seon | 4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

General

Target

NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe
Size

173KB
MD5

d8f76885ca9af651befe9d9e2d00d340
SHA1

2ce43bf640a3abe3d840ec77d6342c3c141bd74b
SHA256

4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50
SHA512

664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643
SSDEEP

3072:C9dUEfLpw3gCjYbUIazrdwheg+NrXJmT69qz5DcMP9vYw:C9d/w3gaYbUDzrA0dmT6SD/

Score

10^/10

seon ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/wXbEXz8v http://goldeny4vs3nyoht.onion/wXbEXz8v 3. Enter your personal decryption code there: wXbEXz8vq1XjW4qi3vLMTnh2i1yLWix5LG1ZGgJLApxQYnXoohQevJJhyUmgTasWF7NHoASNGVMv9KCurZ9cJG5CVHbYdvV9

URLs

http://golden5a4eqranh7.onion/wXbEXz8v

http://goldeny4vs3nyoht.onion/wXbEXz8v

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Renames multiple (197) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 1 IoCs

Processes:

gpupdate.exe

pid process

2008 gpupdate.exe
Loads dropped DLL 1 IoCs

Processes:

NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe

pid process

1900 NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2008	gpupdate.exe

pid	process
1900	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe

Modifies registry class 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2720 NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

2388 rundll32.exe

pid	process
2720	NOTEPAD.EXE

pid	process
2388	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe

description	pid	process	target process
PID 1900 wrote to memory of 2008	1900	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe	gpupdate.exe
PID 1900 wrote to memory of 2008	1900	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe	gpupdate.exe
PID 1900 wrote to memory of 2008	1900	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe	gpupdate.exe
PID 1900 wrote to memory of 2008	1900	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe	gpupdate.exe
PID 1900 wrote to memory of 2008	1900	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe	gpupdate.exe
PID 1900 wrote to memory of 2008	1900	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe	gpupdate.exe
PID 1900 wrote to memory of 2008	1900	NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe	gpupdate.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Roaming\{77a1645b-c6ba-48c7-8bd3-8e50cc4fe291}\gpupdate.exe
  "C:\Users\Admin\AppData\Roaming\{77a1645b-c6ba-48c7-8bd3-8e50cc4fe291}\gpupdate.exe"
  2⤵
  - Executes dropped EXE
  PID:2008

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.TXT
1⤵
- Opens file in notepad (likely ransom note)
PID:2720

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\DisconnectStop.iso.wXbEXz8v
1⤵
- Modifies registry class
PID:2544

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SkipHide.bmp.wXbEXz8v
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2388

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ConfirmInvoke.tiff.wXbEXz8v
1⤵
- Modifies registry class
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{77a1645b-c6ba-48c7-8bd3-8e50cc4fe291}\gpupdate.exe

Filesize
173KB

MD5
50b3c5f8423d2d1c89c4f97e951a5a38

SHA1
386ec52dcdb9c7061decb17fc1895a26d962ae18

SHA256
f1925b9d4f0f05f0af82bb9cf36dd415639116cc84643a82089e3eb423d0bad1

SHA512
a94a2543689a310d0d4fe6d473186e0bfc918af1ddad186782c43e254fc09576a80c126bb5c316bf6e452458180a03490b28155d285343476beedc918f2f42a1

Download Submit
C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
ab682ace457bb6caa820cac20fa96f48

SHA1
bf2ed357c5cfbfd48211570e2811bac4f3685998

SHA256
b94160a47525aae851ba7aa20049df02525391fe33c37a313010af54d9730ef8

SHA512
2e74ab44acbe0e08f95b3ff357871b8a0d399008d04ba1d268e9915e9e7c2c3b5b05c80d4a6afc4c4be049003ebc8ae665dbbfb82e5c384426b650c9fb16879d

Download Submit
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
ab682ace457bb6caa820cac20fa96f48

SHA1
bf2ed357c5cfbfd48211570e2811bac4f3685998

SHA256
b94160a47525aae851ba7aa20049df02525391fe33c37a313010af54d9730ef8

SHA512
2e74ab44acbe0e08f95b3ff357871b8a0d399008d04ba1d268e9915e9e7c2c3b5b05c80d4a6afc4c4be049003ebc8ae665dbbfb82e5c384426b650c9fb16879d

Download Submit
\Users\Admin\AppData\Roaming\{77a1645b-c6ba-48c7-8bd3-8e50cc4fe291}\gpupdate.exe

Filesize
173KB

MD5
50b3c5f8423d2d1c89c4f97e951a5a38

SHA1
386ec52dcdb9c7061decb17fc1895a26d962ae18

SHA256
f1925b9d4f0f05f0af82bb9cf36dd415639116cc84643a82089e3eb423d0bad1

SHA512
a94a2543689a310d0d4fe6d473186e0bfc918af1ddad186782c43e254fc09576a80c126bb5c316bf6e452458180a03490b28155d285343476beedc918f2f42a1

Download Submit
memory/1900-0-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/1900-1-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/1900-12-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/2008-13-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2008-14-0x00000000001E0000-0x00000000001F1000-memory.dmp

Filesize
68KB

Download
memory/2008-414-0x00000000001E0000-0x00000000001F1000-memory.dmp

Filesize
68KB

Download
memory/2008-415-0x00000000001E0000-0x00000000001F1000-memory.dmp

Filesize
68KB

Download

Resubmissions

Analysis

Sharing