Overview

overview

10

Static

static

591e7f5eb1...8b.exe

windows7_x64

10

591e7f5eb1...8b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    188s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe

  • Size

    62KB

  • MD5

    eb5d62f37c2a7cdd355b483d06ff7278

  • SHA1

    e21b853bd54e1305f3c0d0eb6f8da52b70b0d722

  • SHA256

    591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b

  • SHA512

    80c377cfe3f707bb118740b98f2a04f8e3700394ff7519e09f04a861a2ed91e516337d729526c4203f41c87ffd2de9f6542a9f0986d73f7fec4e32740adfc4b3

Score
10/10
seonransomwaretrojan

Malware Config

Extracted

Path

C:\odt\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
SEON RANSOMWARE ver 0.2 all your files has been encrypted There is only way to get your files back: contact with us We accept Bitcoin and other cryptocurrencies Do not try to reinstall operation system on your computer Do not try to decrypt files with third party tools, this can lead to data loss You can decrypt 1 file for free Our contact emails: [email protected] [email protected]

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    trojanransomwareseon
  • Modifies extensions of user files 14 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe
    "C:\Users\Admin\AppData\Local\Temp\591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Windows\SysWOW64\mshta.exe
      mshta.exe C:\Users\Admin\AppData\Local\Temp\readme.hta
      2⤵
        PID:4656

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads