seon | 00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b

General

Target

00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe
Size

150KB
MD5

dcabfb6eb919767fa14b71f2bfdcbe00
SHA1

c598d24b226f8188924f6e34f1aa86e890c64229
SHA256

00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b
SHA512

d06fa847be6f4f48413200d0a1d21f271cff464e975b8687308cda9bf4a2bcd522f3b9c511465f6cd24f37a05bc322545504b138437f673307dda4c6dcb9f871

Score

10^/10

seon ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/wjDgEumz http://goldeny4vs3nyoht.onion/wjDgEumz 3. Enter your personal decryption code there: wjDgEumzYZPnJhkjLiEd8zqaz8sggxcyupBUjkpyeKfgRwbNsVK3G6gjww62zVxoquZqBUqymn11FRuecf2mgEA5DJHfaQJB

URLs

http://golden5a4eqranh7.onion/wjDgEumz

http://goldeny4vs3nyoht.onion/wjDgEumz

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon

Executes dropped EXE 1 IoCs

Processes:

ReAgentc.exe

pid	Process
896	ReAgentc.exe

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ReAgentc.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\StartResolve.tiff => C:\Users\Admin\Pictures\StartResolve.tiff.wjDgEumz	ReAgentc.exe
File renamed	C:\Users\Admin\Pictures\WatchStart.tiff => C:\Users\Admin\Pictures\WatchStart.tiff.wjDgEumz	ReAgentc.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteBlock.tiff	ReAgentc.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromStop.raw => C:\Users\Admin\Pictures\ConvertFromStop.raw.wjDgEumz	ReAgentc.exe
File renamed	C:\Users\Admin\Pictures\HideStart.crw => C:\Users\Admin\Pictures\HideStart.crw.wjDgEumz	ReAgentc.exe
File renamed	C:\Users\Admin\Pictures\ShowGrant.tiff => C:\Users\Admin\Pictures\ShowGrant.tiff.wjDgEumz	ReAgentc.exe
File opened for modification	C:\Users\Admin\Pictures\StartResolve.tiff	ReAgentc.exe
File opened for modification	C:\Users\Admin\Pictures\WatchStart.tiff	ReAgentc.exe
File renamed	C:\Users\Admin\Pictures\CompleteBlock.tiff => C:\Users\Admin\Pictures\CompleteBlock.tiff.wjDgEumz	ReAgentc.exe
File renamed	C:\Users\Admin\Pictures\FindDismount.crw => C:\Users\Admin\Pictures\FindDismount.crw.wjDgEumz	ReAgentc.exe
File opened for modification	C:\Users\Admin\Pictures\ShowGrant.tiff	ReAgentc.exe

Loads dropped DLL 1 IoCs

Processes:

00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe

pid	Process
1708	00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe

description	pid	Process	procid_target
PID 1708 wrote to memory of 896	1708	00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe	27
PID 1708 wrote to memory of 896	1708	00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe	27
PID 1708 wrote to memory of 896	1708	00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe	27
PID 1708 wrote to memory of 896	1708	00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe	27

C:\Users\Admin\AppData\Local\Temp\00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe
"C:\Users\Admin\AppData\Local\Temp\00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Roaming\{76e82db8-9bd1-438e-8504-5d4b09d55ce6}\ReAgentc.exe
  "C:\Users\Admin\AppData\Roaming\{76e82db8-9bd1-438e-8504-5d4b09d55ce6}\ReAgentc.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{76e82db8-9bd1-438e-8504-5d4b09d55ce6}\ReAgentc.exe

Filesize
150KB

MD5
dac279978b71b5c2fe2ac4c75609c5cb

SHA1
997a63511ffbabdd651eb3661eede767d6f76e94

SHA256
2b400a855ecfa7894f4f623522b103c010e31d334fd444c6137f98320b6f3686

SHA512
82db3f7e2116fbbacacb03cf6e91a0e1d9e7c330bc3bc8406011b17528b4cc7c95ed4aa24fdcc4ee677924c97b3dcab46bc6599303e5c6be6c09023b78c67802

Download Submit
\Users\Admin\AppData\Roaming\{76e82db8-9bd1-438e-8504-5d4b09d55ce6}\ReAgentc.exe

Filesize
150KB

MD5
dac279978b71b5c2fe2ac4c75609c5cb

SHA1
997a63511ffbabdd651eb3661eede767d6f76e94

SHA256
2b400a855ecfa7894f4f623522b103c010e31d334fd444c6137f98320b6f3686

SHA512
82db3f7e2116fbbacacb03cf6e91a0e1d9e7c330bc3bc8406011b17528b4cc7c95ed4aa24fdcc4ee677924c97b3dcab46bc6599303e5c6be6c09023b78c67802

Download Submit
memory/896-56-0x0000000000000000-mapping.dmp

Download
memory/896-61-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/1708-54-0x00000000758D1000-0x00000000758D3000-memory.dmp

Filesize
8KB

Download
memory/1708-57-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/1708-60-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads