seon | fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267

General

Target

fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267.exe
Size

147KB
MD5

c3d390ed9736f3b0e358d25132f0170e
SHA1

1d9ba08d7cc917287c52540e173f4ddcc34566be
SHA256

fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267
SHA512

5221a2e3dc5324ca553383b4d4621f13b74f8d5cefa29fa4bdcfd448e7092d70ddf63d943f42d525971325f738a8b6bda6afa2af14803e4dbd4fe7478c9a4eed

Score

10^/10

seon ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/rmTHYwcP http://goldeny4vs3nyoht.onion/rmTHYwcP 3. Enter your personal decryption code there: rmTHYwcPm7FWar376EjDSkDgGb226tohJm2ovZXw2povL7V5WzTP1p6uLJsMwH95gu2VsgnFMNg59r6F4SAQr2SNcwcvnGpV

URLs

http://golden5a4eqranh7.onion/rmTHYwcP

http://goldeny4vs3nyoht.onion/rmTHYwcP

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon

Executes dropped EXE 1 IoCs

Processes:

Fondue.exe

pid	Process
3168	Fondue.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Fondue.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\MoveUpdate.crw => C:\Users\Admin\Pictures\MoveUpdate.crw.rmTHYwcP	Fondue.exe
File renamed	C:\Users\Admin\Pictures\CompressEnter.crw => C:\Users\Admin\Pictures\CompressEnter.crw.rmTHYwcP	Fondue.exe
File renamed	C:\Users\Admin\Pictures\GetBlock.raw => C:\Users\Admin\Pictures\GetBlock.raw.rmTHYwcP	Fondue.exe
File renamed	C:\Users\Admin\Pictures\HideOut.raw => C:\Users\Admin\Pictures\HideOut.raw.rmTHYwcP	Fondue.exe
File renamed	C:\Users\Admin\Pictures\HideTrace.crw => C:\Users\Admin\Pictures\HideTrace.crw.rmTHYwcP	Fondue.exe
File opened for modification	C:\Users\Admin\Pictures\InstallAssert.tiff	Fondue.exe
File renamed	C:\Users\Admin\Pictures\InstallAssert.tiff => C:\Users\Admin\Pictures\InstallAssert.tiff.rmTHYwcP	Fondue.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267.exe

description	pid	Process	procid_target
PID 3904 wrote to memory of 3168	3904	fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267.exe	79
PID 3904 wrote to memory of 3168	3904	fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267.exe	79
PID 3904 wrote to memory of 3168	3904	fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267.exe	79

C:\Users\Admin\AppData\Local\Temp\fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267.exe
"C:\Users\Admin\AppData\Local\Temp\fec02d2f54f1d7421f44ad9cafe2649259e144dc5fcb5bc88a52943362e5b267.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Roaming\{b1ba0ab2-471f-40df-af7c-d7e5e7306fcb}\Fondue.exe
  "C:\Users\Admin\AppData\Roaming\{b1ba0ab2-471f-40df-af7c-d7e5e7306fcb}\Fondue.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  PID:3168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{b1ba0ab2-471f-40df-af7c-d7e5e7306fcb}\Fondue.exe

MD5
670d44f35126f431826d72ae2cf5f7f7

SHA1
ad5cf820e61952b7424d733464f4dc5807d05661

SHA256
07ee0ad543d3ac8c10fda84a34e7ec5b1f3b83b1d227bfd7ce4f2d9b40d929ab

SHA512
4b18405bc4140c2cb03c56f4440fd4133ce5ace58128c396d6b2a8f49888a375e866a9d368cfdb68b1391b5b5264874924ba3dd3f6e7a1448a0d5a8fb2c76db5

Download Submit
C:\Users\Admin\AppData\Roaming\{b1ba0ab2-471f-40df-af7c-d7e5e7306fcb}\Fondue.exe

MD5
670d44f35126f431826d72ae2cf5f7f7

SHA1
ad5cf820e61952b7424d733464f4dc5807d05661

SHA256
07ee0ad543d3ac8c10fda84a34e7ec5b1f3b83b1d227bfd7ce4f2d9b40d929ab

SHA512
4b18405bc4140c2cb03c56f4440fd4133ce5ace58128c396d6b2a8f49888a375e866a9d368cfdb68b1391b5b5264874924ba3dd3f6e7a1448a0d5a8fb2c76db5

Download Submit
memory/3168-114-0x0000000000000000-mapping.dmp

Download
memory/3168-119-0x0000000000430000-0x000000000057A000-memory.dmp

Filesize
1.3MB

Download
memory/3168-120-0x0000000000430000-0x000000000057A000-memory.dmp

Filesize
1.3MB

Download
memory/3904-117-0x00000000004C0000-0x000000000056E000-memory.dmp

Filesize
696KB

Download
memory/3904-118-0x00000000004C0000-0x000000000056E000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads