Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
16/05/2021, 01:32
Static task
static1
Behavioral task
behavioral1
Sample
3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe
Resource
win10v20210408
General
-
Target
3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe
-
Size
147KB
-
MD5
b9426017b811a9d3f54171882c63535e
-
SHA1
dd8ff3a8521f910b31214e08ee438addeae22358
-
SHA256
3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289
-
SHA512
d92b5e14f2095bccafafbb6d2fc3c0a1140bc5ac729c1dbe06d31180ed6f6fd326b77f7cf1a91778db7cfee1058d1cd127d44700d541f4eedb7c5e3559e4e06e
Malware Config
Extracted
C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT
http://golden5a4eqranh7.onion/uSDebUhP
http://goldeny4vs3nyoht.onion/uSDebUhP
Signatures
-
Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
-
Executes dropped EXE 1 IoCs
pid Process 844 credwiz.exe -
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\GrantSave.png => C:\Users\Admin\Pictures\GrantSave.png.uSDebUhP credwiz.exe File renamed C:\Users\Admin\Pictures\JoinEdit.png => C:\Users\Admin\Pictures\JoinEdit.png.uSDebUhP credwiz.exe File renamed C:\Users\Admin\Pictures\TestUnprotect.png => C:\Users\Admin\Pictures\TestUnprotect.png.uSDebUhP credwiz.exe File renamed C:\Users\Admin\Pictures\UnprotectPush.crw => C:\Users\Admin\Pictures\UnprotectPush.crw.uSDebUhP credwiz.exe -
Loads dropped DLL 2 IoCs
pid Process 1268 3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe 1268 3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1268 wrote to memory of 844 1268 3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe 29 PID 1268 wrote to memory of 844 1268 3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe 29 PID 1268 wrote to memory of 844 1268 3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe 29 PID 1268 wrote to memory of 844 1268 3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe"C:\Users\Admin\AppData\Local\Temp\3d8c03ffa5fb4a6eef11b131a267b2208193f531fd1d0d2cabc392852e9e5289.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Users\Admin\AppData\Roaming\{1462c841-a0f8-4ff4-89c3-083c28a7ca05}\credwiz.exe"C:\Users\Admin\AppData\Roaming\{1462c841-a0f8-4ff4-89c3-083c28a7ca05}\credwiz.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
PID:844
-