ekans | c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

026eb02c34da452f7e5d4289c0be85b0.exe
Size

3.6MB
MD5

026eb02c34da452f7e5d4289c0be85b0
SHA1

cc71d0e6310534b1e4e51d894c811388b72b5812
SHA256

c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac
SHA512

0811f0593a8aed64a6e526f0addc18b9e575df4789d04f08c36a4fa6ad62e14d6a7ce1219972dafaed4a1f44fbddd063b4cb58144b748940a45ae682c208831c
SSDEEP

49152:6w6A5EYjP4F93TagGwmiS4rq+Ei88e76CjzOQmAqaAams:6w6A5EYjP1gPlBK8L3nLaA

Score

10^/10

ekans zebrocy backdoor ransomware trojan

Malware Config

Signatures

Ekans
Variant of Snake Ransomware. Targets ICS infrastructure, known to have been used against Honda in June 2020.
ransomware ekans

Ekans Ransomware 5 IoCs

Executable looks like Ekans ICS ransomware sample.

resource	yara_rule
behavioral1/files/0x000b000000012185-2.dat	family_ekans
behavioral1/files/0x000b000000012185-4.dat	family_ekans
behavioral1/files/0x000b000000012185-6.dat	family_ekans
behavioral1/files/0x000b000000012185-8.dat	family_ekans
behavioral1/files/0x000b000000012185-9.dat	family_ekans

Zebrocy
Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.
trojan backdoor zebrocy

Zebrocy Go Variant 5 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012185-2.dat	Zebrocy
behavioral1/files/0x000b000000012185-4.dat	Zebrocy
behavioral1/files/0x000b000000012185-6.dat	Zebrocy
behavioral1/files/0x000b000000012185-8.dat	Zebrocy
behavioral1/files/0x000b000000012185-9.dat	Zebrocy

Executes dropped EXE 1 IoCs

pid	Process
2712	dump.exe

Loads dropped DLL 5 IoCs

pid	Process
3028	026eb02c34da452f7e5d4289c0be85b0.exe
3028	026eb02c34da452f7e5d4289c0be85b0.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2944	3028	WerFault.exe	27
2672	2712	WerFault.exe	29

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2712	3028	026eb02c34da452f7e5d4289c0be85b0.exe	29
PID 3028 wrote to memory of 2712	3028	026eb02c34da452f7e5d4289c0be85b0.exe	29
PID 3028 wrote to memory of 2712	3028	026eb02c34da452f7e5d4289c0be85b0.exe	29
PID 3028 wrote to memory of 2712	3028	026eb02c34da452f7e5d4289c0be85b0.exe	29
PID 3028 wrote to memory of 2944	3028	026eb02c34da452f7e5d4289c0be85b0.exe	30
PID 3028 wrote to memory of 2944	3028	026eb02c34da452f7e5d4289c0be85b0.exe	30
PID 3028 wrote to memory of 2944	3028	026eb02c34da452f7e5d4289c0be85b0.exe	30
PID 3028 wrote to memory of 2944	3028	026eb02c34da452f7e5d4289c0be85b0.exe	30
PID 2712 wrote to memory of 2672	2712	dump.exe	32
PID 2712 wrote to memory of 2672	2712	dump.exe	32
PID 2712 wrote to memory of 2672	2712	dump.exe	32
PID 2712 wrote to memory of 2672	2712	dump.exe	32

C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe
"C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\dump.exe
  dump.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 104
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 168
  2⤵
  - Program crash
  PID:2944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
448KB

MD5
5fd6e9b8e28fa14ed3a4b89c08b0995f

SHA1
2c792adb0e9c7c6b0311d9dd88162b4ebca6ada0

SHA256
a4dd3844f8a481e095fbe8fe1794ac2666db66426fbaf3d1fd4d912ee9da29e1

SHA512
46a790cb8225fe94b249f5e7d394cde858f458b92a64934d011524f45be11fcfc74b2010208246157716ce1222a19a7fb4dc535ae30f587a26c0fa6ea0341845

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
512KB

MD5
feb66e00b5b16a9f34f61a48117254c1

SHA1
cb30a9ff464a1bbed093ae176bffaedf15623864

SHA256
184214ce0fc68de7feb6678f9051e0e18251de3ae1de15a0e80968bbab3754bb

SHA512
16046eca956da552b2ca29519997f1a751d9a1b065f7daf972c7d160125cb6e135bbe8b2ebb899e68b84139a236b427723b371577ea82bc77390e8e841f56314

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
2.7MB

MD5
b00586c16e2d8439b345070d97e8978e

SHA1
5c460e2157535c3127ac90d7e39c5165dcd21d84

SHA256
31c186a902b72c8f1208df6f20f0ce041a621d91af83b08ba4699b2b6978f1c1

SHA512
1572b30d1ac9147ed1b869f8fc93f59c356195ff4f079d6e90be64a397d89c8278dac1a884c28d1fee8010c397354492ba986b4891515e0b0b77e3fe7bfddf40

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
1.9MB

MD5
51d31bf0a9f343781f0b22393fe682c7

SHA1
7610e5bd5412caf0d3713cf9a6459abed2c12e6b

SHA256
27d47fdd97f3d86eb32e6e7009d1a8d77687b51b097080917322900d1eab5bd5

SHA512
83587af5553cb1a65273669f5e08ab3ee67e91730ca4a73bf018fa9ecc3449e1d94d0059184eb4621327f2e5ae12d17dbb79d8fa1e1ce65a69ba2faccfce0cbb

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
3.6MB

MD5
cdb98dd2476e88aa64ae9eaaf620fe01

SHA1
5fc5981b9fe0551bcfa9e829ebbbbdc62729ef9c

SHA256
66d013b6fa644e65465e52c644ab7d183fad81239149169e844615240f14c79b

SHA512
618b7cf9e4f04f3b992d4d919fb7cbec2e085edf6610d94c6b981f51df3f6454e39f2d24010d3be2db5fb193a37154bc7372e96bc4bf87e29c062e946bc829a7

Download Submit