcd8034aef94fc98b38a5e02bd5197c3131e6f288cf64410259b33d456d1a090cb2c10

Download Submit
C:\Users\Admin\Desktop\RestoreMount.aiff.827-632-397

Filesize
868KB

MD5
d266f027d8f5e920f9f1ac6b9c4a0327

SHA1
a40edef1b1e48fd7198be6e5017ee3ec2fb87bfc

SHA256
fb84fc3bb5fcd711eef6d9863b24d2f4730259332c30da750be47506b89a71dd

SHA512
db02926621839e0fc57ee91d66f2e8fde4232c997e551a54138d2e7dbef318fe7bfe12b88f514d3f161e5c5dd08814147c62881bfe3b762eddc4a1e8b36b2443

Download Submit
C:\Users\Admin\Desktop\SaveImport.xlsm.827-632-397

Filesize
490KB

MD5
8753d548af15f94c42be1b955829480e

SHA1
9a51f1e77f2c89b666d5ec5fac8f68b96c05eaff

SHA256
67556f1c2f7c4a92de3df61a4910fe41e1d50b8d1db85ce8b6f8aeb1a2c95a2d

SHA512
37816c5afb6965028414d9cf8e3036defbbc80a3a00c82c98c098357261f47f2d9012df6b328e19305d92ee14560ec92403364e0115ea5be5bc96db4e94fcebd

Download Submit
C:\Users\Admin\Desktop\SendFind.dotx.827-632-397

Filesize
646KB

MD5
323d989400c5e66f03350e8d2491e9d0

SHA1
3c6ae9002059d41c7875c35fc9e67d784ac7fcc6

SHA256
cb13ad1fac05f66e0461a0faedd11b9dc3a7eccc0f0b81ece2506c87949035fe

SHA512
a6e2f4fd869caa7a215affb04288d9e6e8c38a93a50264ebfff28d45e02c49af0fec52f6d2678b7191f079a60d49f1f1ea0664c5d7e6e78d5cf219f81633c03d

Download Submit
C:\Users\Admin\Desktop\SplitCompare.xlsx.827-632-397

Filesize
13KB

MD5
4a41c11c9bb7cbf5678c701c00f98cdb

SHA1
a0d9861f8a4b04da49d582e99d43859896a9202e

SHA256
d0d5e30b532fb3edb27b66997613c7cc7e16b042fb1eb9a05cac695779710f9f

SHA512
d3b83ed75e58532733a213a03aac117e554578c1f605e8f879f2edf272f88c28c0ee5b33cc409c82e4294c22c1be303c635cbdd7a203611885361de65e38c94b

Download Submit
C:\Users\Admin\Desktop\SplitSubmit.ocx.827-632-397

Filesize
313KB

MD5
ecebf77758a07bff0d2056e85dffadc3

SHA1
f648007874f647d281fc0240c7312521b6f3f531

SHA256
b1d45625f6a87f96213e54fd3b79b0cde2a95995a551acb11e54e9483dfe3621

SHA512
72ffc5dc2f924a65401add107e0e8f3cc9d9464f5d360374f9b557ba269a0a41a28019b89efb73e90ad4f871c7c80123adb1a2072c05c2756c9352daa220751b

Download Submit
C:\Users\Admin\Desktop\SubmitRestore.m1v.827-632-397

Filesize
402KB

MD5
03a81bb7e8fef322483943d3db50ac8c

SHA1
85516d78414f92e3935b11af7a956d9ac1ac7821

SHA256
125751b68d007d93f26f0f1e68278c73f7b7acde6e21ec84504021a438321458

SHA512
83768d61544060157e1f564a3aab0ab70ae8ec9c7b6b71ff7e572265513553bea8a5f154d16f2eb44fa58dae6b349c895e1d078016a0720b9fc46ddddfe0f65a

Download Submit
C:\Users\Admin\Desktop\TestFormat.docm.827-632-397

Filesize
801KB

MD5
9b6d28689a41ac46578de029130f6bb3

SHA1
3dbbf6f1f840017e5f271e59a800be885811dd81

SHA256
c706a705147afa71c20e61637cf5ae4c00d9ea926f061ace121def18795fcee0

SHA512
b775da7cd649dbc896bc9af84330224523d43d1cd10dd1f205b74982e22f19e8e964fb3be86e7a3e61d3b3b4f35ee3260377702bcf74da269ce6c27b84dfd7ca

Download Submit
C:\Users\Admin\Desktop\UnprotectSubmit.dotm.827-632-397

Filesize
712KB

MD5
03f757a747a9e919b21ee719ea51d840

SHA1
175a98a4ecd4f5738695e57c474685987fdb46fc

SHA256
69a3fd522480206c59854b9ca0d5fc867e32fc6191ac7066f526ab45282b37e5

SHA512
ee825fde335faabb007d38c791e451355ee8b35bcf95d8cad538e452531bbdc9956bbb7a59b3c87aaf6f6186fb158a5aa67c8a274cf35858a7268574f7b615a4

Download Submit
C:\Users\Admin\Desktop\UnregisterConvertTo.emz.827-632-397

Filesize
890KB

MD5
f23b545f2278295bc41533735c904dad

SHA1
fb161bae16f3e5cc3dc2815ee6d42ee7547802b5

SHA256
9e54f7dcf4b5b4de254ce522d4d92b248e824efc690899e3c65da3cb7f9e867b

SHA512
e03d0a855505c6e2f3ce78065cc4776714c68f0a8f534b13ed47df7f1e04cb66b403066ca7961a7d1f0a02025300999cb7f0126b358052a6d1861c409058c8b7

Download Submit
C:\Users\Admin\Desktop\WaitAssert.3gpp.827-632-397

Filesize
757KB

MD5
42baed45fd33af287b6f7631d2a94036

SHA1
8a7f996f6364c018d7b65cc3cffe5df055bf94e4

SHA256
854503b6747500791a90becf2dbcf4c06781cfd3a353934c07f62778972ff15d

SHA512
78d04176bb9c7000e34ad177b5f4702032085c83bcfbbd92b2a1751c895fb1dc24b73823d342bb9b92ba4002b12a37fd46a49f3d7b12996c73a09625479bbb06

Download Submit
C:\Users\Admin\Desktop\WaitWatch.ps1.827-632-397

Filesize
668KB

MD5
c328a30e652dcd06fbb537d4bce9fa02

SHA1
46b91a8b254330edc284de04c24f81e678cc80ee

SHA256
71a70beeff9a114fbd12de9886b76182473dbdd213317bb2b25c67d62168276d

SHA512
2b5544abb46d65098434144c0c2c86e32f64fff367a743242fedc6318f0c2926e9b04ee2e369154a61a2e4b3a3891bf248689581faeb6170de6fd039732c355e

Download Submit
C:\Users\Admin\Desktop\WatchPush.html.827-632-397

Filesize
535KB

MD5
0af4827d7f9b5b8aec9dc06fb9cfad15

SHA1
3f1e734198b36a6027c0adf9966164313aac3918

SHA256
e5e6294df09bae0d743de5f97a61f0435a752ec1ad7faeb8fbf6dfa5b0028f24

SHA512
b1ae6af11bc17f6b999fbba8e8c6ceb1dc0d99384b02f0469e57617702651399a76b109cfd9b3a0a07f24ca3c3629793226407fc903ea6d2d77b7f01a2889016

Download Submit
C:\Users\Admin\Desktop\WriteRevoke.xlsx.827-632-397

Filesize
12KB

MD5
90d54197bd23913fa7e53ab9d7a7660d

SHA1
fc5e134a82cf1bc6b14e824bbdb6dcd47c81e196

SHA256
26276f8a8c0232bbddc576375b974b936247f0411bf9e65f2de6aa13ac9e07fe

SHA512
5ceba770e945b7cfc981724e910aba82fdedd54b95a141c2bd49598d00a0aa63c42f0f95abbffd5bcec388d0dc043cb715493d106c1c04f7e3b4514501db38b8

Download Submit
C:\vcredist2010_x86.log.html

Filesize
83KB

MD5
db81163aedfab36f58780933e1ae1a1e

SHA1
930a7ff1ce43b6801da0821cb22cd0a075a1112d

SHA256
46f2803c26ed3546c6a12f79d1918f9074634aeee17b562893d321237758c024

SHA512
e19a4ca5b577fd37ece8f1d07ed08bd1777ba3607a12e7aa81f842195bbe4b59270cf22ac742a447af6ac864a8e1a6b645503e6d33598ded91f52353888b5652

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
812KB

MD5
5181f541a6d97bab854d5eba326ea7d9

SHA1
16d9967a2658ac765d7acbea18c556b927b810be

SHA256
b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

SHA512
c282d9d6479c10fcc9fa6f674c901df1f1ad94b9354f6e427a7b445d0efad84efed6d7c29a0bc2a37b5ea07ee9a359f0e922d7c24f061258ae11fe4c44e9e4fa

Download Submit
memory/576-16-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/576-10-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1792-24886-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1792-2239-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1792-30191-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1792-6066-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1792-20366-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1792-15337-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1792-10653-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/1792-28310-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/2232-39-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/2232-2213-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/2232-30229-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/2244-0-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/2244-17-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download
memory/2464-47-0x0000000000400000-0x0000000005678000-memory.dmp

Filesize
82.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads