Resubmissions

20-10-2023 17:06

231020-vms85sed8t 10

20-10-2023 12:12

231020-pdg7macc75 10

General

  • Target

    NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe

  • Size

    173KB

  • Sample

    231020-pdg7macc75

  • MD5

    d8f76885ca9af651befe9d9e2d00d340

  • SHA1

    2ce43bf640a3abe3d840ec77d6342c3c141bd74b

  • SHA256

    4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

  • SHA512

    664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

  • SSDEEP

    3072:C9dUEfLpw3gCjYbUIazrdwheg+NrXJmT69qz5DcMP9vYw:C9d/w3gaYbUDzrA0dmT6SD/

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/uz6fMdRf http://goldeny4vs3nyoht.onion/uz6fMdRf 3. Enter your personal decryption code there: uz6fMdRfGYHkvoRpSgKCS35RFRFQVtd5AwLxqbizg5Hsj5e8GQskET6DFx1T3iMWa1HSho56TGd7onPG1cLuVsVQ6N8NFfuN
URLs

http://golden5a4eqranh7.onion/uz6fMdRf

http://goldeny4vs3nyoht.onion/uz6fMdRf

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/s35o62cJ http://goldeny4vs3nyoht.onion/s35o62cJ 3. Enter your personal decryption code there: s35o62cJGh5Ds48nsHnKHvGweQMtZP6wHGuqcrdYbzCb7bjAq4TznGTBq97TeLD7VERGd9eQRXjwrZMNq9MJuVdfr4X9Nttt
URLs

http://golden5a4eqranh7.onion/s35o62cJ

http://goldeny4vs3nyoht.onion/s35o62cJ

Targets

    • Target

      NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe

    • Size

      173KB

    • MD5

      d8f76885ca9af651befe9d9e2d00d340

    • SHA1

      2ce43bf640a3abe3d840ec77d6342c3c141bd74b

    • SHA256

      4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

    • SHA512

      664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

    • SSDEEP

      3072:C9dUEfLpw3gCjYbUIazrdwheg+NrXJmT69qz5DcMP9vYw:C9d/w3gaYbUDzrA0dmT6SD/

    • Seon

      The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    • Renames multiple (195) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (867) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks