5db37b4e53d6aa13481ae8d4d82907dbe652909e84b730c56dc2f7a89846cfda

Analysis

max time kernel
150s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
01/05/2024, 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SevenRedCodeDotnet.exe
Size

28KB
MD5

3b1ce9c2afe664f11ddfacceeca0875a
SHA1

166c88a4ccd007c5b460f77b8b1f5726ac91e22a
SHA256

5db37b4e53d6aa13481ae8d4d82907dbe652909e84b730c56dc2f7a89846cfda
SHA512

4f9bb3272e829e3959ad3c3ae459f8fcc36e73f58f5b86e1ce248261e6cbda820688a15dcad81f3e2cfffbdae5606faf730d035219644048b45f30afcb04ca01
SSDEEP

384:aTTADuwXZAQ+XKlT4AybtvCwrMc+4jvkjvcK5MhsYilRt9VSTxM66YNT/IszFd26:aTTAawS21jybWUnUZS99/gK

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (1069) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt.sos	SevenRedCodeDotnet.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DefaultAccountTile.png.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\slmgr.vbs.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\SevenRedCodeDotnet.exe	attrib.exe
File created	C:\Windows\SysWOW64\Msdtc\Trace\msdtcvtr.bat.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Event.Format.ps1xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnport.vbs.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\SecurityAndMaintenance.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\sppui\phone.inf.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prncnfg.vbs.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\Msdtc\Trace\msdtcvtr.bat.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\SevenRedCodeDotnet.exe	cmd.exe
File created	C:\Windows\SysWOW64\ieuinit.inf.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\SecurityAndMaintenance.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.ps1xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.Format.ps1xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\NdfEventView.xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnqctl.vbs.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\DefaultAccountTile.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\icsxml\pppcfg.xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\F12\Timeline.cpu.xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\ras\pad.inf.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\wbem\xsl-mappings.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\WindowsCodecsRaw.txt.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\winrm.vbs.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\icsxml\potscfg.xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\ieuinit.inf.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\wsmanconfig_schema.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\getevent.types.ps1xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\SevenRedCodeDotnet.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\tcpbidi.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\icsxml\ipcfg.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\typesv3.ps1xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.ps1xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\SevenRedCodeDotnet.exe	attrib.exe
File created	C:\Windows\SysWOW64\AppxProvisioning.xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\WwanFeatureTests.xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\@EnrollmentToastIcon.png.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\@WirelessDisplayToast.png.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\ras\switch.inf.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prncnfg.vbs.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\AppxProvisioning.xml.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt.sos	SevenRedCodeDotnet.exe
File opened for modification	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnmngr.vbs.sos	SevenRedCodeDotnet.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PeopleSmallTile.scale-125.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-200.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-unplated.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-32_altform-unplated.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\ContentDirectory.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.scale-100_contrast-black.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-80.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintStoreLogo.scale-150.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-unplated_contrast-black.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-72.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-100_contrast-black.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-40_altform-unplated_contrast-white.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateAppIcon.scale-400.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Snooze.scale-64.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-40.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-125.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-32_altform-unplated.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-100.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-lightunplated_contrast-white.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Photo_RainbowCurve_Thumbnail_Dark.jpg.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintMedTile.scale-400.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.targetsize-36_altform-unplated.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.OneDriveSync_21220.1024.5.0_neutral__8wekyb3d8bbwe\AppxBlockMap.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\Assets\Xbox_UnplatedLargeTile.scale-200.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-150.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-180.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60_altform-lightunplated_contrast-black.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PaintWideTile.scale-100.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.scale-400.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateWide310x150Logo.scale-150.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-256_altform-unplated.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TipsSmallTile.scale-125_contrast-white.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\GetHelpSplashScreen.scale-100_contrast-white.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PeopleStoreLogo.scale-125.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateSquare71x71Logo.scale-150.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Xbox_SplashScreen.scale-100.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GetHelpSplashScreen.scale-100.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-100.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\WeatherStoreLogo.scale-100.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-200.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-lightunplated_contrast-black.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Illustrations\icon3.scale-100_theme-dark.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Graphing.targetsize-16.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-125.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-32_contrast-black.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png.sos	SevenRedCodeDotnet.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\Square150x150Logo.scale-100.png.sos	SevenRedCodeDotnet.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\typescriptServices.js.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\NarratorSmallTile.scale-400.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.22000.1_none_6d5619d8ba52aa97\Ring08.wav.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemResources\Windows.UI.Shell\Images\RequestedDownloadsLargeCloudIcon.contrast-black_scale-150.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-editions-professional_31bf3856ad364e35_10.0.22000.493_none_d79931409fc7d526\ServerRdshEdition.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_dual_c_primitive.inf_31bf3856ad364e35_10.0.22000.1_none_f0ee8aec3fc2c915\c_primitive.inf.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.22000.120_none_28babea403fb06cb\wide310x150logo.scale-400_contrast-black.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devicediagnostic_31bf3856ad364e35_10.0.22000.1_none_3f68af393f88a53d\TS_DeviceDisabled.ps1.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.22000.1_none_6d5619d8ba52aa97\Windows Message Nudge.wav.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Splashscreen.scale-125_contrast-white.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppxManifest.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\cssfileicon.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-searchdiagnostic_31bf3856ad364e35_10.0.22000.1_none_87ec6e24f8262761\TS_IndexingServiceCrashing.ps1.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-80_altform-lightunplated.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\enterpriseNgcEnrollment.js.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\INF\mdmc26a.inf.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22000.469_none_160103e31c4d8d88\wide.DefaultPinTile.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msmq-bpa_31bf3856ad364e35_10.0.22000.1_none_1d58323481bc1a8a\Msmq.ps1.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.22000.1_none_e4512f709bf99514\24.txt.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\ImmersiveControlPanel\images\Extras.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\deviceDisplayNameSetup.js.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ifiedwritefilter-ux_31bf3856ad364e35_10.0.22000.1_none_40114fa4882d9762\ResetDriveSquare44x44Logo.scale-200_contrast-black.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-printerdiagnostic_31bf3856ad364e35_10.0.22000.1_none_1c02ded69f82821d\RS_PrinterTurnedOff.ps1.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_systemresource-wind..-ui-accountscontrol_31bf3856ad364e35_10.0.22000.1_none_28587f5d588ad881\Exchange.Theme-Light_Scale-400.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\diagnostics\system\IESecurity\RS_Blockpopups.ps1.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-80_altform-unplated_contrast-white.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square150x150Logo.contrast-white_scale-100.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..er.appxmain.ratings_31bf3856ad364e35_10.0.22000.1_none_9f994bec1559e1ba\RatingStars31.contrast-white_scale-200.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\diagnostics\system\WindowsUpdate\CL_SetupEnv.ps1.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\Assets\SplashScreen.scale-100.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\oobe-frame-vm.js.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..l.desktop.searchapp_31bf3856ad364e35_10.0.22000.1_none_d7fb8c7bd4b1b9b1\3.html.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_systemresource-wind..-ui-accountscontrol_31bf3856ad364e35_10.0.22000.1_none_28587f5d588ad881\Outlook.Theme-Dark_Scale-150.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_10.0.22000.1_none_eb98c9bc288ef977\ManageAppSettings.aspx.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Assets\PasswordExpiry.contrast-white_scale-400.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_dual_wvid.inf_31bf3856ad364e35_10.0.22000.434_none_ed88c7f7867dda6c\f\wvid.inf.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\oobelocalngc-vm.js.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-printerdiagnostic_31bf3856ad364e35_10.0.22000.1_none_1c02ded69f82821d\CL_Utility.ps1.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22000.469_none_160103e31c4d8d88\TileSmall.scale-100.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.22000.194_none_a9ffdf7b2efc21ec\975b69eb30393cebd6885b635d2336e84c986366.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\appFrame.js.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_dual_c_barcodescanner.inf_31bf3856ad364e35_10.0.22000.1_none_b3bf952622e7dff2\c_barcodescanner.inf.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_dual_c_magneticstripereader.inf_31bf3856ad364e35_10.0.22000.1_none_ff957d8d31c4404e\c_magneticstripereader.inf.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iebrowsewebdiagnostic_31bf3856ad364e35_10.0.22000.1_none_7abcd2df723257cf\TS_IEAddonLoadingTime.ps1.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_dual_prnms005.inf_31bf3856ad364e35_10.0.22000.100_none_6434df14b94e17e3\Amd64\MSxpsPS-pipelineconfig.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\Media\Alarm01.wav.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\oobecortana-page.js.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.22000.1_none_320485a967710068\CellularToast.scale-400_contrast-black.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bluetoothdiagnostic_31bf3856ad364e35_10.0.22000.1_none_effa244e51dec0bf\RC_DriverProblem.ps1.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\wow64_microsoft.windows.powershell.v3.common_31bf3856ad364e35_10.0.22000.1_none_f822e31abccf3860\HelpV3.format.ps1xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemResources\Windows.UI.Shell\Images\RequestedDownloadsCloudIcon.contrast-black_scale-400.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\Media\Windows Information Bar.wav.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.22000.493_none_a9fee4e32efd000a\4b53860889d3f3c448fc514d2ea0120100076816.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.22000.282_none_10e4c14208d6d2d3\DMR_48.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square150x150Logo.scale-100.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\Media\dm\Windows Hardware Insert.wav.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WaaS\regkeys\0cf49350999533e06203e66617b9a479c64e3b98.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-40.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\INF\hidscanner.inf.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22000.469_none_160103e31c4d8d88\wide.Contact.png.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..stratorcore-service_31bf3856ad364e35_10.0.22000.1_none_f431c36493ae92fd\43ee7b2a373632f9a701249fd96d0edec2ff1279.xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-netadaptercim_31bf3856ad364e35_10.0.22000.1_none_d9c0919229c56d22\MSFT_NetAdapterRss.Format.ps1xml.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\WinSxS\x86_netfx4-cfx_extended_sql_files_b03f5f7f11d50a3a_4.0.15806.0_none_be328b68895da47a\SqlPersistenceService_Schema.sql.sos	SevenRedCodeDotnet.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\wide310x150logo.scale-200_contrast-white.png.sos	SevenRedCodeDotnet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2368	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	SevenRedCodeDotnet.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1952	5072	SevenRedCodeDotnet.exe	82
PID 5072 wrote to memory of 1952	5072	SevenRedCodeDotnet.exe	82
PID 5072 wrote to memory of 1952	5072	SevenRedCodeDotnet.exe	82
PID 5072 wrote to memory of 4016	5072	SevenRedCodeDotnet.exe	84
PID 5072 wrote to memory of 4016	5072	SevenRedCodeDotnet.exe	84
PID 5072 wrote to memory of 4016	5072	SevenRedCodeDotnet.exe	84
PID 5072 wrote to memory of 2676	5072	SevenRedCodeDotnet.exe	86
PID 5072 wrote to memory of 2676	5072	SevenRedCodeDotnet.exe	86
PID 5072 wrote to memory of 2676	5072	SevenRedCodeDotnet.exe	86
PID 5072 wrote to memory of 2072	5072	SevenRedCodeDotnet.exe	88
PID 5072 wrote to memory of 2072	5072	SevenRedCodeDotnet.exe	88
PID 5072 wrote to memory of 2072	5072	SevenRedCodeDotnet.exe	88
PID 5072 wrote to memory of 4816	5072	SevenRedCodeDotnet.exe	90
PID 5072 wrote to memory of 4816	5072	SevenRedCodeDotnet.exe	90
PID 5072 wrote to memory of 4816	5072	SevenRedCodeDotnet.exe	90
PID 2676 wrote to memory of 4988	2676	cmd.exe	92
PID 2676 wrote to memory of 4988	2676	cmd.exe	92
PID 2676 wrote to memory of 4988	2676	cmd.exe	92
PID 5072 wrote to memory of 2140	5072	SevenRedCodeDotnet.exe	93
PID 5072 wrote to memory of 2140	5072	SevenRedCodeDotnet.exe	93
PID 5072 wrote to memory of 2140	5072	SevenRedCodeDotnet.exe	93
PID 5072 wrote to memory of 2964	5072	SevenRedCodeDotnet.exe	95
PID 5072 wrote to memory of 2964	5072	SevenRedCodeDotnet.exe	95
PID 5072 wrote to memory of 2964	5072	SevenRedCodeDotnet.exe	95
PID 2072 wrote to memory of 3624	2072	cmd.exe	96
PID 2072 wrote to memory of 3624	2072	cmd.exe	96
PID 2072 wrote to memory of 3624	2072	cmd.exe	96
PID 5072 wrote to memory of 1424	5072	SevenRedCodeDotnet.exe	98
PID 5072 wrote to memory of 1424	5072	SevenRedCodeDotnet.exe	98
PID 5072 wrote to memory of 1424	5072	SevenRedCodeDotnet.exe	98
PID 5072 wrote to memory of 5008	5072	SevenRedCodeDotnet.exe	100
PID 5072 wrote to memory of 5008	5072	SevenRedCodeDotnet.exe	100
PID 5072 wrote to memory of 5008	5072	SevenRedCodeDotnet.exe	100
PID 5072 wrote to memory of 2104	5072	SevenRedCodeDotnet.exe	102
PID 5072 wrote to memory of 2104	5072	SevenRedCodeDotnet.exe	102
PID 5072 wrote to memory of 2104	5072	SevenRedCodeDotnet.exe	102
PID 5072 wrote to memory of 2376	5072	SevenRedCodeDotnet.exe	104
PID 5072 wrote to memory of 2376	5072	SevenRedCodeDotnet.exe	104
PID 5072 wrote to memory of 2376	5072	SevenRedCodeDotnet.exe	104
PID 5008 wrote to memory of 1396	5008	cmd.exe	106
PID 5008 wrote to memory of 1396	5008	cmd.exe	106
PID 5008 wrote to memory of 1396	5008	cmd.exe	106
PID 5072 wrote to memory of 1556	5072	SevenRedCodeDotnet.exe	107
PID 5072 wrote to memory of 1556	5072	SevenRedCodeDotnet.exe	107
PID 5072 wrote to memory of 1556	5072	SevenRedCodeDotnet.exe	107
PID 2104 wrote to memory of 3196	2104	cmd.exe	109
PID 2104 wrote to memory of 3196	2104	cmd.exe	109
PID 2104 wrote to memory of 3196	2104	cmd.exe	109
PID 2376 wrote to memory of 3892	2376	cmd.exe	110
PID 2376 wrote to memory of 3892	2376	cmd.exe	110
PID 2376 wrote to memory of 3892	2376	cmd.exe	110
PID 5072 wrote to memory of 2368	5072	SevenRedCodeDotnet.exe	111
PID 5072 wrote to memory of 2368	5072	SevenRedCodeDotnet.exe	111
PID 5072 wrote to memory of 2368	5072	SevenRedCodeDotnet.exe	111
PID 1556 wrote to memory of 3948	1556	cmd.exe	113
PID 1556 wrote to memory of 3948	1556	cmd.exe	113
PID 1556 wrote to memory of 3948	1556	cmd.exe	113

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1396	attrib.exe
3196	attrib.exe
3892	attrib.exe
3948	attrib.exe
4988	attrib.exe
3624	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe
"C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Windows\System32\SevenRedCodeDotnet.exe
  2⤵
  PID:1952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Users\Public\Documents\SevenRedCodeDotnet.exe
  2⤵
  PID:4016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
    3⤵
    - Views/modifies file attributes
    PID:3624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Windows\System32\SevenRedCodeDotnet.exe
  2⤵
  - Drops file in System32 directory
  PID:4816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Users\Public\Documents\SevenRedCodeDotnet.exe
  2⤵
  PID:2140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Windows\System32\SevenRedCodeDotnet.exe
  2⤵
  - Drops file in System32 directory
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Users\Public\Documents\SevenRedCodeDotnet.exe
  2⤵
  PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
    3⤵
    - Views/modifies file attributes
    PID:3196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
    3⤵
    - Views/modifies file attributes
    PID:3892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
    3⤵
    - Views/modifies file attributes
    PID:3948
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn "SevenRecode" /tr "C:\Windows\System32\Winhttp.exe" /sc minute /mo 1 /rl highest /f
  2⤵
  - Creates scheduled task(s)
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\SevenRedCodeDotnet.exe

Filesize
28KB

MD5
3b1ce9c2afe664f11ddfacceeca0875a

SHA1
166c88a4ccd007c5b460f77b8b1f5726ac91e22a

SHA256
5db37b4e53d6aa13481ae8d4d82907dbe652909e84b730c56dc2f7a89846cfda

SHA512
4f9bb3272e829e3959ad3c3ae459f8fcc36e73f58f5b86e1ce248261e6cbda820688a15dcad81f3e2cfffbdae5606faf730d035219644048b45f30afcb04ca01

Download Submit
C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\Assets\StoreLogo.scale-100.png.sos

Filesize
80B

MD5
33a9f17dd8e50ab0b614dfba8a577e12

SHA1
dcaba228b37abe75bea3611358d7ca42708ad369

SHA256
6d00b5a0ee9b03c5710969b830b0e8aab9e7936ad8ba0c44e706356a1b095774

SHA512
b3290be259fc9847ddd69126ce15508f423e7d34dcedb0bb7d0f1837137572a9db59da21b6b1ca2e7c5a9ab47c38487d24a1dd76259b7d4104f54f62cff425af

Download Submit
C:\Windows\servicing\Editions\ProfessionalEducationEdition.xml.sos

Filesize
23KB

MD5
1a1febda702fda4341b4d5e1002120ee

SHA1
4f6b8309c57b156baa8dc1b75cf240100c102be4

SHA256
5313f15560b8e957df3a7b84e3b0a9be2a4f1d49773a7250c2c288ea9a239807

SHA512
e09493f7e985be6c3c57a4bd1b3f9d91bea9e356ee65f8cb577358e9eeb31f57292947bfba505c402ba849bd043873fab2c09fd37e58b41d64ed0e5e5eab4c0f

Download Submit
memory/5072-0-0x00000000006E0000-0x00000000006EE000-memory.dmp

Filesize
56KB

Download
memory/5072-1-0x0000000074AC0000-0x0000000075271000-memory.dmp

Filesize
7.7MB

Download
memory/5072-859-0x0000000074AC0000-0x0000000075271000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads