General

  • Target

    V-removebg-preview.png

  • Size

    28KB

  • Sample

    231105-dnbxtacb55

  • MD5

    fc462405f5f045e51f514f7d1bb655da

  • SHA1

    b3c0e39c11364968c243383789950195e95fefdb

  • SHA256

    c8c7710c055d6fd4a7040d9c699d989a393ad8d960baec3fd652798929052152

  • SHA512

    6e3c64c47afd0ee92db58ef586105deaaa90dfc13f740b2479cec62c24d2729e237dd68c29ed5a8a3f6b2fd617704be793ae6b50e20511449764623eeafa9acf

  • SSDEEP

    768:Tsz7+3ysh2gZ4+a0idR8uDOr3gYwqmMsiEmS2JdW0D1h/3mS4E3:wz7dshPq+wDOrAqKfL81hX53

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/rd41q22U http://goldeny4vs3nyoht.onion/rd41q22U 3. Enter your personal decryption code there: rd41q22U1P1mmdFFcdnhm4r6BDSMKavab3Q2Uh1cf4oxVQ3fEGgCmsamAoj2pkfKNBQbxmT8yhRCUsSrsEjzz5jDQBXkvmoE
URLs

http://golden5a4eqranh7.onion/rd41q22U

http://goldeny4vs3nyoht.onion/rd41q22U

Targets

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Seon

      The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    • Renames multiple (93) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks