Overview

overview

10

Static

static

3

212207f5a1...ef.exe

windows7-x64

10

212207f5a1...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2023 00:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    212207f5a1eb39c861ff8b080ddcd2ef.exe

  • Size

    3.6MB

  • MD5

    212207f5a1eb39c861ff8b080ddcd2ef

  • SHA1

    4613aa3cba20966b5ce95918893df9e5053d206d

  • SHA256

    cd9c6bafeef092b670ea307caf9cd2aeb234e5232950be1181f24ab41a26a4d1

  • SHA512

    0b341c34f0590e4a4dccc1100db2f83b63241bd8fb8f95a8185fa303a24fa53270a3ab76de5d7f22260545a84ec262c218f2e2ba89f660396c3b837df3b8eaed

  • SSDEEP

    98304:aYhWM7csQQNHTdcf5KsQFHxmKUhgggggggWGqS9xkuDQZt/:aPMfzBdcU7FRahggggggg8S9xgZ9

Score
10/10
ekanszebrocybackdoorransomwaretrojan

Malware Config

Signatures

  • Ekans

    Variant of Snake Ransomware. Targets ICS infrastructure, known to have been used against Honda in June 2020.

    ransomwareekans
  • Ekans Ransomware 2 IoCs

    Executable looks like Ekans ICS ransomware sample.

  • Zebrocy

    Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.

    trojanbackdoorzebrocy
  • Zebrocy Go Variant 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\212207f5a1eb39c861ff8b080ddcd2ef.exe
    "C:\Users\Admin\AppData\Local\Temp\212207f5a1eb39c861ff8b080ddcd2ef.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 104
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    Filesize

    3.1MB

    MD5

    db7e4acad8745252387031ff485571c7

    SHA1

    6f5cbd0321b9095f61a3a27e46a1b5f5a3867e7b

    SHA256

    d66cb6435f78f941125cc790e70732c5156d9ed3ddd78bf06e146b9f0ae440de

    SHA512

    eed0b04cdd76c674f23b9ab2ffee6d9c23b27008daefc1059c2f8e9fb2a6bd6f344ba2a1c0749c3548f3d3e9d4692596ac92b80020c808ffb9e3540d985beb1e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\1.exe
    Filesize

    3.6MB

    MD5

    3168f4d5cdc232eb6d65f5f2af9c249a

    SHA1

    caa8bc43ae9263acb1ab8bbbe2aca1b79b03cfb8

    SHA256

    d39e39d1cab8ed9295f52256df1229997d1f27c7c71939eb29b79cb329a73dc6

    SHA512

    851f969a13eddbf8a58ab41c4f970f0318499e86ff07b9e8b78bc281f00b4ebf76edb55f7d0e1962b230966c2c29f75a97bc7cc3031330b5185e5362732a02c6

    Download Submit