ekans | c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac

Analysis

max time kernel
148s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 19:58

Target

026eb02c34da452f7e5d4289c0be85b0.exe
Size

3.6MB
MD5

026eb02c34da452f7e5d4289c0be85b0
SHA1

cc71d0e6310534b1e4e51d894c811388b72b5812
SHA256

c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac
SHA512

0811f0593a8aed64a6e526f0addc18b9e575df4789d04f08c36a4fa6ad62e14d6a7ce1219972dafaed4a1f44fbddd063b4cb58144b748940a45ae682c208831c
SSDEEP

49152:6w6A5EYjP4F93TagGwmiS4rq+Ei88e76CjzOQmAqaAams:6w6A5EYjP1gPlBK8L3nLaA

Score

10^/10

Ekans
Variant of Snake Ransomware. Targets ICS infrastructure, known to have been used against Honda in June 2020.
ransomware ekans

Ekans Ransomware 2 IoCs

Executable looks like Ekans ICS ransomware sample.

resource	yara_rule
behavioral2/files/0x000e00000002315f-4.dat	family_ekans
behavioral2/files/0x000e00000002315f-3.dat	family_ekans

Zebrocy
Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.
trojan backdoor zebrocy

Zebrocy Go Variant 2 IoCs

resource	yara_rule
behavioral2/files/0x000e00000002315f-4.dat	Zebrocy
behavioral2/files/0x000e00000002315f-3.dat	Zebrocy

Executes dropped EXE 1 IoCs

pid	Process
5028	dump.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4728	3812	WerFault.exe	17
1364	5028	WerFault.exe	90

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 5028	3812	026eb02c34da452f7e5d4289c0be85b0.exe	90
PID 3812 wrote to memory of 5028	3812	026eb02c34da452f7e5d4289c0be85b0.exe	90
PID 3812 wrote to memory of 5028	3812	026eb02c34da452f7e5d4289c0be85b0.exe	90

C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe
"C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\dump.exe
  dump.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 276
    3⤵
    - Program crash
    PID:1364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 344
  2⤵
  - Program crash
  PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3812 -ip 3812
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5028 -ip 5028
1⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
1.1MB

MD5
8b4f27e9087c4fb4832046dacd48faa8

SHA1
96b29c5f2155e21aa179fda3cf87ed8657b9255d

SHA256
10e2a4abcac2c924ba61cc3d1dfc9824ce4385c4709936c3c9d550ea9cdfac80

SHA512
84758f2ba7c06a6d71ef12209c6246b89a8ab8e98da0790c3848c6d3ed5b8526c6e39b8ca0e7e7c304cd4b2aa5b2310e13f1a96904e1e47244226a3508b30327

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
388KB

MD5
c2e6cc6c3dc8eb669b3c7b3e17d9e070

SHA1
045116bc9061ef418a966259c37fbac35b75b4fe

SHA256
d61f81756b9e9c363414100326a1d9c9ddc218543757f84307b2066981dde0c6

SHA512
553df6587127463eb7741d2ab1740a557b0e79e029d6b4d7dfd26bc11cb31f799b01a9796551cab980e07bedae83b22db8d905c8ca8946d409b3ec0b96a6bec4

Download Submit