Overview
overview
10Static
static
7Ransomware...er.exe
windows10-2004-x64
8Ransomware/7ev3n.exe
windows10-2004-x64
Ransomware...le.exe
windows10-2004-x64
Ransomware...it.exe
windows10-2004-x64
10Ransomware/Birele.exe
windows10-2004-x64
10Ransomware...r5.exe
windows10-2004-x64
8Ransomware...us.exe
windows10-2004-x64
10Ransomware...er.exe
windows10-2004-x64
10Ransomware...ll.exe
windows10-2004-x64
7Ransomware...ck.exe
windows10-2004-x64
7Ransomware/Dharma.exe
windows10-2004-x64
9Ransomware/Fantom.exe
windows10-2004-x64
10Ransomware...ab.exe
windows10-2004-x64
7Ransomware...ye.exe
windows10-2004-x64
10Ransomware...Eye.js
windows10-2004-x64
10Ransomware...pt.exe
windows10-2004-x64
10Ransomware...en.exe
windows10-2004-x64
8Ransomware...AZ.dll
windows10-2004-x64
3Ransomware...om.exe
windows10-2004-x64
10Ransomware...ya.exe
windows10-2004-x64
10Ransomware...ap.exe
windows10-2004-x64
1Ransomware....A.exe
windows10-2004-x64
6Ransomware...om.exe
windows10-2004-x64
10Ransomware...nt.exe
windows10-2004-x64
Ransomware...ot.exe
windows10-2004-x64
Ransomware/RedEye.exe
windows10-2004-x64
Ransomware...re.exe
windows10-2004-x64
7Ransomware/Rokku.exe
windows10-2004-x64
10Ransomware/Satana.exe
windows10-2004-x64
5Ransomware/Seftad.exe
windows10-2004-x64
6Ransomware...re.exe
windows10-2004-x64
10Ransomware/UIWIX.dll
windows10-2004-x64
1Analysis
-
max time kernel
36s -
max time network
45s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-uk -
resource tags
arch:x64arch:x86image:win10v2004-20240226-uklocale:uk-uaos:windows10-2004-x64systemwindows -
submitted
03/03/2024, 13:53 UTC
Behavioral task
behavioral1
Sample
Ransomware/$uckyLocker.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral2
Sample
Ransomware/7ev3n.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral3
Sample
Ransomware/Annabelle.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral4
Sample
Ransomware/BadRabbit.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral5
Sample
Ransomware/Birele.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral6
Sample
Ransomware/Cerber5.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral7
Sample
Ransomware/CoronaVirus.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral8
Sample
Ransomware/CryptoLocker.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral9
Sample
Ransomware/CryptoWall.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral10
Sample
Ransomware/DeriaLock.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral11
Sample
Ransomware/Dharma.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral12
Sample
Ransomware/Fantom.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral13
Sample
Ransomware/GandCrab.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral14
Sample
Ransomware/GoldenEye/GoldenEye.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral15
Sample
Ransomware/GoldenEye/GoldenEye.js
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral16
Sample
Ransomware/InfinityCrypt.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral17
Sample
Ransomware/Krotten.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral18
Sample
Ransomware/Locky.AZ.dll
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral19
Sample
Ransomware/NoMoreRansom.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral20
Sample
Ransomware/NotPetya.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral21
Sample
Ransomware/PetrWrap.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral22
Sample
Ransomware/Petya.A.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral23
Sample
Ransomware/PolyRansom.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral24
Sample
Ransomware/PowerPoint.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral25
Sample
Ransomware/RedBoot.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral26
Sample
Ransomware/RedEye.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral27
Sample
Ransomware/Rensenware.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral28
Sample
Ransomware/Rokku.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral29
Sample
Ransomware/Satana.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral30
Sample
Ransomware/Seftad.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral31
Sample
Ransomware/SporaRansomware.exe
Resource
win10v2004-20240226-uk
windows10-2004-x64
Behavioral task
behavioral32
Sample
Ransomware/UIWIX.dll
Resource
win10v2004-20240226-uk
windows10-2004-x64
Errors
General
-
Target
Ransomware/RedEye.exe
-
Size
10.6MB
-
MD5
e9e5596b42f209cc058b55edc2737a80
-
SHA1
f30232697b3f54e58af08421da697262c99ec48b
-
SHA256
9ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305
-
SHA512
e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7
-
SSDEEP
196608:+ahZ5qN3wvdJBiAv1hXx7jeeDt9/wGoyIu+sTvDmQONhL/LslAVyq8rZyA+TXtT4:+w6NAvPAA/Xx3eeDtTD+GDONhL/AlAV8
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" RedEye.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RedEye.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" RedEye.exe Set value (int) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" RedEye.exe -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 4668 NetSh.exe -
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro_x64.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" RedEye.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation RedEye.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\RedEye.exe" RedEye.exe Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\RedEye.exe" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\RedEye.exe" RedEye.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RedEye.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf RedEye.exe File opened for modification C:\autorun.inf RedEye.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\WallPaper = "C:\\redeyebmp.bmp" RedEye.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Nope.txt RedEye.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2896 vssadmin.exe 2912 vssadmin.exe 660 vssadmin.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "117" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1680 RedEye.exe 1680 RedEye.exe 1680 RedEye.exe 1680 RedEye.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1680 RedEye.exe Token: SeBackupPrivilege 3068 vssvc.exe Token: SeRestorePrivilege 3068 vssvc.exe Token: SeAuditPrivilege 3068 vssvc.exe Token: SeShutdownPrivilege 3272 shutdown.exe Token: SeRemoteShutdownPrivilege 3272 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2488 LogonUI.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1680 wrote to memory of 2896 1680 RedEye.exe 92 PID 1680 wrote to memory of 2896 1680 RedEye.exe 92 PID 1680 wrote to memory of 660 1680 RedEye.exe 93 PID 1680 wrote to memory of 660 1680 RedEye.exe 93 PID 1680 wrote to memory of 2912 1680 RedEye.exe 95 PID 1680 wrote to memory of 2912 1680 RedEye.exe 95 PID 1680 wrote to memory of 4668 1680 RedEye.exe 96 PID 1680 wrote to memory of 4668 1680 RedEye.exe 96 PID 1680 wrote to memory of 3272 1680 RedEye.exe 103 PID 1680 wrote to memory of 3272 1680 RedEye.exe 103 -
System policy modification 1 TTPs 11 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "4" RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" RedEye.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RedEye.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" RedEye.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware\RedEye.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware\RedEye.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1680 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2896
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:660
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2912
-
-
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
PID:4668
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 00 -f2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3272
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39be055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2488
Network
-
Remote address:8.8.8.8:53Request2.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request253.15.104.51.in-addr.arpaIN PTRResponse
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2