{ "Event": { "analysis": "1", "date": "2020-07-01", "extends_uuid": "", "info": "[Threat Intel] EKANS Ransomware: A Malware Targeting OT ICS Systems", "protected": false, "publish_timestamp": "1772426268", "published": true, "threat_level_id": "2", "timestamp": "1772407727", "uuid": "b3a2e79a-cb03-4237-8195-afca0094f074", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:producer=\"Fortinet\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"Snake-Ekans\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Component Object Model and Distributed COM - T1175\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Disabling Security Tools - T1089\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Execution Guardrails - T1480\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Indirect Command Execution - T1202\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Network Denial of Service - T1498\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Peripheral Device Discovery - T1120\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1063\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software Discovery - T1518\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1049\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Service Discovery - T1007\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#190061", "local": false, "name": "rectifyq:topic=\"ics-ot\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#dff146", "local": false, "name": "IT-impact-ICS", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Industrial\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772248236", "to_ids": false, "type": "link", "uuid": "67f3cbe3-c432-41b4-91e9-9cd5b122d2df", "value": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1772348256", "uuid": "8c833fbe-70a5-44d8-abdb-a4b6cbf6a714", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1772348256", "to_ids": true, "type": "md5", "uuid": "aacdd1c8-61a8-4430-a725-aab3697a7597", "value": "47ebe9f8f5f73f07d456ec12bb49c75d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1772347449", "to_ids": true, "type": "sha1", "uuid": "e53c9815-53ba-4093-9741-80db12b95aff", "value": "45672dc9b2eb6972bef8f930505f0ad57550ca4c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1772347450", "to_ids": true, "type": "sha256", "uuid": "87ff8d41-8de7-4523-99d3-0ad44f3da6f6", "value": "2ed3e37608e65be8b6e8c59f8c93240bd0efe9a60c08c21f4889c00eb6082d74", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1772347232", "to_ids": true, "type": "ssdeep", "uuid": "db68d584-2f36-4943-b9c8-701e5629c074", "value": "24576:9ypcVmmyK+Y8J0r1dpvZlGhiUTPQOMoezwFnKS1yb0zrs7HjeAzgjJENrud9qcju:ecV8Ytr1dhrwierOjeAzBruTqQt02+" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1772347232", "to_ids": false, "type": "size-in-bytes", "uuid": "140ad79d-219a-4bc0-839d-c68a3d2aee8c", "value": "3900928" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1772347232", "to_ids": true, "type": "vhash", "uuid": "036089b5-b15a-4827-a6ad-5e7f9dc19432", "value": "0360475d5d141az1dtz2017z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1772347232", "to_ids": true, "type": "filename", "uuid": "99544e2a-3dff-4c8c-990f-d09900efb28e", "value": "l1c8ia66d.exe" }, { "category": "Other", "comment": "Checked: 01/03/2026\nLast-scan\t: 15/05/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1772347232", "to_ids": false, "type": "text", "uuid": "0b99bd93-e8a7-4bd2-a784-e4bb38036272", "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/Snake!MSR\nVT Total Detection:57/71\nFirst Submission:2020-05-04T05:32:35.000000+00:00\nLast Submission:2024-06-19T03:16:50.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1772348277", "uuid": "16a79352-e593-4be1-97a2-ddf170d2ee11", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1772348277", "to_ids": true, "type": "md5", "uuid": "e5cd7ef2-a7ea-45f6-8bad-a78130010250", "value": "ed3c05bde9f0ea0f1321355b03ac42d0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1772347450", "to_ids": true, "type": "sha1", "uuid": "93d080ab-6d8c-4158-b9a3-ae09dcc519dc", "value": "e2e14949d0cbc14cd3893da035cc13b509e70a18", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1772347450", "to_ids": true, "type": "sha256", "uuid": "a852069d-6589-44e5-ba95-ae45a701d949", "value": "d4da69e424241c291c173c8b3756639c654432706e7def5025a649730868c4a1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1772347254", "to_ids": true, "type": "ssdeep", "uuid": "f54b13c9-d943-41a9-b160-a03d310c6436", "value": "49152:NLpNltFlwVK8sD4ZS22aHKjzF/3ODd8L9AKyyXP02+:ntrwkMKfF" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1772347254", "to_ids": false, "type": "size-in-bytes", "uuid": "f54acf09-7901-49b4-a50e-fa5a920e55fd", "value": "3965952" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1772347254", "to_ids": true, "type": "vhash", "uuid": "709d5a08-ff97-4d0e-bdfd-dddc5eae7d35", "value": "0360475d5d141az1dtz2017z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1772347254", "to_ids": true, "type": "filename", "uuid": "410c3853-a338-4a12-99dc-d22a3e9061ef", "value": "ntdll.dll" }, { "category": "Other", "comment": "Checked: 01/03/2026\nLast-scan\t: 26/02/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1772347254", "to_ids": false, "type": "text", "uuid": "72f572e7-04d3-4601-a1dc-a2b60b4846f8", "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/Snake!MSR\nVT Total Detection:59/72\nFirst Submission:2020-06-08T01:36:39.000000+00:00\nLast Submission:2025-07-03T01:37:58.000000+00:00" } ] } ] } }