seon | 8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8ab

General

Target

8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe
Size

79KB
MD5

a8f66777bacc19d0ec304b2a5a5e69f0
SHA1

f0805638985fde45bb8024ea1cbd727747d666ea
SHA256

8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8ab
SHA512

90691c21d028f50f854b3ba10ba24523b43f256c45522ba22ff7eabeab430e1b554a800c844fe0357158f21694548184217d0486dcd7f2d370afa4b133006c25
SSDEEP

1536:/tUknV9M6+ygXCNoNGtmFWZPhV8owtnMQPo9NSw249gdhwA2jeddCj:fCygXkoNGtmQZ5wbAzSm9gdhj2aMj

Score

10^/10

seon discovery ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/nZs9ZuNv http://goldeny4vs3nyoht.onion/nZs9ZuNv 3. Enter your personal decryption code there: nZs9ZuNvnFMPNDkhbGbdUgzUP3KgxXiG1vRoVtve6a1wikKsmkpd6agBjWv5i6c768k2wm3538sNzEAHQwsMAyBbTezgZLC4

URLs

http://golden5a4eqranh7.onion/nZs9ZuNv

http://goldeny4vs3nyoht.onion/nZs9ZuNv

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Seon family
seon
Renames multiple (240) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
784	diskpart.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 784	2384	8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe	30
PID 2384 wrote to memory of 784	2384	8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe	30
PID 2384 wrote to memory of 784	2384	8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe	30
PID 2384 wrote to memory of 784	2384	8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe	30

C:\Users\Admin\AppData\Local\Temp\8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe
"C:\Users\Admin\AppData\Local\Temp\8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Roaming\{fbd6bded-912c-4f21-8b46-9316c95bd8cf}\diskpart.exe
  "C:\Users\Admin\AppData\Roaming\{fbd6bded-912c-4f21-8b46-9316c95bd8cf}\diskpart.exe"
  2⤵
  - Executes dropped EXE
  PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{fbd6bded-912c-4f21-8b46-9316c95bd8cf}\diskpart.exe

Filesize
79KB

MD5
a8f66777bacc19d0ec304b2a5a5e69f0

SHA1
f0805638985fde45bb8024ea1cbd727747d666ea

SHA256
8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8ab

SHA512
90691c21d028f50f854b3ba10ba24523b43f256c45522ba22ff7eabeab430e1b554a800c844fe0357158f21694548184217d0486dcd7f2d370afa4b133006c25

Download Submit
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
cb264056128a03108057a1bb95ec8f8b

SHA1
882c3042000549827c8930a25bbe20eb2857fc37

SHA256
19e023023419edd4b2bd41acd593413a0f11ac634acd9299643a985eb6b73f0c

SHA512
b2f0cdf72c15827a254898d6bd9d309763bd84d2e79934ea83c57dcf31b6c656d205131a1f68cbd4ee78eb96a307d7947b3ae7a42a2b629114bc09aa4c4677b2

Download Submit
memory/784-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/784-17-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/784-18-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/784-19-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/784-505-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/784-508-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/784-507-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2384-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2384-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2384-1-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/2384-2-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing