ekans | c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

026eb02c34da452f7e5d4289c0be85b0.exe
Size

3.6MB
MD5

026eb02c34da452f7e5d4289c0be85b0
SHA1

cc71d0e6310534b1e4e51d894c811388b72b5812
SHA256

c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac
SHA512

0811f0593a8aed64a6e526f0addc18b9e575df4789d04f08c36a4fa6ad62e14d6a7ce1219972dafaed4a1f44fbddd063b4cb58144b748940a45ae682c208831c
SSDEEP

49152:6w6A5EYjP4F93TagGwmiS4rq+Ei88e76CjzOQmAqaAams:6w6A5EYjP1gPlBK8L3nLaA

Score

10^/10

ekans zebrocy backdoor ransomware trojan

Malware Config

Signatures

Ekans
Variant of Snake Ransomware. Targets ICS infrastructure, known to have been used against Honda in June 2020.
ransomware ekans

Ekans Ransomware 5 IoCs

Executable looks like Ekans ICS ransomware sample.

resource	yara_rule
behavioral1/files/0x000a000000012233-2.dat	family_ekans
behavioral1/files/0x000a000000012233-8.dat	family_ekans
behavioral1/files/0x000a000000012233-6.dat	family_ekans
behavioral1/files/0x000a000000012233-4.dat	family_ekans
behavioral1/files/0x000a000000012233-9.dat	family_ekans

Zebrocy
Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.
trojan backdoor zebrocy

Zebrocy Go Variant 5 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012233-2.dat	Zebrocy
behavioral1/files/0x000a000000012233-8.dat	Zebrocy
behavioral1/files/0x000a000000012233-6.dat	Zebrocy
behavioral1/files/0x000a000000012233-4.dat	Zebrocy
behavioral1/files/0x000a000000012233-9.dat	Zebrocy

Executes dropped EXE 1 IoCs

pid	Process
2500	dump.exe

Loads dropped DLL 5 IoCs

pid	Process
3036	026eb02c34da452f7e5d4289c0be85b0.exe
3036	026eb02c34da452f7e5d4289c0be85b0.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2388	3036	WerFault.exe	27
2680	2500	WerFault.exe	29

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2500	3036	026eb02c34da452f7e5d4289c0be85b0.exe	29
PID 3036 wrote to memory of 2500	3036	026eb02c34da452f7e5d4289c0be85b0.exe	29
PID 3036 wrote to memory of 2500	3036	026eb02c34da452f7e5d4289c0be85b0.exe	29
PID 3036 wrote to memory of 2500	3036	026eb02c34da452f7e5d4289c0be85b0.exe	29
PID 3036 wrote to memory of 2388	3036	026eb02c34da452f7e5d4289c0be85b0.exe	31
PID 3036 wrote to memory of 2388	3036	026eb02c34da452f7e5d4289c0be85b0.exe	31
PID 3036 wrote to memory of 2388	3036	026eb02c34da452f7e5d4289c0be85b0.exe	31
PID 3036 wrote to memory of 2388	3036	026eb02c34da452f7e5d4289c0be85b0.exe	31
PID 2500 wrote to memory of 2680	2500	dump.exe	32
PID 2500 wrote to memory of 2680	2500	dump.exe	32
PID 2500 wrote to memory of 2680	2500	dump.exe	32
PID 2500 wrote to memory of 2680	2500	dump.exe	32

C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe
"C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\dump.exe
  dump.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 104
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 168
  2⤵
  - Program crash
  PID:2388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
576KB

MD5
4002a90a53220905d98f70eeb682215c

SHA1
57d13180229fb3c04fae616ac26cf92096541605

SHA256
307d1bcf721d4d5d6845cf448ce4063e670454229ac6aea4a741c31e873d07c0

SHA512
37594886de2df54ffa148006a13ffa197ceb600880438bc5849dddef74a0ae4e130d7909d8b5160b44c3a24d416366f31c2b97a474944732491d5381ae0d0c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
472KB

MD5
3efac9f6acd6d01a0448d19478144c1c

SHA1
93e2d14219a6512980f240493528c118bd38d596

SHA256
cd9f1796b523ca9ba9f30191fc34535a117ec1beff026e5d1ebed5169e3a144e

SHA512
c6274e32cd18563e9a117e159bf2177d8b1d130057b62a1a39477cd243c738eb53430066600980e7cb1a2f7fa353f181481fe9ef412105ce20779b0020baa340

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
768KB

MD5
0f1f83ff60b1a0a9f2f8e17f4b7ba954

SHA1
38a6d86cd910775d89fc94a0054570208b4a7cfe

SHA256
5d94bde73c07856efc80424939f55d6916a45caf970192ad3fc0924b62ea2807

SHA512
ff5f0e613dacaa9de03d28929d3f7c316677ea199f2daa80b8772fc33fef3e3e8791a6b5860d206f5d8e5eb37939340e4859b34838604ea3c717e17fb79d04ce

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
704KB

MD5
de9570c9a258c89f7037ae6e10178ea8

SHA1
09980c04d8c1ae67cf9c964fb92fbe80e19c79ca

SHA256
406f4ca901c06c6baee7673fb89b94480adc6566766fd8deddd9f7269a137613

SHA512
4be30fddc892a5f845dddb76110fad20f79420dd459a281d450014982fa30cb753ead65019b254d66d3d955bbc2a6bdbf8bc0abd0d963e90d9f030cd3eebb9fb

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
3.6MB

MD5
cdb98dd2476e88aa64ae9eaaf620fe01

SHA1
5fc5981b9fe0551bcfa9e829ebbbbdc62729ef9c

SHA256
66d013b6fa644e65465e52c644ab7d183fad81239149169e844615240f14c79b

SHA512
618b7cf9e4f04f3b992d4d919fb7cbec2e085edf6610d94c6b981f51df3f6454e39f2d24010d3be2db5fb193a37154bc7372e96bc4bf87e29c062e946bc829a7

Download Submit