Overview

overview

10

Static

static

3

NEAS.d8f76...JC.exe

windows7-x64

10

NEAS.d8f76...JC.exe

windows10-2004-x64

10

Resubmissions

20-10-2023 17:06

231020-vms85sed8t 10

20-10-2023 12:12

231020-pdg7macc75 10

Analysis

  • max time kernel
    141s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-10-2023 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe

  • Size

    173KB

  • MD5

    d8f76885ca9af651befe9d9e2d00d340

  • SHA1

    2ce43bf640a3abe3d840ec77d6342c3c141bd74b

  • SHA256

    4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

  • SHA512

    664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

  • SSDEEP

    3072:C9dUEfLpw3gCjYbUIazrdwheg+NrXJmT69qz5DcMP9vYw:C9d/w3gaYbUDzrA0dmT6SD/

Score
10/10
seonransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/s35o62cJ http://goldeny4vs3nyoht.onion/s35o62cJ 3. Enter your personal decryption code there: s35o62cJGh5Ds48nsHnKHvGweQMtZP6wHGuqcrdYbzCb7bjAq4TznGTBq97TeLD7VERGd9eQRXjwrZMNq9MJuVdfr4X9Nttt
URLs

http://golden5a4eqranh7.onion/s35o62cJ

http://goldeny4vs3nyoht.onion/s35o62cJ

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    trojanransomwareseon
  • Renames multiple (867) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Users\Admin\AppData\Roaming\{94b5e318-cf2c-45a5-95a0-afc4f62b2814}\poqexec.exe
      "C:\Users\Admin\AppData\Roaming\{94b5e318-cf2c-45a5-95a0-afc4f62b2814}\poqexec.exe"
      2⤵
      • Executes dropped EXE
      PID:4704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\{94b5e318-cf2c-45a5-95a0-afc4f62b2814}\poqexec.exe
    Filesize

    173KB

    MD5

    d8f76885ca9af651befe9d9e2d00d340

    SHA1

    2ce43bf640a3abe3d840ec77d6342c3c141bd74b

    SHA256

    4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

    SHA512

    664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

    Download Submit

  • C:\Users\Admin\AppData\Roaming\{94b5e318-cf2c-45a5-95a0-afc4f62b2814}\poqexec.exe
    Filesize

    173KB

    MD5

    d8f76885ca9af651befe9d9e2d00d340

    SHA1

    2ce43bf640a3abe3d840ec77d6342c3c141bd74b

    SHA256

    4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

    SHA512

    664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

    Download Submit

  • C:\Users\Admin\AppData\Roaming\{94b5e318-cf2c-45a5-95a0-afc4f62b2814}\poqexec.exe
    Filesize

    173KB

    MD5

    d8f76885ca9af651befe9d9e2d00d340

    SHA1

    2ce43bf640a3abe3d840ec77d6342c3c141bd74b

    SHA256

    4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

    SHA512

    664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

    Download Submit

  • C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT
    Filesize

    778B

    MD5

    d4e06762515380109e95dbad1c484a5f

    SHA1

    e3aa4f60881298fb6c7e733df7e2f9f6b0619d73

    SHA256

    423d2ff5cf6b3603f9fd8454e84525883921f8546c8f31a4583125af6dbdf303

    SHA512

    1c00d97162202f0483db1f33e43d49cfd6b40cdc6854dab5582ea7ce4e6d9e496f5d5350a2ccc4283f31738705e1be1a2494c6903e97708b0a9397945e50a8cc

    Download Submit

  • memory/2120-0-0x00000000005D0000-0x00000000005DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2120-1-0x00000000006F0000-0x0000000000701000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2120-11-0x00000000006F0000-0x0000000000701000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4704-13-0x00000000006A0000-0x00000000006AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4704-14-0x0000000002060000-0x0000000002071000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4704-15-0x0000000002060000-0x0000000002071000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4704-853-0x0000000002060000-0x0000000002071000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4704-1756-0x0000000002060000-0x0000000002071000-memory.dmp

    Filesize

    68KB

    Download