Analysis
-
max time kernel
39s -
max time network
42s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24-06-2022 13:37
Static task
static1
Behavioral task
behavioral1
Sample
filecoder.dmg
Resource
macos-20220504-en
Behavioral task
behavioral2
Sample
flawedammyy.exe
Resource
win7-20220414-en
Behavioral task
behavioral3
Sample
flawedammyy.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral4
Sample
qakbot.dll
Resource
win7-20220414-en
Behavioral task
behavioral5
Sample
qakbot.dll
Resource
win10v2004-20220414-en
Behavioral task
behavioral6
Sample
redline.exe
Resource
win7-20220414-en
Behavioral task
behavioral7
Sample
redline.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral8
Sample
seon.exe
Resource
win7-20220414-en
Behavioral task
behavioral9
Sample
seon.exe
Resource
win10v2004-20220414-en
General
-
Target
seon.exe
-
Size
62KB
-
MD5
7d3573bee1a9acd192c50bc72a65ef7a
-
SHA1
8ff77e69046c8cecd4407c536219e6fc1a747af7
-
SHA256
221ab2fabe92b623834e7214d05dbef0cdc2b4399d34721de63e7c32ab5820ea
-
SHA512
dcf3998861c2c1818d05ba526134edddee58bea51d4065ec5d156dfac2d24a63d65df057a1319e0886bdf37a394f82fb4435c0292c3e1f135646623ad3aaf347
Malware Config
Extracted
C:\MSOCache\YOUR_FILES_ARE_ENCRYPTED.TXT
Extracted
C:\Users\Admin\AppData\Local\Temp\readme.hta
Signatures
-
Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
-
Modifies extensions of user files 14 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\ResumeUnpublish.tiff seon.exe File renamed C:\Users\Admin\Pictures\DismountPublish.tif => C:\Users\Admin\Pictures\DismountPublish.tif.FIXT seon.exe File renamed C:\Users\Admin\Pictures\StepProtect.raw => C:\Users\Admin\Pictures\StepProtect.raw.FIXT seon.exe File renamed C:\Users\Admin\Pictures\ConvertFind.tif => C:\Users\Admin\Pictures\ConvertFind.tif.FIXT seon.exe File renamed C:\Users\Admin\Pictures\UpdateBlock.png => C:\Users\Admin\Pictures\UpdateBlock.png.FIXT seon.exe File renamed C:\Users\Admin\Pictures\CompressHide.png => C:\Users\Admin\Pictures\CompressHide.png.FIXT seon.exe File renamed C:\Users\Admin\Pictures\OutCheckpoint.crw => C:\Users\Admin\Pictures\OutCheckpoint.crw.FIXT seon.exe File renamed C:\Users\Admin\Pictures\PublishRead.png => C:\Users\Admin\Pictures\PublishRead.png.FIXT seon.exe File renamed C:\Users\Admin\Pictures\ResumeUnpublish.tiff => C:\Users\Admin\Pictures\ResumeUnpublish.tiff.FIXT seon.exe File renamed C:\Users\Admin\Pictures\UnprotectPop.raw => C:\Users\Admin\Pictures\UnprotectPop.raw.FIXT seon.exe File renamed C:\Users\Admin\Pictures\EnableComplete.crw => C:\Users\Admin\Pictures\EnableComplete.crw.FIXT seon.exe File renamed C:\Users\Admin\Pictures\MeasureSelect.tif => C:\Users\Admin\Pictures\MeasureSelect.tif.FIXT seon.exe File renamed C:\Users\Admin\Pictures\SearchNew.png => C:\Users\Admin\Pictures\SearchNew.png.FIXT seon.exe File renamed C:\Users\Admin\Pictures\BackupConvertFrom.tif => C:\Users\Admin\Pictures\BackupConvertFrom.tif.FIXT seon.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: seon.exe File opened (read-only) \??\E: seon.exe File opened (read-only) \??\G: seon.exe File opened (read-only) \??\I: seon.exe File opened (read-only) \??\T: seon.exe File opened (read-only) \??\A: seon.exe File opened (read-only) \??\H: seon.exe File opened (read-only) \??\J: seon.exe File opened (read-only) \??\K: seon.exe File opened (read-only) \??\M: seon.exe File opened (read-only) \??\N: seon.exe File opened (read-only) \??\O: seon.exe File opened (read-only) \??\U: seon.exe File opened (read-only) \??\W: seon.exe File opened (read-only) \??\B: seon.exe File opened (read-only) \??\L: seon.exe File opened (read-only) \??\R: seon.exe File opened (read-only) \??\Z: seon.exe File opened (read-only) \??\F: seon.exe File opened (read-only) \??\P: seon.exe File opened (read-only) \??\Q: seon.exe File opened (read-only) \??\S: seon.exe File opened (read-only) \??\V: seon.exe File opened (read-only) \??\X: seon.exe File opened (read-only) \??\Y: seon.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 376 wrote to memory of 2028 376 seon.exe 28 PID 376 wrote to memory of 2028 376 seon.exe 28 PID 376 wrote to memory of 2028 376 seon.exe 28 PID 376 wrote to memory of 2028 376 seon.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\seon.exe"C:\Users\Admin\AppData\Local\Temp\seon.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\mshta.exemshta.exe C:\Users\Admin\AppData\Local\Temp\readme.hta2⤵
- Modifies Internet Explorer settings
PID:2028
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD5867e488f26e23d94a78cd020a852cf30
SHA129a4b0dc6edae5fbdf6bb13f60029ef4a48c8d29
SHA256da37639b77c11ccfe848ae6457e08eb98521ee01d481a8c7ce5d410576c2e606
SHA5123a30ef7d5adabae108b50060cad992383a8b8d951cbd32c99379a7e7b0a1276fd2a912b0f2f0d4f16e777ef045ba9c5e81f2dfe67bc3e7b04bbe0d69881ac659