Overview

overview

10

Static

static

1c1768c6fa...le.exe

windows7_x64

10

1c1768c6fa...le.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-07-2021 12:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c1768c6fa0a08f053da6a0dedd5cff04471eddb02b4934f280c1d78d61076fe.sample.exe

  • Size

    150KB

  • MD5

    a60b3d8e48f36a9084658fa35a03247e

  • SHA1

    a69e8d4a4f6904d1604d77a0eabf224a8421cc0e

  • SHA256

    1c1768c6fa0a08f053da6a0dedd5cff04471eddb02b4934f280c1d78d61076fe

  • SHA512

    d36c5e354bf22a21e52ada0d747418e223a343a14c4bc68e9dad0ac0dbca15e2ad82b395b9fc5792bc3eb673fd3efd5c1b4796b13cdfb99bd0600fca75b83678

Score
10/10
seonransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/spgHwwjo http://goldeny4vs3nyoht.onion/spgHwwjo 3. Enter your personal decryption code there: spgHwwjoT58uNtJY3KcBeiB8WdZtbGiq7hmwwpFodxGB4Aznd3bYuvongsim1QMhe5mDyiFzQfZUGRvXt9rS9pzKVUD4GrPQ
URLs

http://golden5a4eqranh7.onion/spgHwwjo

http://goldeny4vs3nyoht.onion/spgHwwjo

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    trojanransomwareseon
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c1768c6fa0a08f053da6a0dedd5cff04471eddb02b4934f280c1d78d61076fe.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\1c1768c6fa0a08f053da6a0dedd5cff04471eddb02b4934f280c1d78d61076fe.sample.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Roaming\{a22f20d7-490f-4524-871a-9a30691d5643}\RunLegacyCPLElevated.exe
      "C:\Users\Admin\AppData\Roaming\{a22f20d7-490f-4524-871a-9a30691d5643}\RunLegacyCPLElevated.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      PID:2032

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1672-59-0x0000000075971000-0x0000000075973000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1672-64-0x0000000000230000-0x000000000023C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1672-65-0x00000000002C0000-0x00000000002D1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2032-66-0x0000000000280000-0x0000000000291000-memory.dmp

    Filesize

    68KB

    Download