Overview

overview

10

Static

static

d0bd999fa2...c3.exe

windows7_x64

10

d0bd999fa2...c3.exe

windows10_x64

10

Analysis

  • max time kernel
    9s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    16-05-2021 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0bd999fa299d848b8c9fb4ad274b0ec229dc21b70e347b9c6c5ba1110624bc3.exe

  • Size

    147KB

  • MD5

    cc3843900bc53a238f326d6ef0bd9aeb

  • SHA1

    4b9a0c763f6217489d385d17b5fb1dc093429720

  • SHA256

    d0bd999fa299d848b8c9fb4ad274b0ec229dc21b70e347b9c6c5ba1110624bc3

  • SHA512

    a3f8d41d55d8a5efc639c7b9563d6d16e43fe8b9acd73ea66f80578b8da612fcf2f121401aad5075e4d7dc39cc745f900f63c24825f021c0489476226e9b39f2

Score
10/10
seonransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/nfbduo7C http://goldeny4vs3nyoht.onion/nfbduo7C 3. Enter your personal decryption code there: nfbduo7CavppVqX1RUTgR9LwEwJcWbWZSLvdD1ECChZ14Wr5HWfRD21qPDvGTy2yEacXGUQKk8bKpivwpTPZGhk936V943nK
URLs

http://golden5a4eqranh7.onion/nfbduo7C

http://goldeny4vs3nyoht.onion/nfbduo7C

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    trojanransomwareseon
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0bd999fa299d848b8c9fb4ad274b0ec229dc21b70e347b9c6c5ba1110624bc3.exe
    "C:\Users\Admin\AppData\Local\Temp\d0bd999fa299d848b8c9fb4ad274b0ec229dc21b70e347b9c6c5ba1110624bc3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Users\Admin\AppData\Roaming\{d05df4cd-1f49-4789-990f-af4a40b7e0bb}\taskkill.exe
      "C:\Users\Admin\AppData\Roaming\{d05df4cd-1f49-4789-990f-af4a40b7e0bb}\taskkill.exe"
      2⤵
      • Executes dropped EXE
      • Kills process with taskkill
      PID:1196

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1056-59-0x00000000766D1000-0x00000000766D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1056-60-0x0000000000220000-0x000000000022C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1056-61-0x0000000000230000-0x0000000000241000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1196-68-0x0000000000250000-0x0000000000261000-memory.dmp

    Filesize

    68KB

    Download