General

  • Target

    1cdaa3c87b640f749452205df24cd3b9338dbfac5a2c73a96ea20f41e9a799e0

  • Size

    85KB

  • Sample

    240922-mxh7xswaml

  • MD5

    5d8487a7c2c353006ad40886b6cd41a0

  • SHA1

    52fff7297a47cd9558f158117886236612c8be86

  • SHA256

    1cdaa3c87b640f749452205df24cd3b9338dbfac5a2c73a96ea20f41e9a799e0

  • SHA512

    fbe625a0c1d7b462f12b4d66acc52df622b3eb6293c549799b0daf95a907b0df292770d8456107a9b1cef5ff1434dde8659aa73715b9fc0cff0586b34e0ea8fc

  • SSDEEP

    1536:Sw6ovd79W0/sZPQ0gSI84xvDiubx6xkccjIe8JH3zra33jLkDAu98KqLQU:ooF7MtZPQteulscjIeWODLkzvq/

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/tB1Yc3Ew http://goldeny4vs3nyoht.onion/tB1Yc3Ew 3. Enter your personal decryption code there: tB1Yc3EwbLHYRapG3RtrhASqXhZjHrao6sYC9i88sPL935dqYHFM3dxB6mhLrEVw2eYfxmvZsoFSaMH3uqu5tqa687iUmGTj
URLs

http://golden5a4eqranh7.onion/tB1Yc3Ew

http://goldeny4vs3nyoht.onion/tB1Yc3Ew

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/xxPnrTJW http://goldeny4vs3nyoht.onion/xxPnrTJW 3. Enter your personal decryption code there: xxPnrTJWyVeCT852bL5BdaemxwdGxxNxJGgeCvxGFEg8irh3HNdWU1ZK2q2n8w5aFtfEvkAnRzgK2X77zTULkCZvGx6kSV6H
URLs

http://golden5a4eqranh7.onion/xxPnrTJW

http://goldeny4vs3nyoht.onion/xxPnrTJW

Targets

    • Target

      56

    • Size

      147KB

    • MD5

      691bc42ad3905fa13d1f088e1aaf07c8

    • SHA1

      4747422f504a5b8638a53255905bc759316cdf45

    • SHA256

      640d57062a58daf8cde747d115085e323923d5f297fe6e76960c0953a1c75139

    • SHA512

      18ec42ef13042539460e20f339a0495c1d87ff3764476fd5dd53197788df4a233879a9c8f709a89915a0f9bca46a3af85cd7b0b7426c2f89620b10ffee506431

    • SSDEEP

      3072:U9dUEfLpw3gCidSMFztbGw9Pz5DHrN+Ch:U9d/w3gN/pZH

    • Seon

      The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    • Renames multiple (243) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks