Analysis Overview
SHA256
d01eb5e055638b7c7268936da934b03b603b853a55fbbe7b571fb94e384301ce
Threat Level: Likely benign
The file RC7.SERVERSIDED.exe was found to be: Likely benign.
Malicious Activity Summary
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-02 19:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-02 19:22
Reported
2025-07-02 19:23
Platform
win10v2004-20250619-en
Max time kernel
23s
Max time network
18s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 936 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | C:\Windows\system32\cmd.exe |
| PID 936 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe
"C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8A3E.tmp\8A3F.tmp\8A40.bat C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
Files
memory/936-0-0x0000000000417000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8A3E.tmp\8A3F.tmp\8A40.bat
| Hash | Value |
|---|---|
| MD5 | c918928b3808b2aeebfcaa06592a5bcf |
| SHA1 | d83f78a695ceed8f24c7f5bb0b1e77069dca7f99 |
| SHA256 | 7f25f034c711c847a530736317a936d77f6145d6a8e9b9b71b9ff2bc69f7df52 |
| SHA512 | 30d59baccd8e68cc1abfe786b1e4520b7b97a74d24a1a797e152290f2ffdaac5a51a30ad850b1cc2c9cd841f8f22373b12253994658826425910067aead91915 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-02 19:22
Reported
2025-07-02 19:23
Platform
win11-20250610-en
Max time kernel
57s
Max time network
44s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-903960561-1545645218-4290906778-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3604 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | C:\Windows\system32\cmd.exe |
| PID 3604 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe
"C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7E19.tmp\7E1A.tmp\7E2B.bat C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe"
Network
Files
memory/3604-0-0x0000000000417000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7E19.tmp\7E1A.tmp\7E2B.bat
| Hash | Value |
|---|---|
| MD5 | c918928b3808b2aeebfcaa06592a5bcf |
| SHA1 | d83f78a695ceed8f24c7f5bb0b1e77069dca7f99 |
| SHA256 | 7f25f034c711c847a530736317a936d77f6145d6a8e9b9b71b9ff2bc69f7df52 |
| SHA512 | 30d59baccd8e68cc1abfe786b1e4520b7b97a74d24a1a797e152290f2ffdaac5a51a30ad850b1cc2c9cd841f8f22373b12253994658826425910067aead91915 |