Analysis
- max time kernel: 54s
- max time network: 68s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 11/10/2023, 09:14
Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: RedEye-Ransomware-master/NewRedEye/Classes and Modules/Icon.vbs, win7-20230831-en
- behavioral2: RedEye-Ransomware-master/NewRedEye/Classes and Modules/Icon.vbs, win10v2004-20230915-en
- behavioral3: RedEye-Ransomware-master/NewRedEye/Classes and Modules/Rar-Zip.vbs, win7-20230831-en
- behavioral4: RedEye-Ransomware-master/NewRedEye/Classes and Modules/Rar-Zip.vbs, win10v2004-20230915-en
- behavioral5: RedEye-Ransomware-master/NewRedEye/Classes and Modules/payloads.vbs, win7-20230831-en
- behavioral6: RedEye-Ransomware-master/NewRedEye/Classes and Modules/payloads.vbs, win10v2004-20230915-en
- behavioral7: RedEye-Ransomware-master/NewRedEye/Classes and Modules/spread.vbs, win7-20230831-en
- behavioral8: RedEye-Ransomware-master/NewRedEye/Classes and Modules/spread.vbs, win10v2004-20230915-en
- behavioral9: RedEye-Ransomware-master/NewRedEye/Forms/Form1.vbs, win7-20230831-en
- behavioral10: RedEye-Ransomware-master/NewRedEye/Forms/Form1.vbs, win10v2004-20230915-en
- behavioral11: RedEye-Ransomware-master/NewRedEye/Forms/Form2.vbs, win7-20230831-en
- behavioral12: RedEye-Ransomware-master/NewRedEye/Forms/Form2.vbs, win10v2004-20230915-en
- behavioral13: RedEye-Ransomware-master/NewRedEye/Forms/Form2.vbs, win7-20230831-en
- behavioral14: RedEye-Ransomware-master/NewRedEye/Forms/Form2.vbs, win10v2004-20230915-en
- behavioral15: RedEye-Ransomware-master/NewRedEye/Forms/Form3.vbs, win7-20230831-en
- behavioral16: RedEye-Ransomware-master/NewRedEye/Forms/Form3.vbs, win10v2004-20230915-en
- behavioral17: RedEye-Ransomware-master/NewRedEye/Forms/Form4.vbs, win7-20230831-en
- behavioral18: RedEye-Ransomware-master/NewRedEye/Forms/Form4.vbs, win10v2004-20230915-en
- behavioral19: RedEye-Ransomware-master/NewRedEye/Forms/Form5.vbs, win7-20230831-en
- behavioral20: RedEye-Ransomware-master/NewRedEye/Forms/Form5.vbs, win10v2004-20230915-en
- behavioral21: RedEye-Ransomware-master/NewRedEye/Forms/Form6.vbs, win7-20230831-en
- behavioral22: RedEye-Ransomware-master/NewRedEye/Forms/Form6.vbs, win10v2004-20230915-en
- behavioral23: RedEye-Ransomware-master/NewRedEye/Forms/Form6.vbs, win7-20230831-en
- behavioral24: RedEye-Ransomware-master/NewRedEye/Forms/Form6.vbs, win10v2004-20230915-en
- behavioral25: RedEye-Ransomware-master/NewRedEye/My Project/Resources.vbs, win7-20230831-en
- behavioral26: RedEye-Ransomware-master/NewRedEye/My Project/Resources.vbs, win10v2004-20230915-en
- behavioral27: RedEye-Ransomware-master/NewRedEye/Resources/SGE.exe, win7-20230831-en
- behavioral28: RedEye-Ransomware-master/NewRedEye/Resources/SGE.exe, win10v2004-20230915-en
- behavioral29: RedEye-Ransomware-master/NewRedEye/Resources/redeye.exe, win7-20230831-en
- behavioral30: RedEye-Ransomware-master/NewRedEye/Resources/redeye.exe, win10v2004-20230915-en
- behavioral31: RedEye-Ransomware-master/NewRedEye/obj/Debug/NewRedEye.exe, win7-20230831-en
- behavioral32: RedEye-Ransomware-master/NewRedEye/obj/Debug/NewRedEye.exe, win10v2004-20230915-en
General
- Target: RedEye-Ransomware-master/NewRedEye/obj/Debug/NewRedEye.exe
- Size: 34.6MB
- MD5: a16493f64983e95b47f4c23a43b54015
- SHA1: fa596483355bb89e1c767cf33ea2911633daa574
- SHA256: 8b69a3aa3d2dc1eff7cce69cbd0d7bb8d3c178e218a80f3eae36ea7868ce8892
- SHA512: 7396c831bbe70eba699af2ba749bc428a6fc143d4a27cc547213925514653a152947c70dc161e3f19422094a186ff74a6c04a20f11a164418d42d1ee47fa3938
- SSDEEP: 786432:Zg1mbZFph3NKjsqydxM0Xb96BxTRZSvmrIXAphIh0vxwTjFxOfZdac:ZumbJesqyd+0Xb6xTRUvmkXAfIh3nFkN
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RedEye-Ransomware-master\\NewRedEye\\obj\\Debug\\NewRedEye.exe" (process: NewRedEye.exe)

Modifies Windows Defender Real-time Protection settings
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (process: NewRedEye.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: NewRedEye.exe)

UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: NewRedEye.exe)
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Disables RegEdit via registry modification (2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: NewRedEye.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: NewRedEye.exe)

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)

Modifies Windows Firewall (1 TTPs, 1 IoC)
- PID 2516: NetSh.exe

Sets file execution options in registry (2 TTPs, 64 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NewRedEye = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RedEye-Ransomware-master\\NewRedEye\\obj\\Debug\\NewRedEye.exe" (process: NewRedEye.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewRedEye = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RedEye-Ransomware-master\\NewRedEye\\obj\\Debug\\NewRedEye.exe" (process: NewRedEye.exe)

Checks whether UAC is enabled
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: NewRedEye.exe)
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File created: C:\autorun.inf (process: NewRedEye.exe)
- File opened for modification: C:\autorun.inf (process: NewRedEye.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
- PID 2652: vssadmin.exe
- PID 2664: vssadmin.exe
- PID 2780: vssadmin.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2164: NewRedEye.exe
- PID 2164: NewRedEye.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, PID 2164, NewRedEye.exe
- Token: SeBackupPrivilege, PID 2532, vssvc.exe
- Token: SeRestorePrivilege, PID 2532, vssvc.exe
- Token: SeAuditPrivilege, PID 2532, vssvc.exe
- Token: SeShutdownPrivilege, PID 2156, shutdown.exe
- Token: SeRemoteShutdownPrivilege, PID 2156, shutdown.exe

Suspicious use of WriteProcessMemory (20 IoCs)
- PID 2164 (NewRedEye.exe) wrote to memory of PID 2780, procid_target 29 (4 events)
- PID 2164 (NewRedEye.exe) wrote to memory of PID 2652, procid_target 31 (4 events)
- PID 2164 (NewRedEye.exe) wrote to memory of PID 2664, procid_target 34 (4 events)
- PID 2164 (NewRedEye.exe) wrote to memory of PID 2516, procid_target 32 (4 events)
- PID 2164 (NewRedEye.exe) wrote to memory of PID 2156, procid_target 39 (4 events)

System policy modification (1 TTPs, 8 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" (process: NewRedEye.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" (process: NewRedEye.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: NewRedEye.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: NewRedEye.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" (process: NewRedEye.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" (process: NewRedEye.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: NewRedEye.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: NewRedEye.exe)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\RedEye-Ransomware-master\NewRedEye\obj\Debug\NewRedEye.exe (PID 2164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RedEye-Ransomware-master\NewRedEye\obj\Debug\NewRedEye.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - C:\Windows\SysWOW64\vssadmin.exe (PID 2780)
    Command line: vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe (PID 2652)
    Command line: vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\NetSh.exe (PID 2516)
    Command line: NetSh Advfirewall set allprofiles state off
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\vssadmin.exe (PID 2664)
    Command line: vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\shutdown.exe (PID 2156)
    Command line: "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 2532)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (PID 1652)
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe (PID 2556)
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)