Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-09-2024 08:32

General

  • Target

    56.exe

  • Size

    147KB

  • MD5

    691bc42ad3905fa13d1f088e1aaf07c8

  • SHA1

    4747422f504a5b8638a53255905bc759316cdf45

  • SHA256

    640d57062a58daf8cde747d115085e323923d5f297fe6e76960c0953a1c75139

  • SHA512

    18ec42ef13042539460e20f339a0495c1d87ff3764476fd5dd53197788df4a233879a9c8f709a89915a0f9bca46a3af85cd7b0b7426c2f89620b10ffee506431

  • SSDEEP

    3072:U9dUEfLpw3gCidSMFztbGw9Pz5DHrN+Ch:U9d/w3gN/pZH

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/nSAgMYgN http://goldeny4vs3nyoht.onion/nSAgMYgN 3. Enter your personal decryption code there: nSAgMYgNiM1qioN5PV72bR7ADvzErAuNTAYpqjoqsvhH1u3sHPHHDgnsLRgBS4hUL3g5LErNkUTT8QdysS2WdinPB5GiAHo2
URLs

http://golden5a4eqranh7.onion/nSAgMYgN

http://goldeny4vs3nyoht.onion/nSAgMYgN

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

  • Renames multiple (254) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56.exe
    "C:\Users\Admin\AppData\Local\Temp\56.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Users\Admin\AppData\Roaming\{74a294c6-1c72-4146-b16f-35db3952d5ec}\tcmsetup.exe
      "C:\Users\Admin\AppData\Roaming\{74a294c6-1c72-4146-b16f-35db3952d5ec}\tcmsetup.exe"
      2⤵
      • Executes dropped EXE
      PID:2368

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

    Filesize

    778B

    MD5

    a5d91942d99f98060991f6235ee7cbc2

    SHA1

    4a7cefd87f96b9048438aa565e906a2d4bcdad72

    SHA256

    5926f2e9c581c1d75f464976c19afa30d9c04584921adfd272fb0c075328f14a

    SHA512

    adf4b16a2d153d4bbaa2b265d16248cd94642644e1f1d2a6db9dfeba7af192f429e6050d8bdccc95cf9f7b26eb49c8a4ba08f575fc9eacdded3688eb30ed312b

  • \Users\Admin\AppData\Roaming\{74a294c6-1c72-4146-b16f-35db3952d5ec}\tcmsetup.exe

    Filesize

    147KB

    MD5

    691bc42ad3905fa13d1f088e1aaf07c8

    SHA1

    4747422f504a5b8638a53255905bc759316cdf45

    SHA256

    640d57062a58daf8cde747d115085e323923d5f297fe6e76960c0953a1c75139

    SHA512

    18ec42ef13042539460e20f339a0495c1d87ff3764476fd5dd53197788df4a233879a9c8f709a89915a0f9bca46a3af85cd7b0b7426c2f89620b10ffee506431

  • memory/2136-1-0x0000000000250000-0x0000000000261000-memory.dmp

    Filesize

    68KB

  • memory/2136-0-0x0000000000240000-0x000000000024C000-memory.dmp

    Filesize

    48KB

  • memory/2136-13-0x0000000000240000-0x000000000024C000-memory.dmp

    Filesize

    48KB

  • memory/2368-14-0x0000000000240000-0x000000000024C000-memory.dmp

    Filesize

    48KB

  • memory/2368-15-0x0000000000250000-0x0000000000261000-memory.dmp

    Filesize

    68KB

  • memory/2368-16-0x0000000000250000-0x0000000000261000-memory.dmp

    Filesize

    68KB

  • memory/2368-531-0x0000000000250000-0x0000000000261000-memory.dmp

    Filesize

    68KB