seon | ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f

General

Target

ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe
Size

79KB
MD5

7d578c616e075d7c5b1939a5a00a5b3d
SHA1

548b72daea1294f665a6bcebcb7e8b274fb7a8a5
SHA256

ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f
SHA512

0f9e5c7dd126b3b48e596247a053f6896f4d38ac4812d908cf87c9df592b02960e4ce6a6ab82854f920c46f9c4543e8b17c785bf469b5b71623af2616329e65d
SSDEEP

1536:/tUknV9M6+ygXCNoNGtmFWZPhV8owtnMQPo9NSw249gdhwA2jeddCL:fCygXkoNGtmQZ5wbAzSm9gdhj2aML

Score

10^/10

seon discovery ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/nU6bstiu http://goldeny4vs3nyoht.onion/nU6bstiu 3. Enter your personal decryption code there: nU6bstiuJqXzkMs6Bg9nTS8x4HJbpaKHtmACqa5dcqMV1uMTVZPJ6Jk3UuUhBr1b4tAn5gigpacSf5dy9mwVRxBjfgB52kda

URLs

http://golden5a4eqranh7.onion/nU6bstiu

http://goldeny4vs3nyoht.onion/nU6bstiu

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Seon family
seon
Renames multiple (262) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2172	wuapp.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2172	2072	ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe	30
PID 2072 wrote to memory of 2172	2072	ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe	30
PID 2072 wrote to memory of 2172	2072	ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe	30
PID 2072 wrote to memory of 2172	2072	ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe	30

C:\Users\Admin\AppData\Local\Temp\ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe
"C:\Users\Admin\AppData\Local\Temp\ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Roaming\{ada16c03-0e3c-4a92-8a0e-6bcb443c4ba1}\wuapp.exe
  "C:\Users\Admin\AppData\Roaming\{ada16c03-0e3c-4a92-8a0e-6bcb443c4ba1}\wuapp.exe"
  2⤵
  - Executes dropped EXE
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
976e3a3598f20b6acab6252261902bea

SHA1
dbcb6f3a3456b33a2be18b4dd83506a092f99567

SHA256
70e32b7555763b4066a4c9658ff7dd574176497e53620a05a046017996c6fde5

SHA512
f24c0370c7059f186f52b36ed24e729ce868e1033f5821b94b0cb42fe10fd26275d9fa0e171054fe63f0d32228ca9c84205edc645453e2e4ca3a0b035b447cb9

Download Submit
\Users\Admin\AppData\Roaming\{ada16c03-0e3c-4a92-8a0e-6bcb443c4ba1}\wuapp.exe

Filesize
79KB

MD5
7d578c616e075d7c5b1939a5a00a5b3d

SHA1
548b72daea1294f665a6bcebcb7e8b274fb7a8a5

SHA256
ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f

SHA512
0f9e5c7dd126b3b48e596247a053f6896f4d38ac4812d908cf87c9df592b02960e4ce6a6ab82854f920c46f9c4543e8b17c785bf469b5b71623af2616329e65d

Download Submit
memory/2072-16-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/2072-2-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2072-17-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2072-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2072-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2072-1-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/2172-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2172-19-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/2172-20-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/2172-21-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/2172-551-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/2172-553-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing