Analysis
-
max time kernel
23s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
02-03-2024 20:19
General
-
Target
Ransomware/Golden Eyes - via unikey.exe
-
Size
1.3MB
-
MD5
3f6bfaa577b7be13705f41cc5b6cb1eb
-
SHA1
0a9cd77276ac62848eeb1c428cf9f05c0e0ec69c
-
SHA256
21780731ba0394eaa38254960f445321f2ca10450623855d8e2f1d6e30481022
-
SHA512
9f02e7fc31f7fe3ebebebc4b38f49cd885f91b5bc3ee0b7c0cb2f19f2e8f983aebf671197471b61f624dbc13183bac66f8c19d50fb3a501c269ea3d1a9029ce1
-
SSDEEP
24576:/7blFG2wAhxKw0cDJ/ztH6NtCsL96AEwZIOd++kD4mRkdqbhm:/75o2FfKwT1/x2btFtsTD4mRkdqbhm
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
Detect Neshta payload 3 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 9 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware\Golden Eyes - via unikey.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware\Golden Eyes - via unikey.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-LUIH6.tmp\Golden Eyes - via unikey.tmp"C:\Users\Admin\AppData\Local\Temp\is-LUIH6.tmp\Golden Eyes - via unikey.tmp" /SL5="$3013A,1108802,57344,C:\Users\Admin\AppData\Local\Temp\Ransomware\Golden Eyes - via unikey.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\UniKey\UniKeyNT.exe"C:\Program Files (x86)\UniKey\UniKeyNT.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\0.exe"C:\Users\Admin\AppData\Roaming\0.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\0.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\0.exe"5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Roaming\1.exe"C:\Users\Admin\AppData\Roaming\1.exe"4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5c334ce3247368841e6282c078226fbcc
SHA1fc5cb3ac82652c669c60064d7e6bd9ddd61d5018
SHA2567122af33638fedfa5b64b8b842b673d9fcff38717c084ade91ce02127eecaa27
SHA512af59d804b9f49b8b9d53018cfa7b2167fb8ff2e260976c533248a17a15a379f4d3a60b8821252eb13aac2924c09c6531a4532dd76b71c74069291a1b7a3e0e61
-
Filesize
1.5MB
MD5c96a34fe3bc94fd13e27d2fe0a92b891
SHA10221468b27cd5fb976e27ccb13b21ff46e20f253
SHA2560a4923ada2dde5e10035b969f0a11bd0a6d2bdf7310facee43fd8c1e2c3a2035
SHA5128ea137840a4ef3e1c60ceb04cd04e4feca6f3aa5d9e04cdb6a7310bfc91412da8a513336eee3ae29e6efddcc5588611074f3dff0fb3c42559a32399ff39ba5c7
-
Filesize
1.1MB
MD5eb0ce9528ad0866b06181cbddcda6e1b
SHA1f671dd4527ff84345c86a9b3d269a8d7ae441cae
SHA256bb6671d31fde6d2edaca80d4a4fce6a7da6ea095435f8da64130be1bcbb4d2c6
SHA51243205bd06ee5e48d7a81c76f002eace1496a9368051d69d02e51e70944469e9b759991c436956fa61e8ec770ccafc6fe12b9375287ad45527500704e7fcf485e
-
Filesize
298KB
MD5cd1f4a8294d46c2ddbc42402fcdda48d
SHA1ad93ce20d8f03021bc83e291efbac6eba985d742
SHA256dfabdf7fe2b1d78cf7ee3fda4d2d632897e312ad97a85f1023a8be3468e08d14
SHA512698296a3f3701c40b4edc5f47e596492deeb610536ca9713543ae964eb8c02b8ca2a9972ea9cb89722087dbdeb043e92e09fe5a94815cb79d9484d331b41cf17
-
Filesize
468KB
MD5d1b828691ede80adb614a8faccab8129
SHA1f39843416ab6aa99a6050759368881e12710fa89
SHA256f6236d5ff2545e19fa4d47c6f713cb1001b8cd8d822f76825f8ee7acbc00de1a
SHA51286f5a4a4775a42f6526dbda3659863a2c9d09ce1ebd9d38356f3b997272262a83d3db99bc45082de4acb5d6ce7f7c3016402d7c22f0990a1c3b352d2446243ff
-
Filesize
413KB
MD569b8fa92c31af91481d178e5fe9a0531
SHA1b9b7f628410ba88df34a7df75115d3d84299f88e
SHA25663e96f546924daf0b72f00fe6ba062c138c430a6fef244bbf1082b508c2850b7
SHA512ca73c90dfe3e10fa677c689f80a39c50ae85f8bac780c22bc32d141ec6f9cc586a0d03637ceb01808c39209c5425a7475577bb669a73bf679fc108c903607f0e
-
Filesize
402KB
MD578ff1dc3b787d4e0d2c8d1e310b9e819
SHA18a88f567d0ece11461b9c87d30380cb9970c8256
SHA25615efa5185539c5be15783962acd80e2898991edaaefd0d7cc1b8b90fd792a081
SHA512a6ae48725e7d587bd93dc09313b6bd2ce6708cc447f0a8059ccba830f90f18a487c7a60045971f86e41a43c63adeda44370262f26b9bc9f3d0eed685e185a72c
-
Filesize
254KB
MD5e068ee33b5e9cb317c1af7cecc1bacb5
SHA1ef3d2563fa3e29c1be76a149ff91398ab9987775
SHA256b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690
SHA5120dbed2b5019050a84b0e3590a49a713a51ab231d73796b4754afe731690d35fdc47f04f13e29235a25f5ffcb05433c0e2e00841143a916cbb132d432cded7b10
-
Filesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
Filesize
707KB
MD5e855aa3d49e306053bc550d5adb0a7f1
SHA1433579e3d6ef0be4917a6958dd48fb2ed8d1b8c8
SHA2567e5df69e1ff541e19e4294e054626efd0cf1b42fecc4613a527ea194ae345d09
SHA512abfdec298118f3739d2f04fff29a3ab27b0aafc281a9a59025504b800b51788503d8680e4fb869fe540242f95a85458a40cc32300bef5739638c6746e814cf62
-
Filesize
2.5MB
MD5201dcd5346af5b4fb06dd80e9d7b3421
SHA151fd23198bec506f070190212df840c99542db63
SHA256f48fa0c225bd5836320aa3900f9a8e09bc322c397b3947c1a24848c78563f9ac
SHA5124954e67409be9e7edc2a75fdb34d1ecc6c077823e4003bfe2b5a63a9478fa32ceae91e5dc113fac339699b0c1bab79c0a95c93f8ce1d3b95149ab8c406fcd4f5
-
Filesize
1.6MB
MD55a564959199adde147d71e75cfdae0c6
SHA166b6b1a57d6a3223c43f35f9ecba56d9e0bba56d
SHA256d29fe5a366aa3c99a22894f98e568c436395d734750af8ccf7139ad901a85650
SHA512bfb07b6dcb7274be7717cbf87dd27ce88aaf676ef46811e140e0f10007732a19a41501f07855ee51d4605142e430273a5dd9d672e030def375a2132948f16ca5
-
Filesize
1.4MB
MD5a65581c1e18c3c53e81ba8a27e359b03
SHA14112e4a8dc54fa0d15fcc3b805077145f3bb46e2
SHA25653fbc916c925f2572fcc239a48890aa62708fee022566cded9a3af1beacdeb14
SHA5129e2aefd9c5c4022e77007094b54cb974de7947a5bc611b1ef8d80cc6fc67fee955aa165a441364e0f34d6f2027bba62a2f1edea52392584d095206c757be5973
-
Filesize
428KB
MD5ef5eed7319ab9ed99d93d1d64ea1d0a8
SHA191bd4e67e88ee3434be86ac93f42ed740aab3318
SHA2569be9b130d233c4ee4a10bbf607c801dbdbe814f60d1030b314534391e2b68e88
SHA512be115c7daf21240ab8e3989fec30bf22ab55c395b9250d0478d446776c8d3541bca0e43377eed38ceb152f50316bf34b1772c4d92273025ef6d13488bfc29aec
-
Filesize
696KB
MD504a1b00d46a802459527119cad1fb7ae
SHA1a922d4c13955add25b6c53bf8963331c0909a508
SHA2564d169d681a716ef2e3645113ac48d3a8d19477c6922bc5047191a0cc60f64860
SHA512144ddbad8d936c6d3a23ecacccea866d61ad39e471e11376077bac1c8a537a7a26b567867559d026d2aa34ab146aa1e78b5da997ac3fa07d29e24b2608534f5d
-
Filesize
88KB
-
Filesize
104KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
760KB
-
Filesize
760KB
-
Filesize
4KB