Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/05/2024, 05:54

General

  • Target

    SevenRedCodeDotnet.exe

  • Size

    28KB

  • MD5

    3b1ce9c2afe664f11ddfacceeca0875a

  • SHA1

    166c88a4ccd007c5b460f77b8b1f5726ac91e22a

  • SHA256

    5db37b4e53d6aa13481ae8d4d82907dbe652909e84b730c56dc2f7a89846cfda

  • SHA512

    4f9bb3272e829e3959ad3c3ae459f8fcc36e73f58f5b86e1ce248261e6cbda820688a15dcad81f3e2cfffbdae5606faf730d035219644048b45f30afcb04ca01

  • SSDEEP

    384:aTTADuwXZAQ+XKlT4AybtvCwrMc+4jvkjvcK5MhsYilRt9VSTxM66YNT/IszFd26:aTTAawS21jybWUnUZS99/gK

Malware Config

Signatures

  • Renames multiple (1009) files with added filename extension

    This suggests ransomware activity: encrypting all files on the system.

  • Drops file in Drivers directory (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Drops file in System32 directory (64 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (57 IoCs)
  • Views/modifies file attributes (1 TTP, 6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe
    "C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Windows\System32\SevenRedCodeDotnet.exe
      2⤵
      • Drops file in System32 directory
      PID:4684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Users\Public\Documents\SevenRedCodeDotnet.exe
      2⤵
      PID:2372
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
        3⤵
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:4888
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
        3⤵
        • Views/modifies file attributes
        PID:4156
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Windows\System32\SevenRedCodeDotnet.exe
      2⤵
      PID:3980
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Users\Public\Documents\SevenRedCodeDotnet.exe
      2⤵
      PID:4952
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Windows\System32\SevenRedCodeDotnet.exe
      2⤵
      PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Users\Public\Documents\SevenRedCodeDotnet.exe
      2⤵
      PID:3516
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
        3⤵
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:1960
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
        3⤵
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:3776
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
        3⤵
        • Views/modifies file attributes
        PID:2100
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
        3⤵
        • Views/modifies file attributes
        PID:4592
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "SevenRecode" /tr "C:\Windows\System32\Winhttp.exe" /sc minute /mo 1 /rl highest /f
      2⤵
      • Creates scheduled task(s)
      PID:2216

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{c2066bf6-8098-4d79-bae9-cfb04f518f0f}\0.1.filtertrie.intermediate.txt.sos
    Filesize
    16B
    MD5
    e8aaa566651759e399714d464cdfb390
    SHA1
    373942a3618c8d5ff0ba8aab8e22d4a64e5641ae
    SHA256
    1a4a61c3ade192d7f35bb5879ba1493ac39369579eaf9f73c72c44a9ecfa3a6a
    SHA512
    23f835ffc6cfa06b864ee0f945dc844cb88aa1b0ab3cf2d0f8bf616c9a7446a563875ebd04f1b23d86d5a20ccc1a2cacd3e199c228cd73e8652c6f9e34b55ce2

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{c2066bf6-8098-4d79-bae9-cfb04f518f0f}\0.2.filtertrie.intermediate.txt.sos
    Filesize
    16B
    MD5
    209371fb985ae536f7a01b2cbf06fdeb
    SHA1
    6e5d735e5a6aef442f3342931eaf47d505763578
    SHA256
    4cef54ede857b123a2b675fdce8147dbcc1a7c4d471ec5bfd8791f9e2ad9c0b3
    SHA512
    53203c3447837fc04d0114f282e5b1efaeb1e81a90a9d50bd6384bd44823ab70c37f12aca73a52f803ba61a11ed3d7fd05ea04f79fc969212dce946df89b8bbe

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086594688776.txt.sos
    Filesize
    77KB
    MD5
    ba4322cde9f13af4f9eee094e19dea74
    SHA1
    ffc075c1b81fde57b1faac59fa4bf4966017a9cc
    SHA256
    d8b9dca18a21c862ea2f5d917e2fc74dc2fa742899c7048b3a361439cff9b2fe
    SHA512
    df6042e93a93feee993707d5e584d8f4441a68909d4da032c52c19112bea7838921804b82b39098734f3749404f3b2f3befabe191da76c53ecf76e929289c391

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586091897989945.txt.sos
    Filesize
    48KB
    MD5
    d2d98991640f351111e835d43a2aa274
    SHA1
    e16657b9474a518cf5e2cc6b2bc1c52763a54f2b
    SHA256
    5ad85386a3c6dc1cf4c48ddca9151b221d2673f79c2fb3e12fa93042dded0e36
    SHA512
    75f2a271f29ad3cd9681e1cf773ed469dfe19194bd9f40837897e2fffe45579b132b9f114aa55d5fd42df15a8937a00e92e3fad7257ad408a162e7eb785a39f1

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586094768785820.txt.sos
    Filesize
    66KB
    MD5
    49decfe81666667c457426ab0aaef75f
    SHA1
    acc34ab1529ea7dd693f03363c142bdef769a7cd
    SHA256
    a43dba137e9a0e50daf794f7b2969acd3dd4232f05736aa7112ef57b86216de4
    SHA512
    bd0dd2daf63f9deddca74b6ee2f36c54efe05f920a33af26b14609850e87f9743169c6f7f5552bd38a3bc5257a29b5fe16950bba31ec1f62d56c5fff3ec5b302

  • C:\Windows\ImmersiveControlPanel\images\TileSmall.scale-100.png.sos
    Filesize
    992B
    MD5
    4bc3fa1934e7ef961f7e7cac92e1950b
    SHA1
    fabd3128d5b09055b5523b9f5e5efd7bc5c36ca1
    SHA256
    de6512ba3b589b8842eb0c27edd7de27e5250733cc041933dda4e87760d06582
    SHA512
    e16d3a66d1e6d281b5bb2d6368568795b29ef1da1b97702f66a34f0d723331bb94cfbcca9dc1fdc28a853af7031ec684ec281ed5cdfe18b5eceb9b93a891f616

  • C:\Windows\ImmersiveControlPanel\images\TinyTile.scale-100.png.sos
    Filesize
    576B
    MD5
    ea025259749e9db0e22523369f2c3b9a
    SHA1
    0258e77030935e3ffada2791519db556bc6b81ff
    SHA256
    5b114ea4c3fe481d15db4f2f0f5b76fbef9f43ac9dae4c71c8fe47e7913d713f
    SHA512
    9b789fe3f05e684e39c6c2534cb05af024132b64c8b836163e3b62f01ae28111c73b87a71e8f89ee6fe3be0bd8fa6a9f6323b479fc782614f1960b683ac1ecf6

  • C:\Windows\ImmersiveControlPanel\images\logo.scale-100.png.sos
    Filesize
    368B
    MD5
    050bcdf4d9bb6e1a14d13d0fb16336de
    SHA1
    60e2cab77ceb09f6b1f5c24fa2a089ce3c554f17
    SHA256
    33a2059629bdc70a179bcada5088a0e116599758598a24ae5e1e894da0f56ef9
    SHA512
    f2b2393db4ca188e2e0e5a35974e850b59d15f519a892adf827b8f5edf2f9b88b3d577080118837378017f470dd9ea70f3283792e2b84e17976725b2c3ec16ae

  • C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prncnfg.vbs.sos
    Filesize
    104KB
    MD5
    2b8cf2cd44709134cb4432806be2ae87
    SHA1
    58a2e665523b2d05a9cead41a2bf46d41680e131
    SHA256
    c9990beb33429b732485c170ea9e4e5fe3847e81da459becc6575e266ba93d25
    SHA512
    5050c2832b8ace6df0a63583b10fe03013dbd62d4634f9d495c8a345d06cdd0d1cd6c9bd6b6ba7ac3a0be3263147587bd0bb262966ce9861db7e71ae141645c8

  • C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnport.vbs.sos
    Filesize
    56KB
    MD5
    2279e4a585affd5b51af684842e99fe1
    SHA1
    521a0805af3c5c809b8e7b26071da878dbcc819e
    SHA256
    df75a969f3593e446f1565a2bab2832eb5cb6991bbf3c85e05c99115fc838dd3
    SHA512
    9215490642d7679b7b0aca1eea305441d461116a577ac47475340c1fd619c60109a26f51fb63c350413f6e1dbcce4799d88833b2b63f57639e6e50d742ef2da4

  • C:\Windows\SysWOW64\SevenRedCodeDotnet.exe
    Filesize
    28KB
    MD5
    3b1ce9c2afe664f11ddfacceeca0875a
    SHA1
    166c88a4ccd007c5b460f77b8b1f5726ac91e22a
    SHA256
    5db37b4e53d6aa13481ae8d4d82907dbe652909e84b730c56dc2f7a89846cfda
    SHA512
    4f9bb3272e829e3959ad3c3ae459f8fcc36e73f58f5b86e1ce248261e6cbda820688a15dcad81f3e2cfffbdae5606faf730d035219644048b45f30afcb04ca01

  • C:\Windows\servicing\Editions\ProfessionalSingleLanguageEdition.xml.sos
    Filesize
    30KB
    MD5
    664811fd86a5b42c997fe8974c81b195
    SHA1
    ab77a3641a0427a8c50afe7aa71998d87b5ebebb
    SHA256
    460e61f49272d1468d1d2fe3e3e258016d5af980214f170bfc0479d7735f77a6
    SHA512
    6360b5346e629d181d637bfd8b7709bc44456d5311ff52644aa7840086780ff86a1eedc4ff7682d002cc7babeb5870d859d98a3d9f690a94d0d843ec17a70b03

  • memory/1328-8-0x0000000074B10000-0x00000000752C0000-memory.dmp
    Filesize
    7.7MB

  • memory/1328-0-0x0000000000460000-0x000000000046E000-memory.dmp
    Filesize
    56KB

  • memory/1328-1-0x0000000074B10000-0x00000000752C0000-memory.dmp
    Filesize
    7.7MB