Overview

overview

10

Static

static

3

c5f08d2817...bN.exe

windows7-x64

10

c5f08d2817...bN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    13s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    05/02/2025, 14:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184bN.exe

  • Size

    79KB

  • MD5

    2697ae10cca38a1a00a4a68c19cc8790

  • SHA1

    3b9925f871fdaeab32ee58979d68c0ee63070070

  • SHA256

    c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184b

  • SHA512

    d78692a5808262c2f1ffde68ce3c96ac6bdeb5b2db279d0173059951f951ceecf7188042ab3345e6c594f36123b8708ccce845b229f69beb9a27d9c848ad266a

  • SSDEEP

    1536:/tUknV9M6+ygXCNoNGtmFWZPhV8owtnMQPo9NSw249gdhwA2jeddMJ:fCygXkoNGtmQZ5wbAzSm9gdhj2a6J

Score
10/10
seondiscoveryransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/tdXGi7Ge http://goldeny4vs3nyoht.onion/tdXGi7Ge 3. Enter your personal decryption code there: tdXGi7GexfZJeiHrJVyxVzAS5PgQqQyHYKxmq4SLAvKG6NZCBRAmzxR4eNAZxPRJJBfkHuktNQwaTmEm2jk2dNhtxVw3bCC8
URLs

http://golden5a4eqranh7.onion/tdXGi7Ge

http://goldeny4vs3nyoht.onion/tdXGi7Ge

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    trojanransomwareseon
  • Seon family
    seon
  • Renames multiple (194) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184bN.exe
    "C:\Users\Admin\AppData\Local\Temp\c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184bN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Users\Admin\AppData\Roaming\{23dbc494-0665-4f57-950e-6316add9f720}\LocationNotifications.exe
      "C:\Users\Admin\AppData\Roaming\{23dbc494-0665-4f57-950e-6316add9f720}\LocationNotifications.exe"
      2⤵
      • Executes dropped EXE
      PID:604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT
    Filesize

    778B

    MD5

    d65842ffae355499f26c970868bb3d34

    SHA1

    b79707cf413ddd4d114105e28eedb2a62fa0858d

    SHA256

    5a7894f5d00fa1c1f4d5605c05b42274b6eddacae472dcbd1aee836461a1de02

    SHA512

    bf9977a4272351cb49f358f374f8f04d3a303bcdc354638990e40ec4ab593efef6093ba74886865a506de602c5fbc104b6058403791730e89a8c44a48b167199

    Download Submit

  • \Users\Admin\AppData\Roaming\{23dbc494-0665-4f57-950e-6316add9f720}\LocationNotifications.exe
    Filesize

    79KB

    MD5

    c095b6cf352dfd3958c4419186c602de

    SHA1

    c76ff34c41ccb241cdc2cb8852b51ba3c03fb1ee

    SHA256

    d02de5b4c56fd789b94025d0e81750abaec5036b6862785f1092f5a0dda3c8d7

    SHA512

    aef08b4a202d8d40a80d70c7cb73fbd301b4c13bdc2205ad758414f5e75090f33ed8f8672d8a012d5699c6ff65d6a1a1d5264878c1f85c51affc5c609209b17f

    Download Submit

  • memory/604-19-0x0000000000230000-0x000000000023C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/604-18-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/604-20-0x0000000000240000-0x0000000000251000-memory.dmp

    Filesize

    68KB

    Download

  • memory/604-21-0x0000000000240000-0x0000000000251000-memory.dmp

    Filesize

    68KB

    Download

  • memory/604-415-0x0000000000240000-0x0000000000251000-memory.dmp

    Filesize

    68KB

    Download

  • memory/604-416-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2576-2-0x0000000000240000-0x0000000000251000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2576-10-0x00000000002E0000-0x000000000030C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2576-17-0x0000000000230000-0x000000000023C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2576-16-0x0000000000240000-0x0000000000251000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2576-15-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2576-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2576-1-0x0000000000230000-0x000000000023C000-memory.dmp

    Filesize

    48KB

    Download