Resubmissions

15/04/2025, 17:34

250415-v5ylksypw9 10

15/04/2025, 06:16

250415-g1p7ras1dw 10

14/04/2025, 08:06

250414-jzpwpstxhx 10

14/04/2025, 07:59

250414-jvg1assky4 10

14/04/2025, 07:22

250414-h7g1dss1h1 10

14/04/2025, 07:16

250414-h3xv2s1nv6 10

11/04/2025, 21:39

250411-1h113szzaz 10

01/04/2025, 21:24

250401-z8184awycs 10

Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/04/2025, 08:06

General

  • Target

    default.exe

  • Size

    211KB

  • MD5

    f42abb7569dbc2ff5faa7e078cb71476

  • SHA1

    04530a6165fc29ab536bab1be16f6b87c46288e6

  • SHA256

    516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

  • SHA512

    3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

  • SSDEEP

    6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Malware Config

Signatures

  • Detects Zeppelin payload 5 IoCs
  • Zeppelin Ransomware

    Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.

  • Zeppelin family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\default.exe
    "C:\Users\Admin\AppData\Local\Temp\default.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4156
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2780
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      PID:2496
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 2028
        3⤵
        • Program crash
        PID:4380
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2496 -ip 2496
    1⤵
    PID:4968

Network

MITRE ATT&CK Enterprise v16


Downloads
