seon | 8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8ab

General

Target

8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe
Size

79KB
MD5

a8f66777bacc19d0ec304b2a5a5e69f0
SHA1

f0805638985fde45bb8024ea1cbd727747d666ea
SHA256

8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8ab
SHA512

90691c21d028f50f854b3ba10ba24523b43f256c45522ba22ff7eabeab430e1b554a800c844fe0357158f21694548184217d0486dcd7f2d370afa4b133006c25
SSDEEP

1536:/tUknV9M6+ygXCNoNGtmFWZPhV8owtnMQPo9NSw249gdhwA2jeddCj:fCygXkoNGtmQZ5wbAzSm9gdhj2aMj

Score

10^/10

seon discovery ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/pGRuG5hc http://goldeny4vs3nyoht.onion/pGRuG5hc 3. Enter your personal decryption code there: pGRuG5hcceawMrXt7T2xRvatJmdeLX3gbGmA3mS855MtycP3dVvLndpaEXf4e9j6zqx2Hix3rEg74mf7FLndKQfvkaKkMP56

URLs

http://golden5a4eqranh7.onion/pGRuG5hc

http://goldeny4vs3nyoht.onion/pGRuG5hc

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Seon family
seon
Renames multiple (847) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
4008	getmac.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 4008	4732	8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe	86
PID 4732 wrote to memory of 4008	4732	8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe	86
PID 4732 wrote to memory of 4008	4732	8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe	86

C:\Users\Admin\AppData\Local\Temp\8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe
"C:\Users\Admin\AppData\Local\Temp\8421ee120052d1929b0f23bc01d4f14a6f215c53859666596478f64a240dd8abN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Roaming\{fc6f6a2b-0864-4a96-a444-ebda6075a439}\getmac.exe
  "C:\Users\Admin\AppData\Roaming\{fc6f6a2b-0864-4a96-a444-ebda6075a439}\getmac.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{fc6f6a2b-0864-4a96-a444-ebda6075a439}\getmac.exe

Filesize
79KB

MD5
e848f9a37f0269e1885694f656f8432b

SHA1
73fe6975fe98774ffbb6ad43b70f4e80122522b9

SHA256
ff3f3f62b0bfd77d16848ca8c26156309dfbd5de6c3752ca19fdb70e839e60ef

SHA512
bc9aad92e3c29b3145e5b277f5546296f4d01e1d523ade82463c438a5e770f747219e5af9e92d4718b2e67a90fe52e76671b043e1c94345539ba0a3edeac2112

Download Submit
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
0fea7f4145e965dedfa5dd8f81108139

SHA1
70b039036747a07fb66ce82580ed3bc4661ee6ad

SHA256
8f056c36a4d29ab763dcdd777c0346306c894160b6494c4fc54dfa5002eb8d00

SHA512
5d9efadd198fa20ab24f850bbd0d372875773772746da8945ad07818208c0b6f8ad0fe252d07f6f84a5df2e67a736a2c8d519b83eff23e2069596508ea5e2549

Download Submit
memory/4008-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4008-17-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/4008-18-0x00000000005A0000-0x00000000005B1000-memory.dmp

Filesize
68KB

Download
memory/4008-19-0x00000000005A0000-0x00000000005B1000-memory.dmp

Filesize
68KB

Download
memory/4008-1719-0x00000000005A0000-0x00000000005B1000-memory.dmp

Filesize
68KB

Download
memory/4008-1721-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4732-2-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/4732-15-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/4732-14-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/4732-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4732-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4732-1-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing