Overview

overview

10

Static

static

3

NEAS.d8f76...JC.exe

windows7-x64

10

NEAS.d8f76...JC.exe

windows10-2004-x64

10

Resubmissions

20-10-2023 17:06

231020-vms85sed8t 10

20-10-2023 12:12

231020-pdg7macc75 10

Analysis

  • max time kernel
    140s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-10-2023 17:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe

  • Size

    173KB

  • MD5

    d8f76885ca9af651befe9d9e2d00d340

  • SHA1

    2ce43bf640a3abe3d840ec77d6342c3c141bd74b

  • SHA256

    4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

  • SHA512

    664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

  • SSDEEP

    3072:C9dUEfLpw3gCjYbUIazrdwheg+NrXJmT69qz5DcMP9vYw:C9d/w3gaYbUDzrA0dmT6SD/

Score
10/10
seonransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/xQsN7xb9 http://goldeny4vs3nyoht.onion/xQsN7xb9 3. Enter your personal decryption code there: xQsN7xb9RN2hV1wGv2XnRsz8hpvZVuazYLpbVkXp17QQo3VR2oVoT3iZfQwAdick2mtvbeQ4dEdFbv1HooGRk21ThAftz38J
URLs

http://golden5a4eqranh7.onion/xQsN7xb9

http://goldeny4vs3nyoht.onion/xQsN7xb9

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    trojanransomwareseon
  • Renames multiple (736) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.d8f76885ca9af651befe9d9e2d00d340_JC.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Roaming\{f0f50074-c2a7-4f4e-914b-7489d0e958ff}\eventvwr.exe
      "C:\Users\Admin\AppData\Roaming\{f0f50074-c2a7-4f4e-914b-7489d0e958ff}\eventvwr.exe"
      2⤵
      • Executes dropped EXE
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\{f0f50074-c2a7-4f4e-914b-7489d0e958ff}\eventvwr.exe
    Filesize

    173KB

    MD5

    d8f76885ca9af651befe9d9e2d00d340

    SHA1

    2ce43bf640a3abe3d840ec77d6342c3c141bd74b

    SHA256

    4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

    SHA512

    664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

    Download Submit

  • C:\Users\Admin\AppData\Roaming\{f0f50074-c2a7-4f4e-914b-7489d0e958ff}\eventvwr.exe
    Filesize

    173KB

    MD5

    d8f76885ca9af651befe9d9e2d00d340

    SHA1

    2ce43bf640a3abe3d840ec77d6342c3c141bd74b

    SHA256

    4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

    SHA512

    664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

    Download Submit

  • C:\Users\Admin\AppData\Roaming\{f0f50074-c2a7-4f4e-914b-7489d0e958ff}\eventvwr.exe
    Filesize

    173KB

    MD5

    d8f76885ca9af651befe9d9e2d00d340

    SHA1

    2ce43bf640a3abe3d840ec77d6342c3c141bd74b

    SHA256

    4a4c61d929d49cd5fce4872754993a9bd570566ca2b16d114f3664d86e09eb50

    SHA512

    664d62084bf14b877fe97257c11aebbfaece26dd9053c190eda59bf25b9c01b5b97763a4d157946cdabdaaeecedb8f67c2e7b763190fbd973a342a50fa81b643

    Download Submit

  • C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT
    Filesize

    778B

    MD5

    ad36f0aeb91deb04cc9c4cb53036fe84

    SHA1

    733801fe7735315731a95171f23acb5b050d2ccc

    SHA256

    465792e723f4f7fc2b0b272edf85262e8d95a2ffe5e8b541ad3fbb42ca08c215

    SHA512

    7df2fd538fd8f75974505ca228bba905d9aa82d6dd5b74f8a9740bec48ca373377e80790de006379daaa206cb32a2305918cb6d273b31153650ce6552ffae4a0

    Download Submit

  • memory/2772-16-0x00000000006B0000-0x00000000006C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2772-14-0x00000000006A0000-0x00000000006AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2772-15-0x00000000006B0000-0x00000000006C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2772-882-0x00000000006B0000-0x00000000006C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2772-1495-0x00000000006B0000-0x00000000006C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3516-13-0x0000000000480000-0x000000000048C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3516-12-0x00000000009F0000-0x0000000000A01000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3516-1-0x00000000009F0000-0x0000000000A01000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3516-0-0x0000000000480000-0x000000000048C000-memory.dmp

    Filesize

    48KB

    Download