Overview
overview
10Static
static
10Malware-da...00.exe
windows7-x64
Malware-da...00.exe
windows10-2004-x64
Malware-da...ws.exe
windows7-x64
6Malware-da...ws.exe
windows10-2004-x64
6Malware-da...as.exe
windows7-x64
1Malware-da...as.exe
windows10-2004-x64
1Malware-da...ck.exe
windows7-x64
1Malware-da...ck.exe
windows10-2004-x64
1Malware-da...V2.exe
windows7-x64
10Malware-da...V2.exe
windows10-2004-x64
10Malware-da...er.exe
windows7-x64
1Malware-da...er.exe
windows10-2004-x64
1Malware-da...an.exe
windows7-x64
1Malware-da...an.exe
windows10-2004-x64
1Malware-da...up.exe
windows7-x64
1Malware-da...up.exe
windows10-2004-x64
1Malware-da...nt.exe
windows7-x64
Malware-da...nt.exe
windows10-2004-x64
Malware-da...ye.exe
windows7-x64
Malware-da...ye.exe
windows10-2004-x64
Malware-da...ry.exe
windows7-x64
10Malware-da...ry.exe
windows10-2004-x64
10Malware-da...op.exe
windows7-x64
7Malware-da...op.exe
windows10-2004-x64
7Analysis
-
max time kernel
23s -
max time network
28s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
29-05-2024 18:16
Behavioral task
behavioral1
Sample
Malware-database-main/000.exe
Resource
win7-20231129-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
Malware-database-main/000.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
10 signatures
150 seconds
Behavioral task
behavioral3
Sample
Malware-database-main/ChilledWindows.exe
Resource
win7-20240215-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral4
Sample
Malware-database-main/ChilledWindows.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
5 signatures
150 seconds
Behavioral task
behavioral5
Sample
Malware-database-main/Christmas.exe
Resource
win7-20240220-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral6
Sample
Malware-database-main/Christmas.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral7
Sample
Malware-database-main/CookieClickerHack.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral8
Sample
Malware-database-main/CookieClickerHack.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral9
Sample
Malware-database-main/Electron V2.exe
Resource
win7-20240508-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral10
Sample
Malware-database-main/Electron V2.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
16 signatures
150 seconds
Behavioral task
behavioral11
Sample
Malware-database-main/Flasher.exe
Resource
win7-20240508-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral12
Sample
Malware-database-main/Flasher.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral13
Sample
Malware-database-main/MEMZ Trojan.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral14
Sample
Malware-database-main/MEMZ Trojan.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral15
Sample
Malware-database-main/Popup.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral16
Sample
Malware-database-main/Popup.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
0 signatures
150 seconds
Behavioral task
behavioral17
Sample
Malware-database-main/PowerPoint.exe
Resource
win7-20240215-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral18
Sample
Malware-database-main/PowerPoint.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral19
Sample
Malware-database-main/RedEye.exe
Resource
win7-20240220-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral20
Sample
Malware-database-main/RedEye.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
23 signatures
150 seconds
Behavioral task
behavioral21
Sample
Malware-database-main/WannaCry.exe
Resource
win7-20240221-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral22
Sample
Malware-database-main/WannaCry.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
13 signatures
150 seconds
Behavioral task
behavioral23
Sample
Malware-database-main/butterflyondesktop.exe
Resource
win7-20240508-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral24
Sample
Malware-database-main/butterflyondesktop.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
2 signatures
150 seconds
Errors
Reason
Machine shutdown
General
-
Target
Malware-database-main/RedEye.exe
-
Size
10.6MB
-
MD5
e9e5596b42f209cc058b55edc2737a80
-
SHA1
f30232697b3f54e58af08421da697262c99ec48b
-
SHA256
9ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305
-
SHA512
e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7
-
SSDEEP
196608:+ahZ5qN3wvdJBiAv1hXx7jeeDt9/wGoyIu+sTvDmQONhL/LslAVyq8rZyA+TXtT4:+w6NAvPAA/Xx3eeDtTD+GDONhL/AlAV8
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" RedEye.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RedEye.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" RedEye.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" RedEye.exe -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2672 NetSh.exe -
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro_x64.exe RedEye.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation RedEye.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malware-database-main\\RedEye.exe" RedEye.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malware-database-main\\RedEye.exe" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Malware-database-main\\RedEye.exe" RedEye.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RedEye.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf RedEye.exe File opened for modification C:\autorun.inf RedEye.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\WallPaper = "C:\\redeyebmp.bmp" RedEye.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Nope.txt RedEye.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2684 vssadmin.exe 4444 vssadmin.exe 4864 vssadmin.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1912 RedEye.exe 1912 RedEye.exe 1912 RedEye.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1912 RedEye.exe Token: SeBackupPrivilege 1644 vssvc.exe Token: SeRestorePrivilege 1644 vssvc.exe Token: SeAuditPrivilege 1644 vssvc.exe Token: SeShutdownPrivilege 3444 shutdown.exe Token: SeRemoteShutdownPrivilege 3444 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4276 LogonUI.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1912 wrote to memory of 4864 1912 RedEye.exe 87 PID 1912 wrote to memory of 4864 1912 RedEye.exe 87 PID 1912 wrote to memory of 4444 1912 RedEye.exe 88 PID 1912 wrote to memory of 4444 1912 RedEye.exe 88 PID 1912 wrote to memory of 2684 1912 RedEye.exe 90 PID 1912 wrote to memory of 2684 1912 RedEye.exe 90 PID 1912 wrote to memory of 2672 1912 RedEye.exe 91 PID 1912 wrote to memory of 2672 1912 RedEye.exe 91 PID 1912 wrote to memory of 3444 1912 RedEye.exe 103 PID 1912 wrote to memory of 3444 1912 RedEye.exe 103 -
System policy modification 1 TTPs 11 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" RedEye.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "4" RedEye.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer RedEye.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Malware-database-main\RedEye.exe"C:\Users\Admin\AppData\Local\Temp\Malware-database-main\RedEye.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1912 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:4864
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:4444
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2684
-
-
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
PID:2672
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 00 -f2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39bf855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4276
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2