Analysis
max time kernel: 33s
max time network: 33s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29/12/2024, 22:56
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/JackDoesMalwares/trojan-leaks/raw/refs/heads/main/TheEye-x64.exe
Resource: win7-20240903-en
Errors
General
Target: https://github.com/JackDoesMalwares/trojan-leaks/raw/refs/heads/main/TheEye-x64.exe
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,, C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ASP.NETWebAdminFiles\\Security\\Users\\App_LocalResources\\Resources\\theeye.exe" | TheEye-x64.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\Microsoft\\Protect\\Defender\\windef.exe" | TheEye-x64.exe
UAC bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | TheEye-x64.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | TheEye-x64.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | TheEye-x64.exe
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Blocks application from running via registry modification 7 IoCs
Adds application to list of disallowed applications.
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | TheEye-x64.exe
- Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | TheEye-x64.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\powershell = "powershell.exe" | TheEye-x64.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\taskkill = "taskkill.exe" | TheEye-x64.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ProcessHacker = "ProcessHacker.exe" | TheEye-x64.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\msconfig = "msconfig.exe" | TheEye-x64.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\procexp = "procexp.exe" | TheEye-x64.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | TheEye-x64.exe
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE 3 IoCs
pid | Process
- 1224 | TheEye-x64.exe
- 3008 | CHLogOn.exe
- 236 | wcmd.exe
Loads dropped DLL 2 IoCs
pid | Process
- 1224 | TheEye-x64.exe
- 1224 | TheEye-x64.exe
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
- behavioral1/files/0x0033000000019377-1315.dat | agile_net
- behavioral1/memory/1224-1318-0x0000000000A80000-0x0000000001C52000-memory.dmp | agile_net
Checks whether UAC is enabled
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TheEye-x64.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | TheEye-x64.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
flow | ioc
- 24 | raw.githubusercontent.com
- 25 | raw.githubusercontent.com
- 26 | raw.githubusercontent.com
- 27 | raw.githubusercontent.com
- 30 | raw.githubusercontent.com
- 22 | raw.githubusercontent.com
- 23 | raw.githubusercontent.com
Drops file in System32 directory 2 IoCs
description | ioc | Process
- File created | C:\Windows\System32\oobe\info\backgrounds\backgroundDefault.jpg | cmd.exe
- File opened for modification | C:\Windows\System32\oobe\info\backgrounds\backgroundDefault.jpg | cmd.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\debug\\Wall.jpg" | TheEye-x64.exe
Drops file in Windows directory 21 IoCs
description | ioc | Process
- File created | C:\Windows\debug\wcmd.exe | TheEye-x64.exe
- File created | C:\Windows\debug\Wall.jpg | TheEye-x64.exe
- File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\Resources\theeye.exe | TheEye-x64.exe
- File created | C:\Windows\Microsoft\Protect\Defender\windef.exe | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr3.gif | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr5.wav | TheEye-x64.exe
- File created | C:\Windows\debug\main.bs7 | TheEye-x64.exe
- File created | C:\Windows\debug\CHLogOn.exe | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr4.wav | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr6.gif | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr7.wav | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr4.gif | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr6.wav | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr7.gif | TheEye-x64.exe
- File created | C:\Windows\debug\BG.jpg | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr1.gif | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr1.wav | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr2.gif | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr2.wav | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr3.wav | TheEye-x64.exe
- File created | C:\Windows\debug\defenderlogs\scr5.gif | TheEye-x64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TheEye-x64.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CHLogOn.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wcmd.exe
Modifies Control Panel 2 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\WallpaperStyle = "2" | TheEye-x64.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\TileWallpaper = "0" | TheEye-x64.exe
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b049faf8445adb01 | iexplore.exe
Modifies Internet Explorer settings
description | ioc | Process (every key below is relative to \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer)
- Key created | Recovery\AdminActive | iexplore.exe
- Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Set value (str) | Main\FullScreen = "no" | iexplore.exe
- Set value (str) | Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
- Key created | Zoom | iexplore.exe
- Key created | Toolbar | iexplore.exe
- Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
- Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
- Set value (int) | Recovery\AdminActive\{3184B681-C638-11EF-AD58-7ED3796B1EC0} = "0" | iexplore.exe
- Key created | Main\WindowsSearch | iexplore.exe
- Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
- Set value (int) | MINIE\TabBandWidth = "500" | iexplore.exe
- Key created | GPU | iexplore.exe
- Key created | Main | IEXPLORE.EXE
- Key created | Toolbar\WebBrowser | iexplore.exe
- Key created | Main\WindowsSearch | IEXPLORE.EXE
- Key created | SearchScopes | iexplore.exe
- Set value (int) | SearchScopes\DownloadRetries = "3" | iexplore.exe
- Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Key created | PageSetup | iexplore.exe
- Key created | Main | iexplore.exe
- Key created | InternetRegistry | iexplore.exe
- Key created | LowRegistry\DOMStorage | iexplore.exe
- Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
- Key created | Recovery\PendingRecovery | iexplore.exe
- Key created | MINIE | iexplore.exe
- Key created | IETld\LowMic | iexplore.exe
- Key created | IntelliForms | iexplore.exe
- Key created | LowRegistry | iexplore.exe
- Key created | BrowserEmulation\LowMic | iexplore.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
- 3004 | reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
- 1832 | notepad.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
All 64 entries belong to pid 236, wcmd.exe. The first four tokens are SeTakeOwnershipPrivilege, SeRestorePrivilege, SeBackupPrivilege and SeDebugPrivilege; the following sequence of 20 tokens then repeats three times:
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: 33
- Token: 34
- Token: 35
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
- 2672 | iexplore.exe
- 2672 | iexplore.exe
- 1224 | TheEye-x64.exe (repeated for every remaining entry)
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
- 2672 | iexplore.exe
- 2672 | iexplore.exe
- 2808 | IEXPLORE.EXE
- 2808 | IEXPLORE.EXE
- 2808 | IEXPLORE.EXE
- 2808 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 34 IoCs
description | pid | Process | procid_target (identical rows collapsed; the count is given in brackets)
- PID 2672 wrote to memory of 2808 | 2672 | iexplore.exe | 31 [4]
- PID 2672 wrote to memory of 1224 | 2672 | iexplore.exe | 33 [4]
- PID 1224 wrote to memory of 1832 | 1224 | TheEye-x64.exe | 34 [4]
- PID 1224 wrote to memory of 3008 | 1224 | TheEye-x64.exe | 35 [4]
- PID 3008 wrote to memory of 1460 | 3008 | CHLogOn.exe | 36 [4]
- PID 1460 wrote to memory of 3004 | 1460 | cmd.exe | 38 [3]
- PID 1224 wrote to memory of 236 | 1224 | TheEye-x64.exe | 39 [7]
- PID 1224 wrote to memory of 2552 | 1224 | TheEye-x64.exe | 42 [4]
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | TheEye-x64.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | TheEye-x64.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | TheEye-x64.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (child processes are indented under their parent)
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/JackDoesMalwares/trojan-leaks/raw/refs/heads/main/TheEye-x64.exe
  PID: 2672
  Signatures: Modifies Internet Explorer Phishing Filter; Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
    PID: 2808
    Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe"
    PID: 1224
    Signatures: Modifies WinLogon for persistence; UAC bypass; Blocks application from running via registry modification; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled; Sets desktop wallpaper using registry; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\notepad.exe
      Command line: "C:\Windows\notepad.exe" C:\Users\Admin\AppData\Local\Temp\note.txt
      PID: 1832
      Signatures: Opens file in notepad (likely ransom note)
    - C:\Windows\debug\CHLogOn.exe
      Command line: "C:\Windows\debug\CHLogOn.exe"
      PID: 3008
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5B79.tmp\5B7A.tmp\5B7B.bat C:\Windows\debug\CHLogOn.exe"
        PID: 1460
        Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\reg.exe
          Command line: REG add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background /v OEMBackground /t REG_DWORD /d 1 /f
          PID: 3004
          Signatures: Modifies registry key
    - C:\Windows\debug\wcmd.exe
      Command line: "C:\Windows\debug\wcmd.exe" C:\Windows\debug\main.bs7
      PID: 236
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\wbem\wmic.exe
      Command line: "C:\Windows\System32\wbem\wmic.exe" shadowcopy delete
      PID: 2552
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 944
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1920
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2712
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Indicator Removal (1): File Deletion (1)
- Modify Registry (7)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\TheEye-x64.exe.w46vfpa.partial
Filesize: 17.8MB
MD5: 914d34ecdfa0ef6430ca4809e7a8c10c
SHA1: 0e00f756f0997414af61b0ba2e1ea78a44619e9d
SHA256: fe79fb788f0fc6c4752f7bab66a52d8a4a1d15aa3821a919b9af6ba2c03aa5ae
SHA512: cee271e233c472ae2bbc298ca8cf9de08993f7db2f8d8503025e9a644af6ccfc1290a3c02d91854788c316fa2240a155609edb9c87be5470fde1d5abae546e11