Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
31-12-2023 00:08
General
-
Target
212207f5a1eb39c861ff8b080ddcd2ef.exe
-
Size
3.6MB
-
MD5
212207f5a1eb39c861ff8b080ddcd2ef
-
SHA1
4613aa3cba20966b5ce95918893df9e5053d206d
-
SHA256
cd9c6bafeef092b670ea307caf9cd2aeb234e5232950be1181f24ab41a26a4d1
-
SHA512
0b341c34f0590e4a4dccc1100db2f83b63241bd8fb8f95a8185fa303a24fa53270a3ab76de5d7f22260545a84ec262c218f2e2ba89f660396c3b837df3b8eaed
-
SSDEEP
98304:aYhWM7csQQNHTdcf5KsQFHxmKUhgggggggWGqS9xkuDQZt/:aPMfzBdcU7FRahggggggg8S9xgZ9
Malware Config
Signatures
-
Ekans
Variant of Snake Ransomware. Targets ICS infrastructure, known to have been used against Honda in June 2020.
-
Ekans Ransomware 1 IoCs
Executable looks like Ekans ICS ransomware sample.
-
Zebrocy
Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.
-
Zebrocy Go Variant 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\212207f5a1eb39c861ff8b080ddcd2ef.exe"C:\Users\Admin\AppData\Local\Temp\212207f5a1eb39c861ff8b080ddcd2ef.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1.exe1.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 2763⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4016 -ip 40161⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD53168f4d5cdc232eb6d65f5f2af9c249a
SHA1caa8bc43ae9263acb1ab8bbbe2aca1b79b03cfb8
SHA256d39e39d1cab8ed9295f52256df1229997d1f27c7c71939eb29b79cb329a73dc6
SHA512851f969a13eddbf8a58ab41c4f970f0318499e86ff07b9e8b78bc281f00b4ebf76edb55f7d0e1962b230966c2c29f75a97bc7cc3031330b5185e5362732a02c6