Overview (score 10)
Static (score 10)

Behavioral tasks (sample, platform, score):
Tear.exe             windows7-x64        10
Tear.exe             windows10-2004-x64  10
adochi.exe           windows7-x64        7
adochi.exe           windows10-2004-x64  7
autoit.exe           windows7-x64        10
autoit.exe           windows10-2004-x64  6
autoit2.exe          windows7-x64        10
autoit2.exe          windows10-2004-x64  10
autoit3.exe          windows7-x64        10
autoit3.exe          windows10-2004-x64  10
deviation.exe        windows7-x64        8
deviation.exe        windows10-2004-x64  8
encoder.exe          windows7-x64        10
encoder.exe          windows10-2004-x64  10
encoder2.exe         windows7-x64        9
encoder2.exe         windows10-2004-x64  (no score)
encoder3.exe         windows7-x64        10
encoder3.exe         windows10-2004-x64  10
encoder4.exe         windows7-x64        5
encoder4.exe         windows10-2004-x64  5
encoder5.exe         windows7-x64        10
encoder5.exe         windows10-2004-x64  10
erebus.exe           windows7-x64        9
erebus.exe           windows10-2004-x64  7
myxaha.exe           windows7-x64        7
myxaha.exe           windows10-2004-x64  7
$LOCALAPPD...er.exe  windows7-x64        7
$LOCALAPPD...er.exe  windows10-2004-x64  7
$PLUGINSDI...LL.dll  windows7-x64        3
$PLUGINSDI...LL.dll  windows10-2004-x64  3
$PLUGINSDI...em.dll  windows7-x64        3
$PLUGINSDI...em.dll  windows10-2004-x64  3

Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 00:24
Behavioral tasks (task, sample, resource):
behavioral1   Tear.exe                             win7-20240903-en
behavioral2   Tear.exe                             win10v2004-20241007-en
behavioral3   adochi.exe                           win7-20240903-en
behavioral4   adochi.exe                           win10v2004-20241007-en
behavioral5   autoit.exe                           win7-20241010-en
behavioral6   autoit.exe                           win10v2004-20241007-en
behavioral7   autoit2.exe                          win7-20240903-en
behavioral8   autoit2.exe                          win10v2004-20241007-en
behavioral9   autoit3.exe                          win7-20240903-en
behavioral10  autoit3.exe                          win10v2004-20241007-en
behavioral11  deviation.exe                        win7-20240903-en
behavioral12  deviation.exe                        win10v2004-20241007-en
behavioral13  encoder.exe                          win7-20240729-en
behavioral14  encoder.exe                          win10v2004-20241007-en
behavioral15  encoder2.exe                         win7-20240708-en
behavioral16  encoder2.exe                         win10v2004-20241007-en
behavioral17  encoder3.exe                         win7-20241010-en
behavioral18  encoder3.exe                         win10v2004-20241007-en
behavioral19  encoder4.exe                         win7-20241010-en
behavioral20  encoder4.exe                         win10v2004-20241007-en
behavioral21  encoder5.exe                         win7-20240903-en
behavioral22  encoder5.exe                         win10v2004-20241007-en
behavioral23  erebus.exe                           win7-20240708-en
behavioral24  erebus.exe                           win10v2004-20241007-en
behavioral25  myxaha.exe                           win7-20240903-en
behavioral26  myxaha.exe                           win10v2004-20241007-en
behavioral27  $LOCALAPPDATA/ConduitInstaller.exe   win7-20240729-en
behavioral28  $LOCALAPPDATA/ConduitInstaller.exe   win10v2004-20241007-en
behavioral29  $PLUGINSDIR/LangDLL.dll              win7-20241010-en
behavioral30  $PLUGINSDIR/LangDLL.dll              win10v2004-20241007-en
behavioral31  $PLUGINSDIR/System.dll               win7-20241023-en
behavioral32  $PLUGINSDIR/System.dll               win10v2004-20241007-en
General
Target: encoder5.exe
Size: 62KB
MD5: 1a6820fec1c45cd9c928533090e7908d
SHA1: 9df9d1e4579a0f759db01951ff616019c6c9196e
SHA256: a89591555b9acb65353c2b854e582bc41db2fbc0eda2210b89a877d1862084df
SHA512: c6eed68a0fbdb05bf504676e1c0816660f856ae768b7340678b9d84d909fce267066b2e314148521563309c466fdec7d74f00d1addb1a14abe15163d2203a81a
SSDEEP: 768:hK3mGmDuuNXM1KPptWOahoICS4AIA4DZqB87pdMFtb8cmY11f3qrVBUoxygse3l:hK3UDugp88ICS4AR4tA8lCFtb8If6
Malware Config
Extracted from: C:\MSOCache\All Users\YOUR_FILES_ARE_ENCRYPTED.TXT
Extracted from: C:\Users\Admin\AppData\Local\Temp\readme.hta
Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

Seon family

Renames multiple (259) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\M:  encoder5.exe
File opened (read-only)  \??\B:  encoder5.exe
File opened (read-only)  \??\G:  encoder5.exe
File opened (read-only)  \??\H:  encoder5.exe
File opened (read-only)  \??\I:  encoder5.exe
File opened (read-only)  \??\L:  encoder5.exe
File opened (read-only)  \??\P:  encoder5.exe
File opened (read-only)  \??\U:  encoder5.exe
File opened (read-only)  \??\V:  encoder5.exe
File opened (read-only)  \??\A:  encoder5.exe
File opened (read-only)  \??\F:  encoder5.exe
File opened (read-only)  \??\K:  encoder5.exe
File opened (read-only)  \??\N:  encoder5.exe
File opened (read-only)  \??\O:  encoder5.exe
File opened (read-only)  \??\X:  encoder5.exe
File opened (read-only)  \??\Y:  encoder5.exe
File opened (read-only)  \??\Z:  encoder5.exe
File opened (read-only)  \??\E:  encoder5.exe
File opened (read-only)  \??\J:  encoder5.exe
File opened (read-only)  \??\S:  encoder5.exe
File opened (read-only)  \??\T:  encoder5.exe
File opened (read-only)  \??\W:  encoder5.exe
File opened (read-only)  \??\D:  encoder5.exe
File opened (read-only)  \??\Q:  encoder5.exe
File opened (read-only)  \??\R:  encoder5.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  encoder5.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe

Modifies Internet Explorer settings
description  ioc                                                                                          Process
Key created  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid   Process       procid_target
PID 1764 wrote to memory of 1672   1764  encoder5.exe  32
PID 1764 wrote to memory of 1672   1764  encoder5.exe  32
PID 1764 wrote to memory of 1672   1764  encoder5.exe  32
PID 1764 wrote to memory of 1672   1764  encoder5.exe  32
Processes

1. C:\Users\Admin\AppData\Local\Temp\encoder5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\encoder5.exe"
   PID: 1764
   - Enumerates connected drives
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\mshta.exe (child of PID 1764)
      Command line: mshta.exe C:\Users\Admin\AppData\Local\Temp\readme.hta
      PID: 1672
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 413B
MD5: ad9a93a93a3c387f3f63a97a9d927481
SHA1: 8891ead23e82e15cf283b37a801b44fe2f718fe5
SHA256: 3a678365cacdb73695b3df18c743b340c6ad801f4caee7985c06798d3894edb4
SHA512: dd87fa36210b9053d4b87b7aaf35767619c50700a6e57f5316cc1659711c3ab13736b486727e9fd63be500e27528839274f2f44ec4d0df8b711ebe5bc8decc62

File 2
Filesize: 16KB
MD5: 648ec33ca711ee08410f0cdbbc60325e
SHA1: 7dd2e502ca3366e090b08565c879371bbb6af028
SHA256: 83760bdab06a2b3214871d736e8c0705818fc0f668e294d5d0aa3ca1e6ae426b
SHA512: 3a77d9ac2629bf4c524f8f0178620bda5cc5a1c814a17a6db4a4d8eb5c43c141762204fe593fdb54fe4405f052143c69e8bbc178db9c7846d8ec7b0fe36fe2c8