Analysis

  • max time kernel
    9s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    16-05-2021 04:46

General

  • Target

    2b71bdf234f7031f5ddec877413081be39f01241595c4781798f850598b7965b.exe

  • Size

    80KB

  • MD5

    c6c826418defa98a9da4d42922f05ff5

  • SHA1

    56dfab44b3cbdb510a6c5c439466a18100456dc5

  • SHA256

    2b71bdf234f7031f5ddec877413081be39f01241595c4781798f850598b7965b

  • SHA512

    fda229805746c60dd38b3d9c8be2f2e0e4585bb5e585217660cfbbb5a5952581908e4031b34d3e47bebac2df951710274d1b4ada59474582961cb326281d5d60

Malware Config

Extracted

Path

C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page".
2. Visit one of the following pages with the Tor Browser:
   http://golden5a4eqranh7.onion/rKvSZU2H
   http://goldeny4vs3nyoht.onion/rKvSZU2H
3. Enter your personal decryption code there:
   rKvSZU2H1Swp7LKoCXDMGWJNwWGzbJYmr1V8Zt5Kv6xU3x1cdQgxDFvk5H9enNyXdH1M6qC9f56Qk65KQxzuC9Xe1CFHJ4LC
URLs

http://golden5a4eqranh7.onion/rKvSZU2H

http://goldeny4vs3nyoht.onion/rKvSZU2H
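
The extracted config above is what an analyst would turn into indicators. The following is an added example, not part of the sandbox report: a small Python parser that pulls the .onion hosts, the per-victim URL token and the personal decryption code out of the note text. The note string is copied verbatim from this page as the test input; the regexes and function names are this example's own. One observation it encodes, taken from this note only, is that the URL path token (rKvSZU2H) is the first eight characters of the decryption code.

```python
import re

# Ransom note text copied verbatim from the extracted config on this page,
# embedded here so the example runs offline.
RANSOM_NOTE = (
    'You became victim of the GOLDENEYE RANSOMWARE! The files on your computer '
    'have been encrypted with an military grade encryption algorithm. There is no '
    'way to restore your data without a special key. You can purchase this key on '
    'the darknet page shown in step 2. To purchase your key and restore your data, '
    'please follow these three easy steps: 1. Download the Tor Browser at '
    '"https://www.torproject.org/". If you need help, please google for "access '
    'onion page". 2. Visit one of the following pages with the Tor Browser: '
    'http://golden5a4eqranh7.onion/rKvSZU2H http://goldeny4vs3nyoht.onion/rKvSZU2H '
    '3. Enter your personal decryption code there: '
    'rKvSZU2H1Swp7LKoCXDMGWJNwWGzbJYmr1V8Zt5Kv6xU3x1cdQgxDFvk5H9enNyXdH1M6qC9f56Qk65KQxzuC9Xe1CFHJ4LC'
)

# v2 onion services use a 16-character base32 (a-z, 2-7) hostname; both URLs in
# this note have that shape. The optional path is the per-victim token.
ONION_RE = re.compile(r'https?://(?P<host>[a-z2-7]{16})\.onion(?P<path>/[A-Za-z0-9]+)?')
# The note labels the victim key explicitly, so anchor on that phrase rather than
# on "any long alphanumeric run", which would also match the URL tokens.
CODE_RE = re.compile(r'personal decryption code there:\s*(?P<code>[A-Za-z0-9]+)')


def extract_onion_urls(note):
    """Return the .onion URLs in the note, in order of appearance, deduplicated."""
    seen = []
    for m in ONION_RE.finditer(note):
        url = m.group(0)
        if url not in seen:
            seen.append(url)
    return seen


def extract_victim_code(note):
    """Return the per-victim decryption code, or None if the note has none."""
    m = CODE_RE.search(note)
    return m.group('code') if m else None


def extract_iocs(note):
    """Collect onion hosts, URL path tokens and the victim code into one dict."""
    urls = extract_onion_urls(note)
    hosts = sorted({ONION_RE.match(u).group('host') + '.onion' for u in urls})
    tokens = sorted({m.group('path').lstrip('/')
                     for m in ONION_RE.finditer(note) if m.group('path')})
    return {'onion_hosts': hosts, 'url_tokens': tokens,
            'victim_code': extract_victim_code(note)}


def token_is_code_prefix(iocs):
    """Report whether every URL token is a prefix of the victim code.

    This holds for the note on this page (rKvSZU2H vs rKvSZU2H1Swp7...); it is an
    observation from a single sample, not a documented format rule, so treat a
    False result on another note as "different layout", not as corruption.
    """
    code = iocs['victim_code']
    return code is not None and all(code.startswith(t) for t in iocs['url_tokens'])


if __name__ == '__main__':
    result = extract_iocs(RANSOM_NOTE)
    for key, value in result.items():
        print(f'{key}: {value}')
    print('url token is a prefix of victim code:', token_is_code_prefix(result))
```

The hostnames are the durable indicators (they are shared across victims), whereas the URL token and the decryption code are per-victim and mostly useful for correlating notes dropped on different hosts in the same incident.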

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Enumerates processes with tasklist (1 TTP, 1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b71bdf234f7031f5ddec877413081be39f01241595c4781798f850598b7965b.exe
    "C:\Users\Admin\AppData\Local\Temp\2b71bdf234f7031f5ddec877413081be39f01241595c4781798f850598b7965b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Users\Admin\AppData\Roaming\{5f31f8c5-2e51-4285-b413-c75f2f031d77}\tasklist.exe
      "C:\Users\Admin\AppData\Roaming\{5f31f8c5-2e51-4285-b413-c75f2f031d77}\tasklist.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates processes with tasklist
      PID:1516
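
The process tree above shows the sample dropping its own copy of tasklist.exe into a GUID-named folder under %APPDATA% and running it from there, rather than calling the copy in System32. As an added detection example (not part of the sandbox report), the Python below runs two checks over process-creation events: a well-known system tool name executing from outside the Windows directories, and an image living in AppData\Roaming\{GUID}\. The events are constructed to mirror this report's tree (same PIDs, paths and GUID) plus one benign tasklist.exe from System32 as a negative case; the list of tool names beyond tasklist.exe is an assumption added for breadth.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str


# Constructed process-creation events modelled on the tree in this report
# (PIDs, paths and the GUID folder copied from it) plus one benign
# tasklist.exe run from System32 so the check has a negative case.
EVENTS = [
    ProcEvent(1056, 900,
              r'C:\Users\Admin\AppData\Local\Temp\2b71bdf234f7031f5ddec877413081be39f01241595c4781798f850598b7965b.exe',
              r'"C:\Users\Admin\AppData\Local\Temp\2b71bdf234f7031f5ddec877413081be39f01241595c4781798f850598b7965b.exe"'),
    ProcEvent(1516, 1056,
              r'C:\Users\Admin\AppData\Roaming\{5f31f8c5-2e51-4285-b413-c75f2f031d77}\tasklist.exe',
              r'"C:\Users\Admin\AppData\Roaming\{5f31f8c5-2e51-4285-b413-c75f2f031d77}\tasklist.exe"'),
    ProcEvent(2200, 700,
              r'C:\Windows\System32\tasklist.exe',
              r'tasklist.exe /svc'),
]

# Windows utilities malware commonly drops a private copy of. tasklist.exe is
# the one seen in this report; the others are assumptions for broader coverage.
SYSTEM_TOOLS = {'tasklist.exe', 'taskkill.exe', 'cmd.exe', 'reg.exe',
                'net.exe', 'vssadmin.exe'}
# Directories the genuine copies live in (compared case-insensitively).
LEGIT_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
# A path component that is exactly a brace-wrapped GUID, e.g. \{5f31f8c5-...}\
GUID_DIR_RE = re.compile(r'\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\\', re.I)


def is_masqueraded_system_tool(ev):
    """True when a well-known system tool name runs from outside the OS dirs."""
    path = ev.image.lower()
    name = path.rsplit('\\', 1)[-1]
    return name in SYSTEM_TOOLS and not path.startswith(LEGIT_DIRS)


def is_guid_dir_in_appdata(ev):
    """True when the image lives in AppData\\Roaming\\{GUID}\\, the drop
    location used by this sample. This check is filename-independent, so it
    still fires if the dropped tool is renamed."""
    return ('\\appdata\\roaming\\' in ev.image.lower()
            and bool(GUID_DIR_RE.search(ev.image)))


def find_suspicious(events):
    """Return (pid, reasons) for every event that trips a check. The parent is
    looked up so a dropper running from %TEMP% is recorded in the alert."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        reasons = []
        if is_masqueraded_system_tool(ev):
            reasons.append('system tool name outside System32/SysWOW64')
        if is_guid_dir_in_appdata(ev):
            reasons.append('image in AppData\\Roaming\\{GUID}\\')
        parent = by_pid.get(ev.ppid)
        if reasons and parent and '\\appdata\\local\\temp\\' in parent.image.lower():
            reasons.append('parent runs from %TEMP%')
        if reasons:
            hits.append((ev.pid, reasons))
    return hits


if __name__ == '__main__':
    for pid, reasons in find_suspicious(EVENTS):
        print(f'PID {pid}: ' + '; '.join(reasons))
```

Matching on the filename alone is weak on its own (the dropper could name its copy anything), which is why the GUID-directory check and the parent-in-%TEMP% context are carried alongside it; together the three reasons describe exactly the relationship between PID 1056 and PID 1516 in the tree above.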

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1056-60-0x00000000766D1000-0x00000000766D3000-memory.dmp

    Filesize

    8KB

  • memory/1056-65-0x0000000000270000-0x000000000027C000-memory.dmp

    Filesize

    48KB

  • memory/1056-66-0x0000000000280000-0x0000000000291000-memory.dmp

    Filesize

    68KB

  • memory/1516-68-0x00000000002D0000-0x00000000002E1000-memory.dmp

    Filesize

    68KB