Overview

overview

10

Static

static

10

Tear.exe

windows7-x64

10

adochi.exe

windows7-x64

7

autoit.exe

windows7-x64

10

autoit2.exe

windows7-x64

10

autoit3.exe

windows7-x64

10

deviation.exe

windows7-x64

8

encoder.exe

windows7-x64

10

encoder2.exe

windows7-x64

9

encoder3.exe

windows7-x64

10

encoder4.exe

windows7-x64

5

encoder5.exe

windows7-x64

10

erebus.exe

windows7-x64

9

myxaha.exe

windows7-x64

7

$LOCALAPPD...er.exe

windows7-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDIR/inetc.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows7-x64

7

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...om.dll

windows7-x64

5

trucry.exe

windows7-x64

10

wlock.exe

windows7-x64

3

wlock2.exe

windows7-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    encoder5.exe

  • Size

    62KB

  • MD5

    1a6820fec1c45cd9c928533090e7908d

  • SHA1

    9df9d1e4579a0f759db01951ff616019c6c9196e

  • SHA256

    a89591555b9acb65353c2b854e582bc41db2fbc0eda2210b89a877d1862084df

  • SHA512

    c6eed68a0fbdb05bf504676e1c0816660f856ae768b7340678b9d84d909fce267066b2e314148521563309c466fdec7d74f00d1addb1a14abe15163d2203a81a

  • SSDEEP

    768:hK3mGmDuuNXM1KPptWOahoICS4AIA4DZqB87pdMFtb8cmY11f3qrVBUoxygse3l:hK3UDugp88ICS4AR4tA8lCFtb8If6

Score
10/10
seondiscoveryransomwaretrojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
SEON RANSOMWARE ver 0.2 all your files has been encrypted There is only way to get your files back: contact with us We accept Bitcoin and other cryptocurrencies Do not try to reinstall operation system on your computer Do not try to decrypt files with third party tools, this can lead to data loss You can decrypt 1 file for free Our contact emails: [email protected] [email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme.hta

Ransom Note
All your documents, photos, databases and other important files have been encrypted and you can't decrypt it yourself. No one but us can return your files. Free decryption utility does not exist. Each file is encrypted with its unique key, cryptography based on elliptic curves, key recovery is impossible. Focus on the problem, follow your instructions and everything will be fine. DON'T PANIC! YOU CAN RETURN ALL YOUR FILES! FREE decrypting as guarantee You can test decryption 1 any file for free (with help our special software " SEON Decryptor "). What to do? First you should write me and i'll send you a special software " SEON Decryptor " (this software needed to decrypt encrypted files). To start the process of decrypting ALL files, you need buy key to the " SEON Decryptor ". Contacts E-Mail: [email protected] E-Mail: [email protected] Attention! Decryption keys are individual, the keys of other users will not work for you Do not try to decrypt files with third party tools, this can lead to data loss Do not try to reinstall operation system on your computer

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    trojanransomwareseon
  • Seon family
    seon
  • Renames multiple (244) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\encoder5.exe
    "C:\Users\Admin\AppData\Local\Temp\encoder5.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\mshta.exe
      mshta.exe C:\Users\Admin\AppData\Local\Temp\readme.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\YOUR_FILES_ARE_ENCRYPTED.TXT
    Filesize

    413B

    MD5

    ad9a93a93a3c387f3f63a97a9d927481

    SHA1

    8891ead23e82e15cf283b37a801b44fe2f718fe5

    SHA256

    3a678365cacdb73695b3df18c743b340c6ad801f4caee7985c06798d3894edb4

    SHA512

    dd87fa36210b9053d4b87b7aaf35767619c50700a6e57f5316cc1659711c3ab13736b486727e9fd63be500e27528839274f2f44ec4d0df8b711ebe5bc8decc62

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\readme.hta
    Filesize

    16KB

    MD5

    648ec33ca711ee08410f0cdbbc60325e

    SHA1

    7dd2e502ca3366e090b08565c879371bbb6af028

    SHA256

    83760bdab06a2b3214871d736e8c0705818fc0f668e294d5d0aa3ca1e6ae426b

    SHA512

    3a77d9ac2629bf4c524f8f0178620bda5cc5a1c814a17a6db4a4d8eb5c43c141762204fe593fdb54fe4405f052143c69e8bbc178db9c7846d8ec7b0fe36fe2c8

    Download Submit