Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-09-2024 08:32

General

  • Target

    56.exe

  • Size

    147KB

  • MD5

    691bc42ad3905fa13d1f088e1aaf07c8

  • SHA1

    4747422f504a5b8638a53255905bc759316cdf45

  • SHA256

    640d57062a58daf8cde747d115085e323923d5f297fe6e76960c0953a1c75139

  • SHA512

    18ec42ef13042539460e20f339a0495c1d87ff3764476fd5dd53197788df4a233879a9c8f709a89915a0f9bca46a3af85cd7b0b7426c2f89620b10ffee506431

  • SSDEEP

    3072:U9dUEfLpw3gCidSMFztbGw9Pz5DHrN+Ch:U9d/w3gN/pZH

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page".
2. Visit one of the following pages with the Tor Browser:
http://golden5a4eqranh7.onion/sTCXTykX
http://goldeny4vs3nyoht.onion/sTCXTykX
3. Enter your personal decryption code there:
sTCXTykX4suKWYkhXx5DfnE2SoveLasU7cCNtyNhdyAaXN8QHyuZ2WUTmDSQJHFGzc7uYZFr4ndYHwxf5iLEw1WNuWrWweP8
URLs

http://golden5a4eqranh7.onion/sTCXTykX

http://goldeny4vs3nyoht.onion/sTCXTykX
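
The extracted configuration above is the raw note plus two URLs. The following parser is an added example (not part of the sandbox report and not the sample's own code) that pulls the family string, the .onion hosts, the per-victim URL path token and the "personal decryption code" out of a GoldenEye-style note, and checks the one relationship visible in this report: the URL path token `sTCXTykX` is the leading 8 characters of the decryption code. The input is the note text as flattened above; the on-disk file is 778 bytes with its own line breaks, so hashing this string will not reproduce the reported MD5/SHA256.

```python
import re

# Constructed input: the ransom note as the sandbox extracted it (see above),
# flattened to a single string. Do NOT expect its hash to match the reported
# note hashes; the real file has line breaks this string does not reproduce.
SAMPLE_NOTE = (
    "You became victim of the GOLDENEYE RANSOMWARE! The files on your computer "
    "have been encrypted with an military grade encryption algorithm. There is "
    "no way to restore your data without a special key. You can purchase this "
    "key on the darknet page shown in step 2. To purchase your key and restore "
    "your data, please follow these three easy steps: 1. Download the Tor "
    "Browser at \"https://www.torproject.org/\". If you need help, please google "
    "for \"access onion page\". 2. Visit one of the following pages with the Tor "
    "Browser: http://golden5a4eqranh7.onion/sTCXTykX "
    "http://goldeny4vs3nyoht.onion/sTCXTykX 3. Enter your personal decryption "
    "code there: sTCXTykX4suKWYkhXx5DfnE2SoveLasU7cCNtyNhdyAaXN8QHyuZ2WUTmDSQ"
    "JHFGzc7uYZFr4ndYHwxf5iLEw1WNuWrWweP8"
)

# v2 (16-char) or v3 (56-char) .onion host, with an optional single path token.
ONION_URL_RE = re.compile(
    r"https?://(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion(?:/([A-Za-z0-9]+))?")
FAMILY_RE = re.compile(r"victim of the (.+?) RANSOMWARE")
CODE_RE = re.compile(r"personal decryption code there:\s*([A-Za-z0-9]+)")


def parse_ransom_note(text):
    """Pull the family string, payment URLs, per-victim URL token and the
    'personal decryption code' out of a GoldenEye-style note."""
    urls, tokens = [], set()
    for m in ONION_URL_RE.finditer(text):
        urls.append(m.group(0))
        if m.group(1):
            tokens.add(m.group(1))
    fam = FAMILY_RE.search(text)
    code = CODE_RE.search(text)
    return {
        "family": fam.group(1).strip() if fam else None,
        "urls": urls,
        "victim_tokens": sorted(tokens),
        "code": code.group(1) if code else None,
    }


def token_is_code_prefix(parsed):
    """In this sample each URL path token is the first 8 characters of the
    decryption code; this ties a note on disk to the URLs an analyst sees."""
    code = parsed["code"] or ""
    tokens = parsed["victim_tokens"]
    return bool(tokens) and all(code.startswith(t) for t in tokens)


def iocs_from_note(parsed):
    """Flatten the parse result into the indicators you would hand to a blocklist."""
    hosts = sorted({u.split("//", 1)[1].split("/", 1)[0] for u in parsed["urls"]})
    return {"onion_hosts": hosts, "victim_tokens": parsed["victim_tokens"]}


if __name__ == "__main__":
    parsed = parse_ransom_note(SAMPLE_NOTE)
    print(parsed["family"], parsed["urls"], parsed["victim_tokens"])
    print("token is code prefix:", token_is_code_prefix(parsed))
    print(iocs_from_note(parsed))
```

The .onion hosts and the victim token are the indicators worth sharing; the full decryption code is per-victim and identifies the infected host, so treat it as sensitive rather than as a detection string.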

Signatures

  • Seon

    Sandbox family signature: the Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018. Note that the ransom note extracted from this sample self-identifies as GOLDENEYE, so treat the family label as a signature match to confirm rather than a definitive attribution.

  • Renames multiple (849) files with added filename extension

    Mass renaming of files with an appended extension is characteristic of ransomware encrypting the files on the system.

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\56.exe
    "C:\Users\Admin\AppData\Local\Temp\56.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Users\Admin\AppData\Roaming\{10b06dc9-d0b4-4277-acc0-de2d9d3f13ff}\eudcedit.exe
      "C:\Users\Admin\AppData\Roaming\{10b06dc9-d0b4-4277-acc0-de2d9d3f13ff}\eudcedit.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:452
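
The process tree above shows the submitted sample copying itself to `%AppData%\Roaming\{GUID}\eudcedit.exe` (the dropped file carries the same MD5/SHA1/SHA256 as `56.exe`, see Downloads), the child writing the ransom note to `C:\Users\Public`, and 849 files being renamed with an added extension. The detection logic below is an added example (not from the report and not the sandbox's own signature code) that turns those three behaviours into rules over a Sysmon-like event stream. The event stream is constructed to mirror this tree; the explorer.exe hash, the `.locked` extension and the threshold of 50 are placeholders, since the report does not name the extension the sample appends.

```python
import re
from collections import Counter

# Indicators taken from the report above.
SAMPLE_SHA256 = "640d57062a58daf8cde747d115085e323923d5f297fe6e76960c0953a1c75139"
RANSOM_NOTE_PATH = r"C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT"
DROPPED_IMAGE = (r"C:\Users\Admin\AppData\Roaming"
                 r"\{10b06dc9-d0b4-4277-acc0-de2d9d3f13ff}\eudcedit.exe")

# Rule 1: an .exe launched from %AppData%\Roaming\{GUID}\ (any GUID, not only
# the one seen here) whose image hash equals its parent's, i.e. a self-copy.
DROPPED_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-"
    r"[0-9a-f]{12}\}\\[^\\]+\.exe$", re.IGNORECASE)
# Rule 3: a user document that gained an extra trailing extension.
DOUBLE_EXT_RE = re.compile(
    r"\.(docx?|xlsx?|pptx?|pdf|jpe?g|png|txt)\.[A-Za-z0-9]{2,8}$", re.IGNORECASE)
MASS_RENAME_THRESHOLD = 50  # hypothetical tuning value; the sandbox saw 849


def detect(events):
    """Evaluate the three rules over Sysmon-like events and return alerts.
    Each event is a dict with 'type' = 'process_create' (pid, ppid, image,
    sha256) or 'file_create' (pid, path)."""
    alerts = []
    image_hash = {}            # pid -> sha256 of the process image
    double_ext = Counter()     # pid -> files written with an added extension
    for ev in events:
        if ev["type"] == "process_create":
            image_hash[ev["pid"]] = ev["sha256"]
            if (DROPPED_EXE_RE.search(ev["image"])
                    and image_hash.get(ev["ppid"]) == ev["sha256"]):
                alerts.append({"rule": "dropped_self_copy", "pid": ev["pid"],
                               "image": ev["image"]})
        elif ev["type"] == "file_create":
            if ev["path"].lower() == RANSOM_NOTE_PATH.lower():
                alerts.append({"rule": "ransom_note", "pid": ev["pid"],
                               "path": ev["path"]})
            elif DOUBLE_EXT_RE.search(ev["path"]):
                double_ext[ev["pid"]] += 1
    for pid, n in double_ext.items():
        if n >= MASS_RENAME_THRESHOLD:
            alerts.append({"rule": "mass_rename", "pid": pid, "count": n})
    return alerts


def build_sample_events():
    """Constructed event stream mirroring the process tree above, plus benign
    noise. The explorer.exe hash and the '.locked' extension are placeholders
    (the report does not name the extension the sample appends)."""
    events = [
        {"type": "process_create", "pid": 1000, "ppid": 900,
         "image": r"C:\Windows\explorer.exe", "sha256": "explorer-hash-placeholder"},
        {"type": "process_create", "pid": 2572, "ppid": 1000,
         "image": r"C:\Users\Admin\AppData\Local\Temp\56.exe", "sha256": SAMPLE_SHA256},
        {"type": "process_create", "pid": 452, "ppid": 2572,
         "image": DROPPED_IMAGE, "sha256": SAMPLE_SHA256},
        {"type": "file_create", "pid": 452, "path": RANSOM_NOTE_PATH},
        # benign: a document saved normally keeps a single extension, no alert
        {"type": "file_create", "pid": 1000, "path": r"C:\Users\Admin\Documents\notes.docx"},
    ]
    for i in range(60):
        events.append({"type": "file_create", "pid": 452,
                       "path": rf"C:\Users\Admin\Documents\report{i}.docx.locked"})
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

The self-copy rule keys on the hash relationship rather than the file name, because `eudcedit.exe` is a legitimate Windows tool name chosen to blend in; the GUID-named folder under `Roaming` is the stronger path signal. Tune the rename threshold to the environment, since backup and archiving software can also emit bursts of double-extension writes.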

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\{10b06dc9-d0b4-4277-acc0-de2d9d3f13ff}\eudcedit.exe

    Filesize

    147KB

    MD5

    691bc42ad3905fa13d1f088e1aaf07c8

    SHA1

    4747422f504a5b8638a53255905bc759316cdf45

    SHA256

    640d57062a58daf8cde747d115085e323923d5f297fe6e76960c0953a1c75139

    SHA512

    18ec42ef13042539460e20f339a0495c1d87ff3764476fd5dd53197788df4a233879a9c8f709a89915a0f9bca46a3af85cd7b0b7426c2f89620b10ffee506431

  • C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

    Filesize

    778B

    MD5

    5fdbfdcba53ea28b9695a1a9cf3f0383

    SHA1

    18a226b38b06c0d14f48515d4fdb67a472270d0d

    SHA256

    9484c544201b630ee71f0d22636812ae0efe613520c1ac18ba6065dd0c0474c8

    SHA512

    979fd3bb488386e3f41831e091b2e2d02030400e40b03e39998b2f311f3d7f7ca43ac184e7dbea97dec91595bcada85d6925a2237f116d1b0ce2688a47f25ed2

  • memory/452-14-0x00000000006E0000-0x00000000006EC000-memory.dmp

    Filesize

    48KB

  • memory/452-15-0x00000000006F0000-0x0000000000701000-memory.dmp

    Filesize

    68KB

  • memory/452-16-0x00000000006F0000-0x0000000000701000-memory.dmp

    Filesize

    68KB

  • memory/452-1720-0x00000000006F0000-0x0000000000701000-memory.dmp

    Filesize

    68KB

  • memory/452-1721-0x00000000006F0000-0x0000000000701000-memory.dmp

    Filesize

    68KB

  • memory/2572-0-0x00000000008A0000-0x00000000008AC000-memory.dmp

    Filesize

    48KB

  • memory/2572-1-0x00000000008B0000-0x00000000008C1000-memory.dmp

    Filesize

    68KB

  • memory/2572-12-0x00000000008A0000-0x00000000008AC000-memory.dmp

    Filesize

    48KB

  • memory/2572-11-0x00000000008B0000-0x00000000008C1000-memory.dmp

    Filesize

    68KB