Analysis

  • max time kernel
    16s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15/05/2021, 05:51

General

  • Target

    fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267.exe

  • Size

    147KB

  • MD5

    c3d390ed9736f3b0e358d25132f0170e

  • SHA1

    1d9ba08d7cc917287c52540e173f4ddcc34566be

  • SHA256

    fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267

  • SHA512

    5221a2e3dc5324ca553383b4d4621f13b74f8d5cefa29fa4bdcfd448e7092d70ddf63d943f42d525971325f738a8b6bda6afa2af14803e4dbd4fe7478c9a4eed

Malware Config

Extracted

Path

C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/nTv99py2 http://goldeny4vs3nyoht.onion/nTv99py2 3. Enter your personal decryption code there: nTv99py2KuFGuCdrC4sLfAA88xdTETLyf8MA82aucHjZJUYa4wojhacScprpdmvFEZ6NwKbw6dwMnMdPBKjRpLgZ2woh2Czy

URLs

http://golden5a4eqranh7.onion/nTv99py2

http://goldeny4vs3nyoht.onion/nTv99py2

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267.exe
    "C:\Users\Admin\AppData\Local\Temp\fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Roaming\{d93c1918-e9a0-46af-afa8-1b23579f54bb}\dialer.exe
      "C:\Users\Admin\AppData\Roaming\{d93c1918-e9a0-46af-afa8-1b23579f54bb}\dialer.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      PID:1420

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/748-60-0x0000000075451000-0x0000000075453000-memory.dmp

    Filesize

    8KB

  • memory/748-66-0x00000000001B0000-0x00000000001BC000-memory.dmp

    Filesize

    48KB

  • memory/748-67-0x00000000001C0000-0x00000000001D1000-memory.dmp

    Filesize

    68KB

  • memory/1420-69-0x00000000003C0000-0x00000000003D1000-memory.dmp

    Filesize

    68KB