Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    16-05-2021 01:32

General

  • Target

    3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe

  • Size

    147KB

  • MD5

    b9426017b811a9d3f54171882c63535e

  • SHA1

    dd8ff3a8521f910b31214e08ee438addeae22358

  • SHA256

    3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289

  • SHA512

    d92b5e14f2095bccafafbb6d2fc3c0a1140bc5ac729c1dbe06d31180ed6f6fd326b77f7cf1a91778db7cfee1058d1cd127d44700d541f4eedb7c5e3559e4e06e

Malware Config

Extracted

Path

C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps:

1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page".

2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/uSDebUhP http://goldeny4vs3nyoht.onion/uSDebUhP

3. Enter your personal decryption code there: uSDebUhPE8LYDURwVBdC5kttThPJCSuKXSAtpp6Qwaq4bstisz46cuxRW6VixdQ9Kbge2SJzPf1gGSukAC2dzWPMHXUDp7V2

URLs

http://golden5a4eqranh7.onion/uSDebUhP

http://goldeny4vs3nyoht.onion/uSDebUhP

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe
    "C:\Users\Admin\AppData\Local\Temp\3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Roaming\{1462c841-a0f8-4ff4-89c3-083c28a7ca05}\credwiz.exe
      "C:\Users\Admin\AppData\Roaming\{1462c841-a0f8-4ff4-89c3-083c28a7ca05}\credwiz.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      PID:844

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\{1462c841-a0f8-4ff4-89c3-083c28a7ca05}\credwiz.exe

    MD5

    79ba697ea830fdb5b51a015b7a001ec7

    SHA1

    fe380018de13cdbc5cf143604ce0f5919398dbf1

    SHA256

    2e55f5c5bba42bb3b8a65e730cc7ee94b5845e1b2599cce1db3a825460657ca1

    SHA512

    222535bce8d3efb0f2f1e71b5181265794423e893af70ce954e2c520beaba88466380c67d509391b33b8bdf0f129c51cabd962e2ca95436747bef9182dcfce7e

  • \Users\Admin\AppData\Roaming\{1462c841-a0f8-4ff4-89c3-083c28a7ca05}\credwiz.exe

    MD5

    79ba697ea830fdb5b51a015b7a001ec7

    SHA1

    fe380018de13cdbc5cf143604ce0f5919398dbf1

    SHA256

    2e55f5c5bba42bb3b8a65e730cc7ee94b5845e1b2599cce1db3a825460657ca1

    SHA512

    222535bce8d3efb0f2f1e71b5181265794423e893af70ce954e2c520beaba88466380c67d509391b33b8bdf0f129c51cabd962e2ca95436747bef9182dcfce7e

  • memory/844-63-0x0000000000000000-mapping.dmp

  • memory/844-69-0x0000000000230000-0x0000000000241000-memory.dmp

    Filesize

    68KB

  • memory/1268-60-0x0000000075591000-0x0000000075593000-memory.dmp

    Filesize

    8KB

  • memory/1268-65-0x0000000000220000-0x000000000022C000-memory.dmp

    Filesize

    48KB

  • memory/1268-67-0x0000000000250000-0x0000000000261000-memory.dmp

    Filesize

    68KB