Analysis

  • max time kernel
    126s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    18-06-2021 07:27

General

  • Target

    44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe

  • Size

    7.8MB

  • MD5

    8d44ccac6b5512a416339984ad664d79

  • SHA1

    6152e1a374fd572d25fab8baae9d1b12116a7c35

  • SHA256

    44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611

  • SHA512

    c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7

Malware Config

Signatures

  • Klingon

    Klingon is a remote access trojan written in Golang with various capabilities.

  • Klingon RAT Payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Discovers systems in the same network 1 TTPs 2 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
    "C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process get Caption,ParentProcessId,ProcessId
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:740
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe ver
      2⤵
        PID:1808
      • C:\Windows\System32\Wbem\wmic.exe
        wmic process get Caption,ParentProcessId,ProcessId
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:936
      • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
        "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          3⤵
            PID:1400
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe ver
            3⤵
              PID:772
            • C:\Windows\System32\Wbem\wmic.exe
              wmic process get Caption,ParentProcessId,ProcessId
              3⤵
                PID:1052
              • C:\Users\Admin\AppData\Local\Temp\008100038.exe
                C:\Users\Admin\AppData\Local\Temp\008100038.exe
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:860
              • C:\Windows\system32\systeminfo.exe
                systeminfo
                3⤵
                • Gathers system information
                PID:1660
              • C:\Windows\system32\ipconfig.exe
                ipconfig /all
                3⤵
                • Gathers network information
                PID:1676
              • C:\Windows\system32\net.exe
                net view /all
                3⤵
                • Discovers systems in the same network
                PID:440
              • C:\Windows\system32\net.exe
                net view /all domain
                3⤵
                • Discovers systems in the same network
                PID:280
              • C:\Windows\system32\net.exe
                net users /domain
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1764
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 users /domain
                  4⤵
                    PID:1156
                • C:\Windows\system32\nltest.exe
                  nltest /domain_trusts
                  3⤵
                    PID:1400
                  • C:\Windows\system32\nltest.exe
                    nltest /domain_trusts /all_trusts
                    3⤵
                      PID:1016

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\008100038.exe

                  MD5

                  39f71c609daddb77e4e6b747154b7381

                  SHA1

                  4e0e7bd351597c9f363486ee233bedf9dac1bb64

                  SHA256

                  ebca8c4d11a3e0c6977d9e47c8777436859888010ef40195470bf450441dd1f6

                  SHA512

                  f628cb8cbe031ea2a7d11c99aab2da5bd1b382a75d633005cd1a7b945e64fc45c3280db23f1567256b4c2eb1b7f2bd2f4513fe8bbec6806296d1189edcd54b64

                • C:\Users\Admin\AppData\Local\Temp\Andrew.dmp

                  MD5

                  69ae798d6829b87b3549b629e262a369

                  SHA1

                  1c8912cecfa21cc5f2908067913408808f2c2bd0

                  SHA256

                  a21059a2921c1ee24ebd43ec5a54589121e0a666ef9ff42e0d193fc045ffcdad

                  SHA512

                  44abaa01ce5b4c16676a7d7b48666804ecd35ea9bbe76aa251dd561a41acebac7a91a38652e351cfe910e92180352103304c885ab3f6600a69e449a337ea7f2b

                • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe

                  MD5

                  8d44ccac6b5512a416339984ad664d79

                  SHA1

                  6152e1a374fd572d25fab8baae9d1b12116a7c35

                  SHA256

                  44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611

                  SHA512

                  c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7

                • \??\PIPE\lsarpc

                  MD5

                  d41d8cd98f00b204e9800998ecf8427e

                  SHA1

                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                  SHA256

                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                  SHA512

                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                • \Users\Admin\AppData\Local\Temp\008100038.exe

                  MD5

                  39f71c609daddb77e4e6b747154b7381

                  SHA1

                  4e0e7bd351597c9f363486ee233bedf9dac1bb64

                  SHA256

                  ebca8c4d11a3e0c6977d9e47c8777436859888010ef40195470bf450441dd1f6

                  SHA512

                  f628cb8cbe031ea2a7d11c99aab2da5bd1b382a75d633005cd1a7b945e64fc45c3280db23f1567256b4c2eb1b7f2bd2f4513fe8bbec6806296d1189edcd54b64

                • \Users\Admin\AppData\Local\Windows Update\updater10.exe

                  MD5

                  8d44ccac6b5512a416339984ad664d79

                  SHA1

                  6152e1a374fd572d25fab8baae9d1b12116a7c35

                  SHA256

                  44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611

                  SHA512

                  c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7

                • \Users\Admin\AppData\Local\Windows Update\updater10.exe

                  MD5

                  8d44ccac6b5512a416339984ad664d79

                  SHA1

                  6152e1a374fd572d25fab8baae9d1b12116a7c35

                  SHA256

                  44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611

                  SHA512

                  c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7

                • memory/280-76-0x0000000000000000-mapping.dmp

                • memory/440-75-0x0000000000000000-mapping.dmp

                • memory/740-59-0x0000000000000000-mapping.dmp

                • memory/772-67-0x0000000000000000-mapping.dmp

                • memory/860-70-0x0000000000000000-mapping.dmp

                • memory/936-61-0x0000000000000000-mapping.dmp

                • memory/1016-81-0x0000000000000000-mapping.dmp

                • memory/1052-68-0x0000000000000000-mapping.dmp

                • memory/1156-78-0x0000000000000000-mapping.dmp

                • memory/1400-66-0x0000000000000000-mapping.dmp

                • memory/1400-80-0x0000000000000000-mapping.dmp

                • memory/1660-72-0x0000000000000000-mapping.dmp

                • memory/1676-74-0x0000000000000000-mapping.dmp

                • memory/1764-77-0x0000000000000000-mapping.dmp

                • memory/1780-64-0x0000000000000000-mapping.dmp

                • memory/1808-60-0x0000000000000000-mapping.dmp