Overview

overview

10

Static

static

3

964b5abe39...7d.exe

windows7-x64

10

964b5abe39...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/02/2025, 03:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    964b5abe3924a2efc07a955cce450291d880fe57be49018446143f9f3dcf0d7d.exe

  • Size

    79KB

  • MD5

    322d73ea4ce5be6637f635125abee0d3

  • SHA1

    7f6f6c2813768a8df111aad1ebec01b43a6517d3

  • SHA256

    964b5abe3924a2efc07a955cce450291d880fe57be49018446143f9f3dcf0d7d

  • SHA512

    27bebd8c71ac842146c8a599e23f76b7b648e59ee1df951e577a15ff8b40140a109566f66efa40e2465fd29a20a89f450404ec0b3a4c253dbf564fbbace1d1ad

  • SSDEEP

    1536:/tUknV9M6+ygXCNoNGtmFWZPhV8owtnMQPo9NSw249gdhwA2jeddBu:fCygXkoNGtmQZ5wbAzSm9gdhj2aPu

Score
10/10
seondiscoveryransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/s15r6kX6 http://goldeny4vs3nyoht.onion/s15r6kX6 3. Enter your personal decryption code there: s15r6kX6Rph4cEsVdUjHzAp9FqtVfeY1Xn8gj95ZjonsHZdTsEMxoWGAAgrpWqyXrA86NFiL4QgEvCK7WR6io459iYJHsuBU
URLs

http://golden5a4eqranh7.onion/s15r6kX6

http://goldeny4vs3nyoht.onion/s15r6kX6

Signatures

  • Seon

    The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

    trojanransomwareseon
  • Seon family
    seon
  • Renames multiple (854) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\964b5abe3924a2efc07a955cce450291d880fe57be49018446143f9f3dcf0d7d.exe
    "C:\Users\Admin\AppData\Local\Temp\964b5abe3924a2efc07a955cce450291d880fe57be49018446143f9f3dcf0d7d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3688
    • C:\Users\Admin\AppData\Roaming\{38905584-e1cd-4c09-917d-3d1be6754a79}\label.exe
      "C:\Users\Admin\AppData\Roaming\{38905584-e1cd-4c09-917d-3d1be6754a79}\label.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\{38905584-e1cd-4c09-917d-3d1be6754a79}\label.exe
    Filesize

    79KB

    MD5

    53d5c3fb96bf1c5d27a45ca35faae395

    SHA1

    767be78e5519f51a333460540501db06f2456624

    SHA256

    ebf3825ecbc6b4f63f042dfb040e82b3abed954d71f527e80ab092692f325fbe

    SHA512

    a371920b3e1f47d1249741a3d46b56238932855c8b87f454fb6946021f9dca551c53037dcf70d6d2081f189f01cd9aa3f4bdc2132fa99471da5a794d78b25e81

    Download Submit

  • C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT
    Filesize

    778B

    MD5

    384d1c60a9a425df067e75da3f792ce2

    SHA1

    e265e9c239dc48c44f12a431ac9603e3a561e5f4

    SHA256

    0d5710ec4fc82189b224e4db154dc1f2185e43259297cc6522efb46d92131905

    SHA512

    6f9b2af7e7470c129d96df3a85b9d71e896270b1c555ff53e94f0d9ed9dfff019acbd8c43a3d781129a320254549a2462ffe9bf170d4fb7b25b5fad5ade22aa4

    Download Submit

  • memory/3688-13-0x00000000005F0000-0x00000000005FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3688-2-0x0000000000600000-0x0000000000611000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3688-14-0x0000000000600000-0x0000000000611000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3688-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3688-12-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3688-1-0x00000000005F0000-0x00000000005FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4760-15-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4760-17-0x0000000000580000-0x000000000058C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4760-18-0x00000000006A0000-0x00000000006B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4760-19-0x00000000006A0000-0x00000000006B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4760-1733-0x00000000006A0000-0x00000000006B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4760-1734-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download