ekans | c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac

Analysis

max time kernel
165s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 03:17

Target

026eb02c34da452f7e5d4289c0be85b0.exe
Size

3.6MB
MD5

026eb02c34da452f7e5d4289c0be85b0
SHA1

cc71d0e6310534b1e4e51d894c811388b72b5812
SHA256

c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac
SHA512

0811f0593a8aed64a6e526f0addc18b9e575df4789d04f08c36a4fa6ad62e14d6a7ce1219972dafaed4a1f44fbddd063b4cb58144b748940a45ae682c208831c
SSDEEP

49152:6w6A5EYjP4F93TagGwmiS4rq+Ei88e76CjzOQmAqaAams:6w6A5EYjP1gPlBK8L3nLaA

Score

10^/10

Ekans
Variant of Snake Ransomware. Targets ICS infrastructure, known to have been used against Honda in June 2020.
ransomware ekans

Ekans Ransomware 2 IoCs

Executable looks like Ekans ICS ransomware sample.

resource	yara_rule
behavioral2/files/0x0007000000023234-3.dat	family_ekans
behavioral2/files/0x0007000000023234-4.dat	family_ekans

Zebrocy
Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.
trojan backdoor zebrocy

Zebrocy Go Variant 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023234-3.dat	Zebrocy
behavioral2/files/0x0007000000023234-4.dat	Zebrocy

Executes dropped EXE 1 IoCs

pid	Process
5112	dump.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2920	3864	WerFault.exe	87
3604	5112	WerFault.exe	91

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 5112	3864	026eb02c34da452f7e5d4289c0be85b0.exe	91
PID 3864 wrote to memory of 5112	3864	026eb02c34da452f7e5d4289c0be85b0.exe	91
PID 3864 wrote to memory of 5112	3864	026eb02c34da452f7e5d4289c0be85b0.exe	91

C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe
"C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Users\Admin\AppData\Local\Temp\dump.exe
  dump.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 276
    3⤵
    - Program crash
    PID:3604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 320
  2⤵
  - Program crash
  PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3864 -ip 3864
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5112 -ip 5112
1⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
1.1MB

MD5
37775e78c4c6608c1834999fd49a031d

SHA1
1c64fa074ed14ccce23a52f5e5324d5c904505d9

SHA256
dc3f5bc5b4e1a11b0442c66643e3bb0a877f81010f71177a7ebdb3eab8c9689c

SHA512
5b2895c7afa13b4a80127bbebafbeaf84a387d11765df3a4fea249d01af070225f134a5d85f508f74f2ded57df5cbd8fa6d8ac1691fc41722768c89932c4f71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
1001KB

MD5
24ef58a40271eebee1f3bcd85526c7b3

SHA1
890ab27a5e82a909a51ebfb17e733422501233a2

SHA256
5a0775d787312195343796a28f0c27062b9bb2b249c88f8b06d42f293ccb7c41

SHA512
a96506df9dd67eabca8e57314c363271e2cda34ec31cf7b27685b64985cf088bc85135e0fadd12a7515300c0aa4cfbe7f5c04c8cef7ac003442e9b629a70e393

Download Submit