ekans | c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac

Analysis

max time kernel
148s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 14:54

Target

026eb02c34da452f7e5d4289c0be85b0.exe
Size

3.6MB
MD5

026eb02c34da452f7e5d4289c0be85b0
SHA1

cc71d0e6310534b1e4e51d894c811388b72b5812
SHA256

c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac
SHA512

0811f0593a8aed64a6e526f0addc18b9e575df4789d04f08c36a4fa6ad62e14d6a7ce1219972dafaed4a1f44fbddd063b4cb58144b748940a45ae682c208831c
SSDEEP

49152:6w6A5EYjP4F93TagGwmiS4rq+Ei88e76CjzOQmAqaAams:6w6A5EYjP1gPlBK8L3nLaA

Score

10^/10

Ekans
Variant of Snake Ransomware. Targets ICS infrastructure, known to have been used against Honda in June 2020.
ransomware ekans

Ekans Ransomware 2 IoCs

Executable looks like Ekans ICS ransomware sample.

resource	yara_rule
behavioral2/files/0x000e000000023192-4.dat	family_ekans
behavioral2/files/0x000e000000023192-3.dat	family_ekans

Zebrocy
Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.
trojan backdoor zebrocy

Zebrocy Go Variant 2 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023192-4.dat	Zebrocy
behavioral2/files/0x000e000000023192-3.dat	Zebrocy

Executes dropped EXE 1 IoCs

pid	Process
1308	dump.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2044	1308	WerFault.exe	21
3264	1936	WerFault.exe	14

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1308	1936	026eb02c34da452f7e5d4289c0be85b0.exe	21
PID 1936 wrote to memory of 1308	1936	026eb02c34da452f7e5d4289c0be85b0.exe	21
PID 1936 wrote to memory of 1308	1936	026eb02c34da452f7e5d4289c0be85b0.exe	21

C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe
"C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\dump.exe
  dump.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 276
    3⤵
    - Program crash
    PID:2044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 344
  2⤵
  - Program crash
  PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1936 -ip 1936
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1308 -ip 1308
1⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
122KB

MD5
da5eb128c90d9866663cdc023e947abc

SHA1
62de549183bd5e1ed8552248fd9ceb57219e2f0a

SHA256
7e8d8585cde1222c9ef99ec657837c1cd298097ad467af6a0f3c8697f20d0ece

SHA512
1b3e39ff7eb0413920da06dce365cc47a6764704769bac5cbb7f49f1d57bbbeaa68277958bbcc7db5c8ca68ec67b43b63796b520d19043ec9820044ca345ee91

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
114KB

MD5
eb33679f962d6fb57a38abb2d97befab

SHA1
51fd0014b62348ab91f5b7ca259bd48ad7e72bab

SHA256
c7ceeb2ab7aeecebb9dead9a3f59d42af5fe7576b3d462a04cf3e8003c113de1

SHA512
ba6941bfa117106d53542b0812173936902a4c7357bab9994c8ab08601e36f1324119c5f004085ea8bea3a2c1d200d4155d2fbb3b1afc924e383c2a092cf6dfa

Download Submit