Analysis

  • max time kernel
    11s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 12:00

General

  • Target

    00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe

  • Size

    150KB

  • MD5

    dcabfb6eb919767fa14b71f2bfdcbe00

  • SHA1

    c598d24b226f8188924f6e34f1aa86e890c64229

  • SHA256

    00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b

  • SHA512

    d06fa847be6f4f48413200d0a1d21f271cff464e975b8687308cda9bf4a2bcd522f3b9c511465f6cd24f37a05bc322545504b138437f673307dda4c6dcb9f871

Malware Config

Extracted

Path

C:\Users\Admin\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/pR3XdmDW http://goldeny4vs3nyoht.onion/pR3XdmDW 3. Enter your personal decryption code there: pR3XdmDWvRvn4wuzfZG8eDzXyhJv5nEaD5NG5PVKtrFK3e1DjVVgaUJ7nvmPVqcZPsXhuiskQ9YhRsN53CdG23qVQ9ZhLnbx
URLs

http://golden5a4eqranh7.onion/pR3XdmDW

http://goldeny4vs3nyoht.onion/pR3XdmDW

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe
    "C:\Users\Admin\AppData\Local\Temp\00d109a581d9757f77f149aa0766398946a4a4c82dfe7fb85435c784faa93a3b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Roaming\{2cced1e9-2196-4ac1-befd-d9cea61de264}\diskpart.exe
      "C:\Users\Admin\AppData\Roaming\{2cced1e9-2196-4ac1-befd-d9cea61de264}\diskpart.exe"
      2⤵
      • Executes dropped EXE
      PID:4752

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\{2cced1e9-2196-4ac1-befd-d9cea61de264}\diskpart.exe

    Filesize

    150KB

    MD5

    9e981fdf4c7ee7f20856d1b2bd154439

    SHA1

    a35de3a48083ab9ce8c4a5ebdf3aa2d72fe6d5cd

    SHA256

    d448e94028d1e2450174ec7e6cc80b9db6bbba23703faa276761d8c2b660df0e

    SHA512

    520ab8d054fd2c0b331b25f8bf63f27fa67fd03ea915709ae9b21abf3768be8556b11ec3775340a034a011b6b0b7cd4ad2d1864603d01fc54bf43810d6ccfed8

  • memory/4752-130-0x0000000000000000-mapping.dmp

  • memory/4752-133-0x0000000000440000-0x000000000044C000-memory.dmp

    Filesize

    48KB

  • memory/4752-134-0x0000000002070000-0x0000000002081000-memory.dmp

    Filesize

    68KB