Malware Analysis Report

2025-08-05 14:35

Sample ID 250702-x3jqra1ky9
Target RC7.SERVERSIDED.exe
SHA256 d01eb5e055638b7c7268936da934b03b603b853a55fbbe7b571fb94e384301ce
Tags: discovery
Score: 3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 3/10

SHA256

d01eb5e055638b7c7268936da934b03b603b853a55fbbe7b571fb94e384301ce

Threat Level: Likely benign

The file RC7.SERVERSIDED.exe was found to be: Likely benign.

Malicious Activity Summary

discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-02 19:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-02 19:22

Reported

2025-07-02 19:23

Platform

win10v2004-20250619-en

Max time kernel

23s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 936 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | C:\Windows\system32\cmd.exe
PID 936 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe

"C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8A3E.tmp\8A3F.tmp\8A40.bat C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
GB | 2.18.27.76:443 | www.bing.com | tcp

Files

memory/936-0-0x0000000000417000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8A3E.tmp\8A3F.tmp\8A40.bat

MD5 c918928b3808b2aeebfcaa06592a5bcf
SHA1 d83f78a695ceed8f24c7f5bb0b1e77069dca7f99
SHA256 7f25f034c711c847a530736317a936d77f6145d6a8e9b9b71b9ff2bc69f7df52
SHA512 30d59baccd8e68cc1abfe786b1e4520b7b97a74d24a1a797e152290f2ffdaac5a51a30ad850b1cc2c9cd841f8f22373b12253994658826425910067aead91915

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-02 19:22

Reported

2025-07-02 19:23

Platform

win11-20250610-en

Max time kernel

57s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-903960561-1545645218-4290906778-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3604 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | C:\Windows\system32\cmd.exe
PID 3604 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe | C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe

"C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7E19.tmp\7E1A.tmp\7E2B.bat C:\Users\Admin\AppData\Local\Temp\RC7.SERVERSIDED.exe"

Network

Files

memory/3604-0-0x0000000000417000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7E19.tmp\7E1A.tmp\7E2B.bat

MD5 c918928b3808b2aeebfcaa06592a5bcf
SHA1 d83f78a695ceed8f24c7f5bb0b1e77069dca7f99
SHA256 7f25f034c711c847a530736317a936d77f6145d6a8e9b9b71b9ff2bc69f7df52
SHA512 30d59baccd8e68cc1abfe786b1e4520b7b97a74d24a1a797e152290f2ffdaac5a51a30ad850b1cc2c9cd841f8f22373b12253994658826425910067aead91915