seon | c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184b

General

Target

c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184bN.exe
Size

79KB
MD5

2697ae10cca38a1a00a4a68c19cc8790
SHA1

3b9925f871fdaeab32ee58979d68c0ee63070070
SHA256

c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184b
SHA512

d78692a5808262c2f1ffde68ce3c96ac6bdeb5b2db279d0173059951f951ceecf7188042ab3345e6c594f36123b8708ccce845b229f69beb9a27d9c848ad266a
SSDEEP

1536:/tUknV9M6+ygXCNoNGtmFWZPhV8owtnMQPo9NSw249gdhwA2jeddMJ:fCygXkoNGtmQZ5wbAzSm9gdhj2a6J

Score

10^/10

seon discovery ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/nQDuNjnP http://goldeny4vs3nyoht.onion/nQDuNjnP 3. Enter your personal decryption code there: nQDuNjnPrAnJKJeYjATfJXqLDLMdjLUkFudVp2nncwVSDj5nubYr31RbaYe6MAfYfTZ7Ry9ihWiUGxqLqqQ54RRjiKixUXG5

URLs

http://golden5a4eqranh7.onion/nQDuNjnP

http://goldeny4vs3nyoht.onion/nQDuNjnP

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Seon family
seon
Renames multiple (881) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1640	regedit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
1640	regedit.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1640	2844	c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184bN.exe	82
PID 2844 wrote to memory of 1640	2844	c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184bN.exe	82
PID 2844 wrote to memory of 1640	2844	c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184bN.exe	82

C:\Users\Admin\AppData\Local\Temp\c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184bN.exe
"C:\Users\Admin\AppData\Local\Temp\c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184bN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Roaming\{521a331c-c065-45f7-a2ce-be33d459363a}\regedit.exe
  "C:\Users\Admin\AppData\Roaming\{521a331c-c065-45f7-a2ce-be33d459363a}\regedit.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Runs regedit.exe
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{521a331c-c065-45f7-a2ce-be33d459363a}\regedit.exe

Filesize
79KB

MD5
2697ae10cca38a1a00a4a68c19cc8790

SHA1
3b9925f871fdaeab32ee58979d68c0ee63070070

SHA256
c5f08d2817646649d149abcaa60c8e3eb9d28100f4633c0c015ad14282e7184b

SHA512
d78692a5808262c2f1ffde68ce3c96ac6bdeb5b2db279d0173059951f951ceecf7188042ab3345e6c594f36123b8708ccce845b229f69beb9a27d9c848ad266a

Download Submit
C:\Users\Admin\AppData\Roaming\{521a331c-c065-45f7-a2ce-be33d459363a}\regedit.exe

Filesize
79KB

MD5
887610fd895a808af74462290cb920f3

SHA1
7ef5a4d5d6cf2dd1228ef253034eecb1f43686ea

SHA256
176c4e9599a72bf1c9160298f63ec6c4216ea5c5feda032b51ea6def5e6153d1

SHA512
cc192125af26dda33a3fcf337f85ec7e7dab0583d1557be6523f0f5b58adac4964180c10df897c336e610f3c1070f50cc97064eda636ec6e14cd890b6a9c4eb7

Download Submit
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
04cd268a7ce17376ae989587702a727f

SHA1
0d08dcf0e4793b8419fc16cfde642b086fb354c8

SHA256
ba56de0bfee36b644d4002640e4fb5f9de8435fca260e4d1c169d6139792824c

SHA512
0d188bb72dffd257107cd4ee08883d29b0285ed16fcfb138d7180d3fdbb57d3026251d6cdc8928fd84456936ffb5332c719da6e920806bc3967fa3ac35e1cda9

Download Submit
memory/1640-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1640-17-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/1640-18-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/1640-19-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/1640-1787-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/1640-1788-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-2-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/2844-15-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/2844-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-13-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2844-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-1-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing