Malware Analysis Report

2025-08-05 17:23

Sample ID 221031-2w382aehcm
Target 317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17
SHA256 317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17
Tags N/A
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17

Threat Level: Likely malicious

The file 317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17 was found to be: Likely malicious.

The signatures behind that verdict are generic. DPInst64.exe is the file name of Microsoft's Driver Package Installer, and C:\Windows\DPINST.LOG is the log that tool writes, so the behaviour itemised below (a WinRAR self-extracting archive, staged under a RarSFX0 directory, that unpacks and runs DPInst64.exe) is also what a legitimate driver package would produce. The report does not show whether the dropped binary is the genuine signed tool, nor what else the archive contained. The summary entry "Suspicious use of WriteProcessMemory" is not itemised in either detonation below, so it cannot be tied to a process from this report.

Malicious Activity Summary


Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V6

N/A

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:56

Reported

2022-10-31 22:59

Platform

win7-20220812-en

Max time kernel

38s

Max time network

41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17.exe"

Signatures

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17.exe

Drops file in Windows directory

Description: File opened for modification
Indicator: C:\Windows\DPINST.LOG
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17.exe

"C:\Users\Admin\AppData\Local\Temp\317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe"

Network

N/A

Files

memory/1988-54-0x0000000075911000-0x0000000075913000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe

MD5 c3ac43b2018114a617e946aa8fdf3cac
SHA1 2d90f38bc995c9cd5efec52109f8bd2468001ca7
SHA256 ef6c5fe9f08be67f24c7dfa5c7bc3d69ab4e387e6065602d45ba358289f05117
SHA512 8c471a2575751c5995b10859219b979d75c8e8e4496604c0718268d8367790c5bb8e6dd47c735dcecd02a62dbb0d8fbbb70ea1d085ad7b798491a3d831cd9488

memory/2036-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe

MD5 c3ac43b2018114a617e946aa8fdf3cac
SHA1 2d90f38bc995c9cd5efec52109f8bd2468001ca7
SHA256 ef6c5fe9f08be67f24c7dfa5c7bc3d69ab4e387e6065602d45ba358289f05117
SHA512 8c471a2575751c5995b10859219b979d75c8e8e4496604c0718268d8367790c5bb8e6dd47c735dcecd02a62dbb0d8fbbb70ea1d085ad7b798491a3d831cd9488

memory/2036-58-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe

MD5 c3ac43b2018114a617e946aa8fdf3cac
SHA1 2d90f38bc995c9cd5efec52109f8bd2468001ca7
SHA256 ef6c5fe9f08be67f24c7dfa5c7bc3d69ab4e387e6065602d45ba358289f05117
SHA512 8c471a2575751c5995b10859219b979d75c8e8e4496604c0718268d8367790c5bb8e6dd47c735dcecd02a62dbb0d8fbbb70ea1d085ad7b798491a3d831cd9488

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-31 22:56

Reported

2022-10-31 22:59

Platform

win10v2004-20220812-en

Max time kernel

89s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17.exe"

Signatures

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17.exe

Drops file in Windows directory

Description: File opened for modification
Indicator: C:\Windows\DPINST.LOG
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe

Enumerates physical storage devices
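The signatures above are the kind of rule a detection engineer would want to reproduce over their own telemetry rather than trust as an opaque score. The block below is an added example, not sandbox code: it re-implements "Executes dropped EXE", "Checks computer location settings" and "Drops file in Windows directory" as rules over an ordered trace of process, file and registry events, and adds one heuristic of its own (execution from a WinRAR SFX staging directory, which the RarSFX0 path in this report suggests). The trace is constructed to mirror what the two detonations show; the pids are the numbers from the report's memory dump names and are assumed to be process ids.

```python
"""Behavioural signatures from the report re-implemented as detection rules.
Added example; the event trace is constructed, not captured sandbox output."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe"
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation"

# Constructed trace in the order a sandbox would record it (pids 1988/2036 taken
# from the report's dump names; ppid 1234 for the launcher is an assumption).
TRACE = [
    {"op": "process_create", "pid": 1988, "ppid": 1234, "image": SAMPLE},
    {"op": "file_write",     "pid": 1988, "path": DROPPED},
    {"op": "registry_query", "pid": 1988, "key": GEO_KEY},
    {"op": "process_create", "pid": 2036, "ppid": 1988, "image": DROPPED},
    {"op": "file_write",     "pid": 2036, "path": r"C:\Windows\DPINST.LOG"},
]

WINDOWS_DIR = "c:\\windows\\"
GEO_NATION_SUFFIX = "\\control panel\\international\\geo\\nation"
# Added heuristic: WinRAR self-extractors stage their payload under %TEMP%\RarSFX<n>\.
SFX_TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\rarsfx\d+\\", re.IGNORECASE)


def run_signatures(trace):
    """Return {signature name: [indicator strings]} for every rule that fires."""
    hits = defaultdict(list)
    written = {}                       # lowercase path -> pid that first wrote it
    for ev in trace:
        if ev["op"] == "file_write":
            path = ev["path"].lower()
            written.setdefault(path, ev["pid"])
            if path.startswith(WINDOWS_DIR):
                hits["Drops file in Windows directory"].append(f"{ev['path']} by pid {ev['pid']}")
        elif ev["op"] == "process_create":
            image = ev["image"].lower()
            # "Dropped" = a file some process in this trace wrote before it was executed.
            if image in written:
                hits["Executes dropped EXE"].append(f"{ev['image']} (dropped by pid {written[image]})")
            if SFX_TEMP_DIR.search(image):
                hits["Runs from WinRAR SFX temp directory"].append(ev["image"])
        elif ev["op"] == "registry_query":
            if ev["key"].lower().endswith(GEO_NATION_SUFFIX):
                hits["Checks computer location settings"].append(f"{ev['key']} by pid {ev['pid']}")
    return dict(hits)


if __name__ == "__main__":
    for name, indicators in run_signatures(TRACE).items():
        print(name)
        for ind in indicators:
            print("   ", ind)
```

Note what fires on this trace: "Drops file in Windows directory" is triggered by DPINST.LOG, which is simply the log DPInst writes, so on its own it is weak evidence. The chain that is actually worth alerting on is a binary executed out of a RarSFX staging directory that was written moments earlier by its parent; that is what the "Executes dropped EXE" rule captures once the file-write bookkeeping is in place.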

Processes

C:\Users\Admin\AppData\Local\Temp\317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17.exe

"C:\Users\Admin\AppData\Local\Temp\317ee3f84dafc40dac46642ae917cb42fdcb185e43bfb78dc3d6cbc9c4472e17.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe"

Network

Country Destination Domain Proto
US 209.197.3.8:80 N/A tcp (4 connections)
US 13.107.21.200:443 N/A tcp
NL 104.80.225.205:443 N/A tcp
US 8.247.210.254:80 N/A tcp

No domain is recorded for any of these connections and the report does not tie them to a process; the win7 detonation (behavioral1) recorded no network activity at all. Until they are correlated with process-level network events they should be treated as unattributed rather than as command-and-control.

Files

memory/924-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe

MD5 c3ac43b2018114a617e946aa8fdf3cac
SHA1 2d90f38bc995c9cd5efec52109f8bd2468001ca7
SHA256 ef6c5fe9f08be67f24c7dfa5c7bc3d69ab4e387e6065602d45ba358289f05117
SHA512 8c471a2575751c5995b10859219b979d75c8e8e4496604c0718268d8367790c5bb8e6dd47c735dcecd02a62dbb0d8fbbb70ea1d085ad7b798491a3d831cd9488
