seon | 7ba9adc6a0d487a4748d1a1474b07d359f4695d41841dfc920ff4eada910d797

General

Target

7ba9adc6a0d487a4748d1a1474b07d359f4695d41841dfc920ff4eada910d797.exe
Size

79KB
MD5

0ebc107a0fb56d77759a635e9d043228
SHA1

ec7a1e7132f5c3140ff06c542782388576a128f8
SHA256

7ba9adc6a0d487a4748d1a1474b07d359f4695d41841dfc920ff4eada910d797
SHA512

794eda52f2ff8b10518f59963ce6018b1b954a65bbe662d1b5db761f1ec9828cbdbcdff079fb39f08cf2ae151cdb3cc90c422501ace427637d20f502bffab9fe
SSDEEP

1536:/tUknV9M6+ygXCNoNGtmFWZPhV8owtnMQPo9NSw249gdhwA2jeddMB:fCygXkoNGtmQZ5wbAzSm9gdhj2a6B

Score

10^/10

seon discovery ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/x4UXrJWs http://goldeny4vs3nyoht.onion/x4UXrJWs 3. Enter your personal decryption code there: x4UXrJWshfrokmc5akXWLzgaGFK5fbCxDFyMiQ9tP9jX1wH9eBmbhhHz9dnpeahbipA9fMcHEFj6UsQSoMwmfX73bwaqQ3w5

URLs

http://golden5a4eqranh7.onion/x4UXrJWs

http://goldeny4vs3nyoht.onion/x4UXrJWs

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Seon family
seon
Renames multiple (235) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
3000	winrs.exe

Loads dropped DLL 1 IoCs

pid	Process
2844	7ba9adc6a0d487a4748d1a1474b07d359f4695d41841dfc920ff4eada910d797.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ba9adc6a0d487a4748d1a1474b07d359f4695d41841dfc920ff4eada910d797.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3000	2844	7ba9adc6a0d487a4748d1a1474b07d359f4695d41841dfc920ff4eada910d797.exe	30
PID 2844 wrote to memory of 3000	2844	7ba9adc6a0d487a4748d1a1474b07d359f4695d41841dfc920ff4eada910d797.exe	30
PID 2844 wrote to memory of 3000	2844	7ba9adc6a0d487a4748d1a1474b07d359f4695d41841dfc920ff4eada910d797.exe	30
PID 2844 wrote to memory of 3000	2844	7ba9adc6a0d487a4748d1a1474b07d359f4695d41841dfc920ff4eada910d797.exe	30

C:\Users\Admin\AppData\Local\Temp\7ba9adc6a0d487a4748d1a1474b07d359f4695d41841dfc920ff4eada910d797.exe
"C:\Users\Admin\AppData\Local\Temp\7ba9adc6a0d487a4748d1a1474b07d359f4695d41841dfc920ff4eada910d797.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Roaming\{00ec0657-94d1-4632-ac3a-2c7ae3a85520}\winrs.exe
  "C:\Users\Admin\AppData\Roaming\{00ec0657-94d1-4632-ac3a-2c7ae3a85520}\winrs.exe"
  2⤵
  - Executes dropped EXE
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
a3d7dfa77c9d9c6ac07fee384cde34c5

SHA1
866667244f32fc3f3130d734cfd723c21de59173

SHA256
ea66180e81cad244290bf356eff416c4f3b9e142b49c29bbdf50fe58ed31d360

SHA512
a5513e870519079a8aede9f6e703918caa88784ef72cf458243c3d722333289272faa23ec586c784e8b1ff1ea17b88f8c0b81cb1bf0ac295076daf4da1db6946

Download Submit
\Users\Admin\AppData\Roaming\{00ec0657-94d1-4632-ac3a-2c7ae3a85520}\winrs.exe

Filesize
79KB

MD5
0ebc107a0fb56d77759a635e9d043228

SHA1
ec7a1e7132f5c3140ff06c542782388576a128f8

SHA256
7ba9adc6a0d487a4748d1a1474b07d359f4695d41841dfc920ff4eada910d797

SHA512
794eda52f2ff8b10518f59963ce6018b1b954a65bbe662d1b5db761f1ec9828cbdbcdff079fb39f08cf2ae151cdb3cc90c422501ace427637d20f502bffab9fe

Download Submit
memory/2844-2-0x00000000001E0000-0x00000000001F1000-memory.dmp

Filesize
68KB

Download
memory/2844-1-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2844-16-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2844-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3000-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3000-19-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/3000-20-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/3000-18-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/3000-499-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/3000-498-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3000-496-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing