| File name: | Zeppelin.exe |
| Full analysis: | https://app.any.run/tasks/ec2e6901-f875-4254-b6b9-dbcd25e0a9ea |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | March 20, 2025, 11:30:06 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections |
| MD5: | 7A5A9299E4553B64DD43941E515A6FA5 |
| SHA1: | 5BC0F38D2CD4846A8437EB662C7F4F32C5F3249D |
| SHA256: | 7CACA8B1DA2FF2C6B00CDFB40A769516E26D1E8590C9ED9F14B8C9805DBCC09C |
| SSDEEP: | 6144:iTFFKWstKmP1g1urU+6qFo15TdWGEH4sSvsA7od2H8PTmZSNWuhVb/Q4GfcHcIut:iTauWGEH4sSkA7od2H8PTmZSNWuhVb/B |
MALICIOUS
Zeppelin is detected
- Zeppelin.exe (PID: 3884)
- smss.exe (PID: 2136)
Changes the autorun value in the registry
- Zeppelin.exe (PID: 3884)
Deletes shadow copies
- cmd.exe (PID: 5392)
- cmd.exe (PID: 632)
Bypass execution policy to execute commands
- powershell.exe (PID: 6228)
Changes powershell execution policy (Bypass)
- cmd.exe (PID: 632)
SUSPICIOUS
Executable content was dropped or overwritten
- Zeppelin.exe (PID: 3884)
Reads security settings of Internet Explorer
- Zeppelin.exe (PID: 3884)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 632)
Application launched itself
- smss.exe (PID: 2136)
Starts itself from another location
- Zeppelin.exe (PID: 3884)
Starts CMD.EXE for commands execution
- smss.exe (PID: 2136)
Executing commands from a ".bat" file
- smss.exe (PID: 2136)
INFO
Create files in a temporary directory
- Zeppelin.exe (PID: 3884)
- smss.exe (PID: 2136)
Creates files or folders in the user directory
- Zeppelin.exe (PID: 3884)
- smss.exe (PID: 1388)
Autorun file from Registry key
- Zeppelin.exe (PID: 3884)
Reads the computer name
- Zeppelin.exe (PID: 3884)
- smss.exe (PID: 2136)
Process checks computer location settings
- Zeppelin.exe (PID: 3884)
Checks supported languages
- Zeppelin.exe (PID: 3884)
- smss.exe (PID: 1388)
- smss.exe (PID: 2136)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 6228)
Compiled with Borland Delphi (YARA)
- smss.exe (PID: 2136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable Delphi generic (45.2) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (20.9) |
| .exe | | | Win32 Executable (generic) (14.3) |
| .exe | | | Win16/32 Executable Delphi generic (6.6) |
| .exe | | | Generic Win/DOS Executable (6.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:11:26 12:34:08+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 195072 |
| InitializedDataSize: | 23552 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x31780 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
158
Monitored processes
20
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 632 | "C:\WINDOWS\system32\cmd.exe" /C C:\Users\admin\AppData\Local\Temp\~temp001.bat | C:\Windows\SysWOW64\cmd.exe | — | smss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 2147749908 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1164 | "C:\WINDOWS\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no | C:\Windows\SysWOW64\cmd.exe | — | smss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1328 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1388 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0 | C:\Users\admin\AppData\Roaming\Microsoft\Windows\smss.exe | — | smss.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 2088 | "C:\WINDOWS\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\SysWOW64\cmd.exe | — | smss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2136 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start | C:\Users\admin\AppData\Roaming\Microsoft\Windows\smss.exe | Zeppelin.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 2340 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2568 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2600 | "C:\WINDOWS\system32\cmd.exe" /C wbadmin delete catalog -quiet | C:\Windows\SysWOW64\cmd.exe | — | smss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3268 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
8 980
Read events
8 896
Write events
84
Delete events
0
Modification events
| (PID) Process: | (3884) Zeppelin.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Zeppelin |
| Operation: | write | Name: | Process |
Value: p/jxq9mmvdB0f+wgwfHhCJ2shc9uvmwFa83tHOA6kOW1AwGADxxaeg== | |||
| (PID) Process: | (3884) Zeppelin.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | smss.exe |
Value: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start | |||
| (PID) Process: | (2136) smss.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Zeppelin\Keys |
| Operation: | write | Name: | Encrypted Private Key |
Value: B6NIViU+FyLgJu3dax4BtUmciMX6LRjIpFgQc6h9I4O7Gigc5++oWy2iJBbSchQyZ0+PdFS0IoOr/zhiHcxKudqQFunFXKw3TDlnGjVG6Ro+D/SsPXw2NiZI+uuf5AzfjOr0sPWMKv/8w+ElYKW2ZjPvt90fZDOEY4BVpO0AAnpmoQmoh4MArb5BFPHX3WzLQvaZfpsHswQ+lrEbhkpovRDUlvTcwlb2rUu1Q4Vb0MAM32HDbhAd5Yx3ThNr+CzXPy9SNmX41TdkwpJfCKek0ZRhBldEAaHrdGXdM0c5RGeRyzix79Bz/RTzqK+q5T9XSv9qqvX7Moa8v0nYceJfLQZkxkLJjJ8vOJMOtWvvWSTsYm1axQLpmRcH2eEECTieGYNvrUuPOu4MHcL4KZLoTVXgtDAh2f5AJgWTsX2iC8YuwYlf7jG/PavAwHidsMhBX/yaA3G6xCm1RFXIfRbRLBczXhZqViiUpXkmvQG+l7uOz47l7VwcsaacZPnh7UikLK1fJqShJilhz/c1UiCwas+xp3l5L0P8arHqKfUef+xrDR7Eior6lUm1XiG4KfYGTHMk/8Gt2hZOkMa9h7cTeAvRVU9JsIBDHMxZliu6iwrkBoV9lWpYbVP72RYfGo+pxarB9FjY4tWN5SX9s6oR2GMv/6BeywwGBROG2XwDhC37N5HGqjZnq+JG6bPRHnLuHUw7Lee+AGdWQhizN1QEpDN2vnmeeFpwu/cmpapvLpnlwlnbAX1h7fb2ctYlnypiobeWPMPEPMFrJXgWGZZ+mVXFTU3NIq7BphuLqfCSxxTox/mU+sM85urEoWsRA/pUZlfMSg55/jsv8qloTBAOZ7yvzYlEf9yRQnAoGD5ZHqIkmAsoCyu6gj0dJIInum8i54EUT+cz0AJmK3GGCGJWtCI7ErdUfnJdV5FT3QSks2i6ASmiMP1HStMZeKWn33sSotyYrq5nw5GY89I3LZZwn9hzUSRxUJXT1VM10HGa7T51NSb6tV4r3H4VyVFFPB77EvbP7zjK5c9Ze4WnP/5X/SaykvnuKOPePS4JlmiCcg6TnLVnQLkL73SzTnLRcPeMs86qgVbUi6kgo5JV1rZ8S572W2+ClSnhzdOdBnDFvQnbziYL2K/1WFS7Q90iEZ7k4M+Tm2WGFY9rne7UukP2jLm0b2F9wIqkdgCgh68QGktDVlpxY+SquUb/pWwsOlHLcAsFHHy12154MzVh4YS0LGwo7P920aKptk8Rw7h0ZS0y1btptuMYwweiTZCG1Ihupp0O4q0NslmHSz6Jm9STmswDGGFbKTozJzvp2Ri+3Z5l3QW0xMzcheFsZQH4Q4JYrKPvBux30Ldf/YMM2q5WzUG7UtdOwNxeqWzSIaptmrjX2u0TFyK5J7CihaP+j327CzM/igsxmVUA7UeBbFGzsD0DXZu+0V8RRtmInp1w/97p9xk4ZfgKyxp8fRZP/wiXHriCFi7u0BEJtnL2h7GnzCEek8FSAADH7xHAhD4MWNturoMWeqmAeQyILIjd7u68WnpUHvFoI3GFe8hDUwP3eczGT3+kadkyyG8xqJ7UbHKRAm+xCGuYPLWIli0tENGDdwoKcKR3QkixYAaw2yhWwWqqhi3X2VkTZZcQQHsGNVOLg/hZHgKgNf98BqkqYZYEV8XFOftp5t6iOZi8qv71JyFK6kIPerEyrsZq2as4vJLPyYyrvKio0XPZQq6ueQosYWFw0w== | |||
| (PID) Process: | (2136) smss.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Zeppelin\Keys |
| Operation: | write | Name: | Public Key |
Value: ozSC7OR/E4tn7qZCFZn1k9e4WnlitMztVRY+Is+lxF4xc3CkauUJBG5Wb3VvzspwYnmWr+AS8vU/w1zMNSZo2mFDZLS6qQn6xcZFVSPMkmlBBJPFATR/qg4IvjD5Miv+pShN+QT7IHDM37YSvJFvJh4qttrO3uDtYatneMv7WHj4w4rLVlVHS3hKWcfKfzqZKUGDvcTfU4hPqMldY4J86kuPAV1inOyoqkKaXkHDjV4v43GJVNMVkyaqzSSakcgLJ/hzdWT0AJmUfyvjY2PaNYZh9DD9wC1MQojvovjTqHY+xQcSTpyBF8LLmFjq0xKxAep+4FrgpZnIV88AlP1Rg5QJJC1fWmvpvYekX4S2N0nywzs7yagvuNSzRGphxY99602brz40lWAnNW/vG2l6Jg== | |||
| (PID) Process: | (2136) smss.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Zeppelin\Paths |
| Operation: | write | Name: | 0 |
Value: C:\ | |||
| (PID) Process: | (1388) smss.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Zeppelin\Log |
| Operation: | write | Name: | 0 |
Value: 2|C:\$Recycle.Bin\S-1-5-18\ | |||
| (PID) Process: | (1388) smss.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Zeppelin\Log |
| Operation: | write | Name: | 0 |
Value: 2|C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1000\ | |||
| (PID) Process: | (1388) smss.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Zeppelin\Log |
| Operation: | write | Name: | 0 |
Value: 2|C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\ | |||
| (PID) Process: | (1388) smss.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Zeppelin\Log |
| Operation: | write | Name: | 0 |
Value: 2|C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-500\ | |||
| (PID) Process: | (1388) smss.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Zeppelin\Log |
| Operation: | write | Name: | 0 |
Value: 2|C:\$Recycle.Bin\ | |||
Executable files
1
Suspicious files
213
Text files
81
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3884 | Zeppelin.exe | C:\Users\admin\AppData\Local\Temp\A869BE81.Zeppelin | binary | |
MD5:93B885ADFE0DA089CDF634904FD59F71 | SHA256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D | |||
| 2136 | smss.exe | C:\Users\admin\AppData\Local\Temp\C26DC0CA.Zeppelin | binary | |
MD5:93B885ADFE0DA089CDF634904FD59F71 | SHA256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D | |||
| 6228 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_r2eacwci.0b1.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1388 | smss.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\.Zeppelin | text | |
MD5:8BFF8F7EC2DEE0630915C750011B1BAD | SHA256:ACA5C1161A85A45D36EAF2BCEEFF54A0D668BC04957B91F49665FE2A52857EF3 | |||
| 2136 | smss.exe | C:\Users\admin\AppData\Local\Temp\~temp001.bat | text | |
MD5:E6545CCB3660F88529716ED4E647C713 | SHA256:E802BF0C4481BEF693D4D1F307ABA48301E330D3728DD46A4EC97C4A96B4D4A7 | |||
| 6228 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b2rihrpq.yre.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3884 | Zeppelin.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\smss.exe | executable | |
MD5:7A5A9299E4553B64DD43941E515A6FA5 | SHA256:7CACA8B1DA2FF2C6B00CDFB40A769516E26D1E8590C9ED9F14B8C9805DBCC09C | |||
| 1388 | smss.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT | binary | |
MD5:780E9A90D08143E787372448D4BA28A6 | SHA256:BABECE92E739B672BB0D2EDB02451F6E99FBF943CAA7B0C0C1C75FA98B66F9F0 | |||
| 1388 | smss.exe | C:\bootTel.dat | binary | |
MD5:73036D5AB97845968496164C9465BA76 | SHA256:103D2015E92B3963A160DCEEA3C31025CA93E750A583DFF83728DC1F738E0BDD | |||
| 1388 | smss.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\.Zeppelin | text | |
MD5:8BFF8F7EC2DEE0630915C750011B1BAD | SHA256:ACA5C1161A85A45D36EAF2BCEEFF54A0D668BC04957B91F49665FE2A52857EF3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
23
DNS requests
11
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.185:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
6112 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
6132 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
6132 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.48.23.185:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1616 | RUXIMICS.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
arc.msn.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |