Analysis
- max time kernel: 91s
- max time network: 99s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01/05/2024, 06:05
Static task: static1
Behavioral task: behavioral1
  Sample: SevenRedCodeDotnet.exe
  Resource: win10v2004-20240419-en
Behavioral task: behavioral2
  Sample: SevenRedCodeDotnet.exe
  Resource: win11-20240426-en
General
- Target: SevenRedCodeDotnet.exe
- Size: 27KB
- MD5: 5ae9732fbd8a3404e4914e96aaedddce
- SHA1: 90128fcf994a12ecaddedad371470a907f2b31de
- SHA256: 0025b64d6da82f3e885a04ae7ef56b997f22516ec385550cd3ae7e84fdabe402
- SHA512: 6257fa81a8542bf7a2daedd010153eb118569b625fd483a0d3edf89a6a5505516bc59ced9a45858a2edf0d9e9691df971eaf3c11dfbeefaab9c763a578581bd5
- SSDEEP: 384:HILkvRsJpkyPer+5TDFGTFeWJTnVNybtvCMbrMcD4yvkjvcK5M/sYipRP1YUxlvq:o4dJTHybSQd0aGF+
Malware Config
Signatures
- Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\SevenRedCodeDotnet.exe | attrib.exe
  File opened for modification | C:\Windows\SysWOW64\SevenRedCodeDotnet.exe | attrib.exe
  File created | C:\Windows\SysWOW64\SevenRedCodeDotnet.exe | cmd.exe
  File opened for modification | C:\Windows\SysWOW64\SevenRedCodeDotnet.exe | cmd.exe
  File opened for modification | C:\Windows\SysWOW64\SevenRedCodeDotnet.exe | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  440 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3964 | SevenRedCodeDotnet.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target
  PID 3964 wrote to memory of 404 | 3964 | SevenRedCodeDotnet.exe | 79
  PID 3964 wrote to memory of 404 | 3964 | SevenRedCodeDotnet.exe | 79
  PID 3964 wrote to memory of 404 | 3964 | SevenRedCodeDotnet.exe | 79
  PID 3964 wrote to memory of 3432 | 3964 | SevenRedCodeDotnet.exe | 81
  PID 3964 wrote to memory of 3432 | 3964 | SevenRedCodeDotnet.exe | 81
  PID 3964 wrote to memory of 3432 | 3964 | SevenRedCodeDotnet.exe | 81
  PID 3964 wrote to memory of 5092 | 3964 | SevenRedCodeDotnet.exe | 82
  PID 3964 wrote to memory of 5092 | 3964 | SevenRedCodeDotnet.exe | 82
  PID 3964 wrote to memory of 5092 | 3964 | SevenRedCodeDotnet.exe | 82
  PID 3964 wrote to memory of 836 | 3964 | SevenRedCodeDotnet.exe | 83
  PID 3964 wrote to memory of 836 | 3964 | SevenRedCodeDotnet.exe | 83
  PID 3964 wrote to memory of 836 | 3964 | SevenRedCodeDotnet.exe | 83
  PID 3964 wrote to memory of 2888 | 3964 | SevenRedCodeDotnet.exe | 84
  PID 3964 wrote to memory of 2888 | 3964 | SevenRedCodeDotnet.exe | 84
  PID 3964 wrote to memory of 2888 | 3964 | SevenRedCodeDotnet.exe | 84
  PID 3964 wrote to memory of 4020 | 3964 | SevenRedCodeDotnet.exe | 85
  PID 3964 wrote to memory of 4020 | 3964 | SevenRedCodeDotnet.exe | 85
  PID 3964 wrote to memory of 4020 | 3964 | SevenRedCodeDotnet.exe | 85
  PID 3964 wrote to memory of 4276 | 3964 | SevenRedCodeDotnet.exe | 86
  PID 3964 wrote to memory of 4276 | 3964 | SevenRedCodeDotnet.exe | 86
  PID 3964 wrote to memory of 4276 | 3964 | SevenRedCodeDotnet.exe | 86
  PID 4276 wrote to memory of 652 | 4276 | cmd.exe | 93
  PID 4276 wrote to memory of 652 | 4276 | cmd.exe | 93
  PID 4276 wrote to memory of 652 | 4276 | cmd.exe | 93
  PID 836 wrote to memory of 708 | 836 | cmd.exe | 94
  PID 836 wrote to memory of 708 | 836 | cmd.exe | 94
  PID 836 wrote to memory of 708 | 836 | cmd.exe | 94
  PID 5092 wrote to memory of 2772 | 5092 | cmd.exe | 95
  PID 5092 wrote to memory of 2772 | 5092 | cmd.exe | 95
  PID 5092 wrote to memory of 2772 | 5092 | cmd.exe | 95
  PID 4020 wrote to memory of 2112 | 4020 | cmd.exe | 96
  PID 4020 wrote to memory of 2112 | 4020 | cmd.exe | 96
  PID 4020 wrote to memory of 2112 | 4020 | cmd.exe | 96
  PID 3964 wrote to memory of 440 | 3964 | SevenRedCodeDotnet.exe | 97
  PID 3964 wrote to memory of 440 | 3964 | SevenRedCodeDotnet.exe | 97
  PID 3964 wrote to memory of 440 | 3964 | SevenRedCodeDotnet.exe | 97
- Views/modifies file attributes (1 TTPs, 4 IoCs)
  pid | Process
  652 | attrib.exe
  708 | attrib.exe
  2112 | attrib.exe
  2772 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3964
  - C:\Windows\SysWOW64\cmd.exe
    Command: "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Windows\System32\SevenRedCodeDotnet.exe
    - Drops file in System32 directory
    PID: 404
  - C:\Windows\SysWOW64\cmd.exe
    Command: "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Users\Public\Documents\SevenRedCodeDotnet.exe
    PID: 3432
  - C:\Windows\SysWOW64\cmd.exe
    Command: "cmd.exe" /C attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
    - Suspicious use of WriteProcessMemory
    PID: 5092
    - C:\Windows\SysWOW64\attrib.exe
      Command: attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
      - Drops file in System32 directory
      - Views/modifies file attributes
      PID: 2772
  - C:\Windows\SysWOW64\cmd.exe
    Command: "cmd.exe" /C attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
    - Suspicious use of WriteProcessMemory
    PID: 836
    - C:\Windows\SysWOW64\attrib.exe
      Command: attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
      - Views/modifies file attributes
      PID: 708
  - C:\Windows\SysWOW64\cmd.exe
    Command: "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Windows\System32\SevenRedCodeDotnet.exe
    - Drops file in System32 directory
    PID: 2888
  - C:\Windows\SysWOW64\cmd.exe
    Command: "cmd.exe" /C attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
    - Suspicious use of WriteProcessMemory
    PID: 4020
    - C:\Windows\SysWOW64\attrib.exe
      Command: attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
      - Drops file in System32 directory
      - Views/modifies file attributes
      PID: 2112
  - C:\Windows\SysWOW64\cmd.exe
    Command: "cmd.exe" /C attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
    - Suspicious use of WriteProcessMemory
    PID: 4276
    - C:\Windows\SysWOW64\attrib.exe
      Command: attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
      - Views/modifies file attributes
      PID: 652
  - C:\Windows\SysWOW64\schtasks.exe
    Command: "C:\Windows\System32\schtasks.exe" /create /tn "SevenRecode" /tr "C:\Windows\System32\Winhttp.exe" /sc minute /mo 1 /rl highest /f
    - Creates scheduled task(s)
    PID: 440
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 27KB
  MD5: 5ae9732fbd8a3404e4914e96aaedddce
  SHA1: 90128fcf994a12ecaddedad371470a907f2b31de
  SHA256: 0025b64d6da82f3e885a04ae7ef56b997f22516ec385550cd3ae7e84fdabe402
  SHA512: 6257fa81a8542bf7a2daedd010153eb118569b625fd483a0d3edf89a6a5505516bc59ced9a45858a2edf0d9e9691df971eaf3c11dfbeefaab9c763a578581bd5