c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Analysis

max time kernel
1799s
max time network
1783s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-12-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cn.exe
Size

520KB
MD5

2033a6d7d02690c31fa53d8717fc7ffb
SHA1

5ff0fb65c1322fba3f30a325097bd140ac9f508e
SHA256

5b81c2781d2c953f46fa7fdd815a31eebdaf8d402ab96457814cdf87583eaf1d
SHA512

8ec8cd260a54d138145ce1a2591ab3768f535518f7ea75967f5e7d89a1569a8ff4cdb33c85fb2fb31497e27aaf2a661c11fd7702fee73a0fa4652ed146d136c3
SSDEEP

12288:H8D0Pn8yQAOWqNujygoH8qCTxQSza+bqHKNci1/9aa:H8D0/JO/ujy9yTxDza3q2i1/9f

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3356	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system\DProtectSupport\svchost.exe.bak	cn.exe
File created	C:\Windows\system\DProtectSupport\svchost.exe	cn.exe
File opened for modification	C:\Windows\system\DProtectSupport\svchost.exe	cn.exe
File opened for modification	C:\Windows\system\DProtectSupport\fake.cfg	svchost.exe
File created	C:\Windows\system\DProtectSupport\fake.cfg	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cn.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe

C:\Users\Admin\AppData\Local\Temp\cn.exe
"C:\Users\Admin\AppData\Local\Temp\cn.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1476

C:\Windows\system\DProtectSupport\svchost.exe
C:\Windows\system\DProtectSupport\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DProtectSupport\svchost.exe

Filesize
281KB

MD5
eb6b77778c65e43ff9b3e3d43e1b73d5

SHA1
81172f2a3e4b387e20e3d404a09c3487d5601f70

SHA256
2afc2f49dd75c30e378fd9af09d1ff288583eb3a02b1b5efa53864fe876288df

SHA512
24c511205d6a452c7068c7a1db112042441aadf05e66665cd5caf979b1267b5512588819a24aabd0f159697faa00f417713336bbd14be9b1469d4b8aad948bd2

Download Submit
memory/1476-0-0x0000000000400000-0x0000000000516F33-memory.dmp

Filesize
1.1MB

Download
memory/1476-1-0x0000000000400000-0x0000000000516F33-memory.dmp

Filesize
1.1MB

Download
memory/1476-2-0x0000000000400000-0x0000000000516F33-memory.dmp

Filesize
1.1MB

Download
memory/1476-11-0x0000000000400000-0x0000000000516F33-memory.dmp

Filesize
1.1MB

Download