Overview

overview

10

Static

static

ba8695d76c...6c.exe

windows7_x64

10

ba8695d76c...6c.exe

windows10_x64

10

Analysis

  • max time kernel
    15s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15-05-2021 17:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba8695d76cbb3b8b6ef1b6a40c8991f5ce2197af6a5c7ac10c08b5de91b56b6c.exe

  • Size

    80KB

  • MD5

    bb346e1f39341855261b4b66a8536370

  • SHA1

    9b14ff82649e7e410deb715e3a440797ddd0bb99

  • SHA256

    ba8695d76cbb3b8b6ef1b6a40c8991f5ce2197af6a5c7ac10c08b5de91b56b6c

  • SHA512

    6328f5219e2a78a2d04a34ecde75e2423c158f3ae8aa9c6facf1ab3cab5d0409dfbebca783647f467c314c5c85b1c5a22740a6c8a2509ecad1611c1dc3e2e4f5

Score
10/10
seonransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/qVgxyw9j http://goldeny4vs3nyoht.onion/qVgxyw9j 3. Enter your personal decryption code there: qVgxyw9jCCbjCvBhHvohvokuNNCSkYki9qvT8yGCuoEztDwPuX62omxsFRiEZdLJopYozwPbEFRsVpModCYKSfdiWCWPsDmw
URLs

http://golden5a4eqranh7.onion/qVgxyw9j

http://goldeny4vs3nyoht.onion/qVgxyw9j

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    trojanransomwareseon
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba8695d76cbb3b8b6ef1b6a40c8991f5ce2197af6a5c7ac10c08b5de91b56b6c.exe
    "C:\Users\Admin\AppData\Local\Temp\ba8695d76cbb3b8b6ef1b6a40c8991f5ce2197af6a5c7ac10c08b5de91b56b6c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Users\Admin\AppData\Roaming\{7ac6e4c1-aabc-4b1c-b0a1-7428e746d03b}\verclsid.exe
      "C:\Users\Admin\AppData\Roaming\{7ac6e4c1-aabc-4b1c-b0a1-7428e746d03b}\verclsid.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      PID:1640

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1640-68-0x0000000000240000-0x0000000000251000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1840-60-0x0000000075551000-0x0000000075553000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1840-61-0x00000000001C0000-0x00000000001CC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1840-62-0x00000000001D0000-0x00000000001E1000-memory.dmp

    Filesize

    68KB

    Download