ekans | c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac

General

Target

026eb02c34da452f7e5d4289c0be85b0.exe
Size

3.6MB
MD5

026eb02c34da452f7e5d4289c0be85b0
SHA1

cc71d0e6310534b1e4e51d894c811388b72b5812
SHA256

c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac
SHA512

0811f0593a8aed64a6e526f0addc18b9e575df4789d04f08c36a4fa6ad62e14d6a7ce1219972dafaed4a1f44fbddd063b4cb58144b748940a45ae682c208831c
SSDEEP

49152:6w6A5EYjP4F93TagGwmiS4rq+Ei88e76CjzOQmAqaAams:6w6A5EYjP1gPlBK8L3nLaA

Score

10^/10

ekans zebrocy backdoor ransomware trojan

Malware Config

Signatures

Ekans
Variant of Snake Ransomware. Targets ICS infrastructure, known to have been used against Honda in June 2020.
ransomware ekans

Ekans Ransomware 7 IoCs

Executable looks like Ekans ICS ransomware sample.

resource	yara_rule
behavioral1/files/0x000b000000012242-10.dat	family_ekans
behavioral1/files/0x000b000000012242-9.dat	family_ekans
behavioral1/files/0x000b000000012242-11.dat	family_ekans
behavioral1/files/0x000b000000012242-8.dat	family_ekans
behavioral1/files/0x000b000000012242-6.dat	family_ekans
behavioral1/files/0x000b000000012242-4.dat	family_ekans
behavioral1/files/0x000b000000012242-2.dat	family_ekans

Zebrocy
Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.
trojan backdoor zebrocy

Zebrocy Go Variant 7 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012242-10.dat	Zebrocy
behavioral1/files/0x000b000000012242-9.dat	Zebrocy
behavioral1/files/0x000b000000012242-11.dat	Zebrocy
behavioral1/files/0x000b000000012242-8.dat	Zebrocy
behavioral1/files/0x000b000000012242-6.dat	Zebrocy
behavioral1/files/0x000b000000012242-4.dat	Zebrocy
behavioral1/files/0x000b000000012242-2.dat	Zebrocy

Executes dropped EXE 1 IoCs

pid	Process
2328	dump.exe

Loads dropped DLL 5 IoCs

pid	Process
356	026eb02c34da452f7e5d4289c0be85b0.exe
356	026eb02c34da452f7e5d4289c0be85b0.exe
2744	WerFault.exe
2744	WerFault.exe
2744	WerFault.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2744	2328	WerFault.exe
2024	356	WerFault.exe	17

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 356 wrote to memory of 2328	356	026eb02c34da452f7e5d4289c0be85b0.exe	28
PID 356 wrote to memory of 2328	356	026eb02c34da452f7e5d4289c0be85b0.exe	28
PID 356 wrote to memory of 2328	356	026eb02c34da452f7e5d4289c0be85b0.exe	28
PID 356 wrote to memory of 2328	356	026eb02c34da452f7e5d4289c0be85b0.exe	28
PID 356 wrote to memory of 2024	356	026eb02c34da452f7e5d4289c0be85b0.exe	26
PID 356 wrote to memory of 2024	356	026eb02c34da452f7e5d4289c0be85b0.exe	26
PID 356 wrote to memory of 2024	356	026eb02c34da452f7e5d4289c0be85b0.exe	26
PID 356 wrote to memory of 2024	356	026eb02c34da452f7e5d4289c0be85b0.exe	26
PID 2328 wrote to memory of 2744	2328	dump.exe	25
PID 2328 wrote to memory of 2744	2328	dump.exe	25
PID 2328 wrote to memory of 2744	2328	dump.exe	25
PID 2328 wrote to memory of 2744	2328	dump.exe	25

C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe
"C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 356 -s 168
  2⤵
  - Program crash
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\dump.exe
  dump.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 104
1⤵
- Loads dropped DLL
- Program crash
PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
190KB

MD5
d91e6145bdfb31da4cdabeadede5165c

SHA1
114b78699ab35b38f2be0d39913f6b08a11ca4be

SHA256
7c64e4bfc938946ef0392a41bffd4caa92c04bf8826938e822a26fc83bcc5ab9

SHA512
845301cafc64936184c63960947be5716def19fe7fad00b3eeb168767b937fd357473e8ae52a99f380a54e75022d515e915569a684172044b9eb39f1f8b21e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
71KB

MD5
1919c9eea59ab41e075f95cb0f3f563c

SHA1
48da4da2c8ac4ce39e4f1e8758cf45a2af909d2b

SHA256
1de35d5af8d28ef60d68c5c20ba87678c3b1a12820603d0857bded599f0619a6

SHA512
2ecca18bb9b9a539da6343c068d460557aa33cda7e27420b0f434039681f956a715f9af70f3adf1f2217704cad7821f3525df606271d9164506178fdb08131e4

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
159KB

MD5
e535570fa9d29f64f750d891e60b9b57

SHA1
54e8b790bf94929e874180f575c5a3864afc9d1d

SHA256
77ccda6f5d1d97f1ae771fd204b4ea6de0a32838ea031ef489bd5d4ac646e31d

SHA512
aa8d7ddce30a1d1500f007d7b84873dd3b412d7c9ca7c4dcf21e55a4d3bc795d20f32109bfa7f2ef2c7df7c21f2d2b7a506328096c9c2c63b4e86b70d05cc0cb

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
45KB

MD5
f372cb7c8a6c4c1f0352bacc690aafaa

SHA1
18ecff35f86064f0312ea6bfc38df299b0e33da6

SHA256
0ee2765677d3850139bdd79fd3ea016bbdf64d8ed1e155b2846060881560c9cb

SHA512
a1c6cd45da67b27e20128c85aac970ccd111befbcb2360ff37cad1f0efc43db9d5dd685935a09b1b90461cdaf534ae4735ffe859da62d1f756ee7bcb90b4a7f4

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
70KB

MD5
18c4063496f7d5678c462f1ee33475ef

SHA1
ec1e206ce134ec3008041d11b5352da815a9fa51

SHA256
dcf37e885232532a347aa5c81b11702d6e6138353e33aa79a6f5c3870e3dd5b7

SHA512
ec895c5a2833e3b43693c01cb1447c431d117d41fe78dd8fd9887d98d390db44543a94eebda3d505e6d3b8b6b43de46145753c86b6f5d1e7747ead1c35e381e0

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
7KB

MD5
2949960dadd0c0c9dc88a9096a4a8479

SHA1
b48ead692da82b2102bd34c4587d991640903611

SHA256
dd7e9f4f3ca57023580108fae20be908f076330c13abdc997a7c3abd373b1b54

SHA512
c0cf33b52b059c8fcfabeac860bacd5fc65c65ee4827974839566de7f05a27216e548c911e2f5c07e9c889d29986f27d3e8cdbb869d1e287967d1ddb4e6a1714

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
89KB

MD5
d998f3fc38d1e6b8498aebfcd7efe26d

SHA1
210fa63ff6ad0a051d7dfff3393b3ee1c633c00b

SHA256
2963f91e9d212ffabe62b24d47ee1d10f303991792c47aec22a4a8baf4f212cc

SHA512
198d79179954b6cdd003f55262e78a17109c8618fb819247db13cdcdff8aa0aa6345d529f3dbef2e80ef27cf87372077026ca9cfff53916eca41ffb8f7fda8ca

Download Submit

Analysis

Sharing