Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22-09-2024 08:32
Static task
static1
Behavioral task
behavioral1
Sample
56.exe
Resource
win7-20240708-en
General
-
Target
56.exe
-
Size
147KB
-
MD5
691bc42ad3905fa13d1f088e1aaf07c8
-
SHA1
4747422f504a5b8638a53255905bc759316cdf45
-
SHA256
640d57062a58daf8cde747d115085e323923d5f297fe6e76960c0953a1c75139
-
SHA512
18ec42ef13042539460e20f339a0495c1d87ff3764476fd5dd53197788df4a233879a9c8f709a89915a0f9bca46a3af85cd7b0b7426c2f89620b10ffee506431
-
SSDEEP
3072:U9dUEfLpw3gCidSMFztbGw9Pz5DHrN+Ch:U9d/w3gN/pZH
Malware Config
Extracted
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT
http://golden5a4eqranh7.onion/nSAgMYgN
http://goldeny4vs3nyoht.onion/nSAgMYgN
Signatures
-
Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
-
Renames multiple (254) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
pid Process 2368 tcmsetup.exe -
Loads dropped DLL 1 IoCs
pid Process 2136 56.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 56.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2368 2136 56.exe 30 PID 2136 wrote to memory of 2368 2136 56.exe 30 PID 2136 wrote to memory of 2368 2136 56.exe 30 PID 2136 wrote to memory of 2368 2136 56.exe 30 PID 2136 wrote to memory of 2368 2136 56.exe 30 PID 2136 wrote to memory of 2368 2136 56.exe 30 PID 2136 wrote to memory of 2368 2136 56.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\56.exe"C:\Users\Admin\AppData\Local\Temp\56.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Users\Admin\AppData\Roaming\{74a294c6-1c72-4146-b16f-35db3952d5ec}\tcmsetup.exe"C:\Users\Admin\AppData\Roaming\{74a294c6-1c72-4146-b16f-35db3952d5ec}\tcmsetup.exe"2⤵
- Executes dropped EXE
PID:2368
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
778B
MD5a5d91942d99f98060991f6235ee7cbc2
SHA14a7cefd87f96b9048438aa565e906a2d4bcdad72
SHA2565926f2e9c581c1d75f464976c19afa30d9c04584921adfd272fb0c075328f14a
SHA512adf4b16a2d153d4bbaa2b265d16248cd94642644e1f1d2a6db9dfeba7af192f429e6050d8bdccc95cf9f7b26eb49c8a4ba08f575fc9eacdded3688eb30ed312b
-
Filesize
147KB
MD5691bc42ad3905fa13d1f088e1aaf07c8
SHA14747422f504a5b8638a53255905bc759316cdf45
SHA256640d57062a58daf8cde747d115085e323923d5f297fe6e76960c0953a1c75139
SHA51218ec42ef13042539460e20f339a0495c1d87ff3764476fd5dd53197788df4a233879a9c8f709a89915a0f9bca46a3af85cd7b0b7426c2f89620b10ffee506431