seon | 4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

Resubmissions

20-10-2023 17:06

231020-vms85sed8t 10

20-10-2023 12:12

231020-pdg7macc75 10

Analysis

max time kernel
117s
max time network
131s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
20-10-2023 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe
Size

173KB
MD5

d8f76885ca9af651befe9d9e2d00d340
SHA1

2ce43bf640a3abe3d840ec77d6342c3c141bd74b
SHA256

4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50
SHA512

664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643
SSDEEP

3072:C9dUEfLpw3gCjYbUIazrdwheg+NrXJmT69qz5DcMP9vYw:C9d/w3gaYbUDzrA0dmT6SD/

Score

10^/10

seon ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/uz6fMdRf http://goldeny4vs3nyoht.onion/uz6fMdRf 3. Enter your personal decryption code there: uz6fMdRfGYHkvoRpSgKCS35RFRFQVtd5AwLxqbizg5Hsj5e8GQskET6DFx1T3iMWa1HSho56TGd7onPG1cLuVsVQ6N8NFfuN

URLs

http://golden5a4eqranh7.onion/uz6fMdRf

http://goldeny4vs3nyoht.onion/uz6fMdRf

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Renames multiple (195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2264	msdt.exe

Loads dropped DLL 1 IoCs

pid	Process
744	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2264	744	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe	27
PID 744 wrote to memory of 2264	744	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe	27
PID 744 wrote to memory of 2264	744	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe	27
PID 744 wrote to memory of 2264	744	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe	27

C:\Users\Admin\AppData\Local\Temp\NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Roaming\{ab609d14-3e9d-4197-96db-fcbf644e72bf}\msdt.exe
  "C:\Users\Admin\AppData\Roaming\{ab609d14-3e9d-4197-96db-fcbf644e72bf}\msdt.exe"
  2⤵
  - Executes dropped EXE
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{ab609d14-3e9d-4197-96db-fcbf644e72bf}\msdt.exe

Filesize
173KB

MD5
d8f76885ca9af651befe9d9e2d00d340

SHA1
2ce43bf640a3abe3d840ec77d6342c3c141bd74b

SHA256
4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

SHA512
664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

Download Submit
C:\Users\Admin\AppData\Roaming\{ab609d14-3e9d-4197-96db-fcbf644e72bf}\msdt.exe

Filesize
173KB

MD5
d8f76885ca9af651befe9d9e2d00d340

SHA1
2ce43bf640a3abe3d840ec77d6342c3c141bd74b

SHA256
4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

SHA512
664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

Download Submit
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
387a80d44d87d31a40928087c2f21b50

SHA1
9f608786b27ba8e8c4991d391f02225336ea0207

SHA256
b4ca795e8d3bab241174df226cdb646e4733d9b29fb5d8a2769e6d049c860bd9

SHA512
f1482c0c44ae6794dba7eab3ea3d4c87d2d321d8be03c889af01fd1001d46996205bbe6cd1c570a4e45e5d633360b84b69c7dbc0bdfe0d2b64ce5527890f03ef

Download Submit
\Users\Admin\AppData\Roaming\{ab609d14-3e9d-4197-96db-fcbf644e72bf}\msdt.exe

Filesize
173KB

MD5
d8f76885ca9af651befe9d9e2d00d340

SHA1
2ce43bf640a3abe3d840ec77d6342c3c141bd74b

SHA256
4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

SHA512
664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

Download Submit
memory/744-0-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/744-1-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/744-13-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/2264-14-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/2264-16-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/2264-412-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download