seon | ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f

General

Target

ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe
Size

79KB
MD5

7d578c616e075d7c5b1939a5a00a5b3d
SHA1

548b72daea1294f665a6bcebcb7e8b274fb7a8a5
SHA256

ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f
SHA512

0f9e5c7dd126b3b48e596247a053f6896f4d38ac4812d908cf87c9df592b02960e4ce6a6ab82854f920c46f9c4543e8b17c785bf469b5b71623af2616329e65d
SSDEEP

1536:/tUknV9M6+ygXCNoNGtmFWZPhV8owtnMQPo9NSw249gdhwA2jeddCL:fCygXkoNGtmQZ5wbAzSm9gdhj2aML

Score

10^/10

seon discovery ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/t3oeuyY8 http://goldeny4vs3nyoht.onion/t3oeuyY8 3. Enter your personal decryption code there: t3oeuyY84dxqQZaPLW4pkNsEGzSU2j5m9yhmzVRjXkxRgZuhjWeqtrCzvmrxLR8axM7Uf8hckHEQYWUe6EwfQD7nfRDpKTma

URLs

http://golden5a4eqranh7.onion/t3oeuyY8

http://goldeny4vs3nyoht.onion/t3oeuyY8

Signatures

Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Seon family
seon
Renames multiple (883) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2892	LaunchTM.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LaunchTM.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2892	2336	ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe	82
PID 2336 wrote to memory of 2892	2336	ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe	82
PID 2336 wrote to memory of 2892	2336	ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe	82

C:\Users\Admin\AppData\Local\Temp\ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe
"C:\Users\Admin\AppData\Local\Temp\ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Roaming\{902ee964-7302-4567-95c9-7ec9aa334bf3}\LaunchTM.exe
  "C:\Users\Admin\AppData\Roaming\{902ee964-7302-4567-95c9-7ec9aa334bf3}\LaunchTM.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\{902ee964-7302-4567-95c9-7ec9aa334bf3}\LaunchTM.exe

Filesize
79KB

MD5
7d578c616e075d7c5b1939a5a00a5b3d

SHA1
548b72daea1294f665a6bcebcb7e8b274fb7a8a5

SHA256
ec4f0c6f7901565b034991547d42de6f8afd71695fd28a15a4199e72575a8b0f

SHA512
0f9e5c7dd126b3b48e596247a053f6896f4d38ac4812d908cf87c9df592b02960e4ce6a6ab82854f920c46f9c4543e8b17c785bf469b5b71623af2616329e65d

Download Submit
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
5a54b549921613c46771b25f6b1af16f

SHA1
72df4543c72b3d51380e9c568d1e70cfda23cefc

SHA256
687f5a1f3c43fee7c3b0d3cc84c2a8881c775d32c885b11c72a04b69bf112000

SHA512
84be80ecf0f91c5e8c5b78861cdfb55e6661bcf36f646c408b5637b7e4a0b026a11f55e7a30e292907807cbc200d246e1c4f718d6a182ace73975c01b715f7e9

Download Submit
memory/2336-2-0x0000000000B80000-0x0000000000B91000-memory.dmp

Filesize
68KB

Download
memory/2336-1-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2336-15-0x0000000000B80000-0x0000000000B91000-memory.dmp

Filesize
68KB

Download
memory/2336-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2336-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2892-16-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2892-18-0x00000000007B0000-0x00000000007C1000-memory.dmp

Filesize
68KB

Download
memory/2892-17-0x00000000007B0000-0x00000000007C1000-memory.dmp

Filesize
68KB

Download
memory/2892-1790-0x00000000007B0000-0x00000000007C1000-memory.dmp

Filesize
68KB

Download
memory/2892-1791-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2892-1792-0x00000000007B0000-0x00000000007C1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing