seon | a6ea8e6e28f95bc4fb4adf76204c1566b08a6f50a74babffa4af2711d3ce964f

Analysis

max time kernel
16s
max time network
57s
platform
windows10_x64
resource
win10v20210408
submitted
15-05-2021 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6ea8e6e28f95bc4fb4adf76204c1566b08a6f50a74babffa4af2711d3ce964f.exe
Size

146KB
MD5

bea1fce2d104e411f955626ff42cd19c
SHA1

952871073d5229b6e0e80ad3d86afd36a422f220
SHA256

a6ea8e6e28f95bc4fb4adf76204c1566b08a6f50a74babffa4af2711d3ce964f
SHA512

a7312bed3c6abd56694291d34d89fb2cb453fcba169a01fe3569cff1459e3c2f15ec1436280cc7b391bce9a57dac4d68aeef9112db0d2edc1860629a438b36ec

Score

10^/10

seon ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/rHJe5KmQ http://goldeny4vs3nyoht.onion/rHJe5KmQ 3. Enter your personal decryption code there: rHJe5KmQKKKGX9zXN5bvFFGrkoJwKofeyYUXpkb11CDcRpVF4QwpLVtt7RfUk6d92dD4p15HX7fjezeZ1JRk9oVMooCAahQ2

URLs

http://golden5a4eqranh7.onion/rHJe5KmQ

http://goldeny4vs3nyoht.onion/rHJe5KmQ

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon

Executes dropped EXE 1 IoCs

pid	Process
196	InstallAgentUserBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 472 wrote to memory of 196	472	a6ea8e6e28f95bc4fb4adf76204c1566b08a6f50a74babffa4af2711d3ce964f.exe	77
PID 472 wrote to memory of 196	472	a6ea8e6e28f95bc4fb4adf76204c1566b08a6f50a74babffa4af2711d3ce964f.exe	77
PID 472 wrote to memory of 196	472	a6ea8e6e28f95bc4fb4adf76204c1566b08a6f50a74babffa4af2711d3ce964f.exe	77

C:\Users\Admin\AppData\Local\Temp\a6ea8e6e28f95bc4fb4adf76204c1566b08a6f50a74babffa4af2711d3ce964f.exe
"C:\Users\Admin\AppData\Local\Temp\a6ea8e6e28f95bc4fb4adf76204c1566b08a6f50a74babffa4af2711d3ce964f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:472
- C:\Users\Admin\AppData\Roaming\{47111c11-e2ec-4796-9f51-6900e322311d}\InstallAgentUserBroker.exe
  "C:\Users\Admin\AppData\Roaming\{47111c11-e2ec-4796-9f51-6900e322311d}\InstallAgentUserBroker.exe"
  2⤵
  - Executes dropped EXE
  PID:196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-120-0x0000000000870000-0x0000000000881000-memory.dmp

Filesize
68KB

Download
memory/472-114-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/472-115-0x00000000009B0000-0x00000000009C1000-memory.dmp

Filesize
68KB

Download