Analysis

  • max time kernel: 91s
  • max time network: 99s
  • platform: windows11-21h2_x64
  • resource: win11-20240426-en
  • resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 01/05/2024, 06:05

General

  • Target: SevenRedCodeDotnet.exe
  • Size: 27KB
  • MD5: 5ae9732fbd8a3404e4914e96aaedddce
  • SHA1: 90128fcf994a12ecaddedad371470a907f2b31de
  • SHA256: 0025b64d6da82f3e885a04ae7ef56b997f22516ec385550cd3ae7e84fdabe402
  • SHA512: 6257fa81a8542bf7a2daedd010153eb118569b625fd483a0d3edf89a6a5505516bc59ced9a45858a2edf0d9e9691df971eaf3c11dfbeefaab9c763a578581bd5
  • SSDEEP: 384:HILkvRsJpkyPer+5TDFGTFeWJTnVNybtvCMbrMcD4yvkjvcK5M/sYipRP1YUxlvq:o4dJTHybSQd0aGF+

Score: 5/10

Signatures

  • Drops file in System32 directory (5 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)
  • Views/modifies file attributes (1 TTPs, 4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe
    "C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Windows\System32\SevenRedCodeDotnet.exe
      2⤵
      • Drops file in System32 directory
      PID:404
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Users\Public\Documents\SevenRedCodeDotnet.exe
      2⤵
      PID:3432
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
        3⤵
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:2772
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
        3⤵
        • Views/modifies file attributes
        PID:708
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\SevenRedCodeDotnet.exe C:\Windows\System32\SevenRedCodeDotnet.exe
      2⤵
      • Drops file in System32 directory
      PID:2888
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Windows\System32\SevenRedCodeDotnet.exe
        3⤵
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:2112
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Public\Documents\SevenRedCodeDotnet.exe
        3⤵
        • Views/modifies file attributes
        PID:652
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "SevenRecode" /tr "C:\Windows\System32\Winhttp.exe" /sc minute /mo 1 /rl highest /f
      2⤵
      • Creates scheduled task(s)
      PID:440

Downloads

  • C:\Windows\SysWOW64\SevenRedCodeDotnet.exe
    Filesize: 27KB
    MD5: 5ae9732fbd8a3404e4914e96aaedddce
    SHA1: 90128fcf994a12ecaddedad371470a907f2b31de
    SHA256: 0025b64d6da82f3e885a04ae7ef56b997f22516ec385550cd3ae7e84fdabe402
    SHA512: 6257fa81a8542bf7a2daedd010153eb118569b625fd483a0d3edf89a6a5505516bc59ced9a45858a2edf0d9e9691df971eaf3c11dfbeefaab9c763a578581bd5

  • memory/3964-0-0x0000000000700000-0x000000000070E000-memory.dmp
    Filesize: 56KB

  • memory/3964-1-0x00000000750D0000-0x0000000075881000-memory.dmp
    Filesize: 7.7MB

  • memory/3964-11-0x00000000750D0000-0x0000000075881000-memory.dmp
    Filesize: 7.7MB