ekans | c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac

General

Target

026eb02c34da452f7e5d4289c0be85b0.exe
Size

3.6MB
MD5

026eb02c34da452f7e5d4289c0be85b0
SHA1

cc71d0e6310534b1e4e51d894c811388b72b5812
SHA256

c769d18467a420260b285209c29bff106ccafc279f20dc602b9fc69d4e78c8ac
SHA512

0811f0593a8aed64a6e526f0addc18b9e575df4789d04f08c36a4fa6ad62e14d6a7ce1219972dafaed4a1f44fbddd063b4cb58144b748940a45ae682c208831c
SSDEEP

49152:6w6A5EYjP4F93TagGwmiS4rq+Ei88e76CjzOQmAqaAams:6w6A5EYjP1gPlBK8L3nLaA

Score

10^/10

ekans zebrocy backdoor ransomware trojan

Malware Config

Signatures

Ekans
Variant of Snake Ransomware. Targets ICS infrastructure, known to have been used against Honda in June 2020.
ransomware ekans

Ekans Ransomware 6 IoCs

Executable looks like Ekans ICS ransomware sample.

resource	yara_rule
behavioral1/files/0x000a0000000133a9-8.dat	family_ekans
behavioral1/files/0x000a0000000133a9-4.dat	family_ekans
behavioral1/files/0x000a0000000133a9-2.dat	family_ekans
behavioral1/files/0x000a0000000133a9-10.dat	family_ekans
behavioral1/files/0x000a0000000133a9-11.dat	family_ekans
behavioral1/files/0x000a0000000133a9-9.dat	family_ekans

Zebrocy
Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.
trojan backdoor zebrocy

Zebrocy Go Variant 6 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000133a9-8.dat	Zebrocy
behavioral1/files/0x000a0000000133a9-4.dat	Zebrocy
behavioral1/files/0x000a0000000133a9-2.dat	Zebrocy
behavioral1/files/0x000a0000000133a9-10.dat	Zebrocy
behavioral1/files/0x000a0000000133a9-11.dat	Zebrocy
behavioral1/files/0x000a0000000133a9-9.dat	Zebrocy

Executes dropped EXE 1 IoCs

pid	Process
2984	dump.exe

Loads dropped DLL 5 IoCs

pid	Process
1476	026eb02c34da452f7e5d4289c0be85b0.exe
1476	026eb02c34da452f7e5d4289c0be85b0.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1528	1476	WerFault.exe	27
2644	2984	WerFault.exe	29

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2984	1476	026eb02c34da452f7e5d4289c0be85b0.exe	29
PID 1476 wrote to memory of 2984	1476	026eb02c34da452f7e5d4289c0be85b0.exe	29
PID 1476 wrote to memory of 2984	1476	026eb02c34da452f7e5d4289c0be85b0.exe	29
PID 1476 wrote to memory of 2984	1476	026eb02c34da452f7e5d4289c0be85b0.exe	29
PID 1476 wrote to memory of 1528	1476	026eb02c34da452f7e5d4289c0be85b0.exe	30
PID 1476 wrote to memory of 1528	1476	026eb02c34da452f7e5d4289c0be85b0.exe	30
PID 1476 wrote to memory of 1528	1476	026eb02c34da452f7e5d4289c0be85b0.exe	30
PID 1476 wrote to memory of 1528	1476	026eb02c34da452f7e5d4289c0be85b0.exe	30
PID 2984 wrote to memory of 2644	2984	dump.exe	32
PID 2984 wrote to memory of 2644	2984	dump.exe	32
PID 2984 wrote to memory of 2644	2984	dump.exe	32
PID 2984 wrote to memory of 2644	2984	dump.exe	32

C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe
"C:\Users\Admin\AppData\Local\Temp\026eb02c34da452f7e5d4289c0be85b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\dump.exe
  dump.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 104
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 168
  2⤵
  - Program crash
  PID:1528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
384KB

MD5
3e1b99fc7f31c6b9b0322a389a316585

SHA1
f0238f7ef056e3e5d98463227367ec18e1a13b35

SHA256
c1fd78eb866a83abdc53b51c08e89310dc3ac576acd1328b1bdba56e14e47ad0

SHA512
2676e88a7a594c923bd3c34f84616ca3f18e34efbfb3bee4ba750ce6241633164b7d3536782525d802592fc6195df792223b1dc44379567395d3abdbdf07f0c1

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
381KB

MD5
2d123847e1e78589fa74114f2f06bac1

SHA1
7dcd2f48b4cf15cb116ba8abc75b3faeedb5431d

SHA256
4705a9af2c2bd8cd620dadebb68c3b55dc8f181557f1e30d3a991d5dae27fa41

SHA512
788d4d9010a75f74077700c15856a9c4a1bb7eaf51b86446553eaa637c945ff645b25df3fba3eb7bb7108b9d5ac1c11a3566bb498aa445ba51d622238edd9453

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
92KB

MD5
f75c5a2a857f666336dfededdc955076

SHA1
87140fbb4777dbdec29302a14513c83945936e4c

SHA256
9b59165641c41635d7d6af7160bb5dcab211deb1ec7ecbe3fad97657dc2ee098

SHA512
ab7a7833dba4e3d2696e403ccef6bc2cba871aabbbd049b4c76a36a386a683bebc426060226f723ba8b7ca91bdc1f8520ea59a40ee63e5899484bc4ce0d9a87b

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
601KB

MD5
b2940dffce7188d99222dc44b4041028

SHA1
5481de98a1db8abf99cb187bbbb6243e3800b3e8

SHA256
cc24d35bf116b70e84b62887be0c73e3c754ee2f78f6970ed84f48bca64cf399

SHA512
39e4a54407521464f980f539785450b36d49fffc3eaab8e6d9c7ab7b79c643afd5a507302c059e213a978e1e9909bb7dff7b8a6ea664fe9c4d591f2d3df2f165

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
512KB

MD5
feb66e00b5b16a9f34f61a48117254c1

SHA1
cb30a9ff464a1bbed093ae176bffaedf15623864

SHA256
184214ce0fc68de7feb6678f9051e0e18251de3ae1de15a0e80968bbab3754bb

SHA512
16046eca956da552b2ca29519997f1a751d9a1b065f7daf972c7d160125cb6e135bbe8b2ebb899e68b84139a236b427723b371577ea82bc77390e8e841f56314

Download Submit
\Users\Admin\AppData\Local\Temp\dump.exe

Filesize
893KB

MD5
828d5a9dcb938f5d898c4d2215cb2475

SHA1
3b3bb99ab6c06a1985de1979b4dfdee6cbadaba5

SHA256
322b110b99f2f03932d46491bba723b33d174c33988b3edc9724fc174478fe5a

SHA512
2c05082df75c2bd6e2b1552945d0353df16893cd0a3af9cbcfc0b83f2ab77aec763b8aca4c1da08631a037017d54fc8225b54b06bcdd9862be085da6aa19a8e5

Download Submit

Analysis

Sharing