klingon | 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611

Analysis

max time kernel
126s
max time network
153s
platform
windows7_x64
resource
win7v20210410
submitted
18-06-2021 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
Size

7.8MB
MD5

8d44ccac6b5512a416339984ad664d79
SHA1

6152e1a374fd572d25fab8baae9d1b12116a7c35
SHA256

44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611
SHA512

c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7

Score

10^/10

klingon persistence trojan

Malware Config

Signatures

Klingon
Klingon is a remote access trojan written in Golang with various capabilities.
trojan klingon

Klingon RAT Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0003000000013104-62.dat	family_klingon
behavioral1/files/0x0003000000013104-63.dat	family_klingon
behavioral1/files/0x0003000000013104-65.dat	family_klingon

Executes dropped EXE 2 IoCs

pid	Process
1780	updater10.exe
860	008100038.exe

Loads dropped DLL 3 IoCs

pid	Process
2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
1780	updater10.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -1 -0"	updater10.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org
7	api.ipify.org

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
440	net.exe
280	net.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1676	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1660	systeminfo.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	updater10.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	updater10.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	updater10.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	updater10.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
860	008100038.exe
860	008100038.exe
860	008100038.exe
860	008100038.exe
860	008100038.exe
860	008100038.exe
860	008100038.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	740	wmic.exe
Token: SeSecurityPrivilege	740	wmic.exe
Token: SeTakeOwnershipPrivilege	740	wmic.exe
Token: SeLoadDriverPrivilege	740	wmic.exe
Token: SeSystemProfilePrivilege	740	wmic.exe
Token: SeSystemtimePrivilege	740	wmic.exe
Token: SeProfSingleProcessPrivilege	740	wmic.exe
Token: SeIncBasePriorityPrivilege	740	wmic.exe
Token: SeCreatePagefilePrivilege	740	wmic.exe
Token: SeBackupPrivilege	740	wmic.exe
Token: SeRestorePrivilege	740	wmic.exe
Token: SeShutdownPrivilege	740	wmic.exe
Token: SeDebugPrivilege	740	wmic.exe
Token: SeSystemEnvironmentPrivilege	740	wmic.exe
Token: SeRemoteShutdownPrivilege	740	wmic.exe
Token: SeUndockPrivilege	740	wmic.exe
Token: SeManageVolumePrivilege	740	wmic.exe
Token: 33	740	wmic.exe
Token: 34	740	wmic.exe
Token: 35	740	wmic.exe
Token: SeIncreaseQuotaPrivilege	740	wmic.exe
Token: SeSecurityPrivilege	740	wmic.exe
Token: SeTakeOwnershipPrivilege	740	wmic.exe
Token: SeLoadDriverPrivilege	740	wmic.exe
Token: SeSystemProfilePrivilege	740	wmic.exe
Token: SeSystemtimePrivilege	740	wmic.exe
Token: SeProfSingleProcessPrivilege	740	wmic.exe
Token: SeIncBasePriorityPrivilege	740	wmic.exe
Token: SeCreatePagefilePrivilege	740	wmic.exe
Token: SeBackupPrivilege	740	wmic.exe
Token: SeRestorePrivilege	740	wmic.exe
Token: SeShutdownPrivilege	740	wmic.exe
Token: SeDebugPrivilege	740	wmic.exe
Token: SeSystemEnvironmentPrivilege	740	wmic.exe
Token: SeRemoteShutdownPrivilege	740	wmic.exe
Token: SeUndockPrivilege	740	wmic.exe
Token: SeManageVolumePrivilege	740	wmic.exe
Token: 33	740	wmic.exe
Token: 34	740	wmic.exe
Token: 35	740	wmic.exe
Token: SeIncreaseQuotaPrivilege	936	wmic.exe
Token: SeSecurityPrivilege	936	wmic.exe
Token: SeTakeOwnershipPrivilege	936	wmic.exe
Token: SeLoadDriverPrivilege	936	wmic.exe
Token: SeSystemProfilePrivilege	936	wmic.exe
Token: SeSystemtimePrivilege	936	wmic.exe
Token: SeProfSingleProcessPrivilege	936	wmic.exe
Token: SeIncBasePriorityPrivilege	936	wmic.exe
Token: SeCreatePagefilePrivilege	936	wmic.exe
Token: SeBackupPrivilege	936	wmic.exe
Token: SeRestorePrivilege	936	wmic.exe
Token: SeShutdownPrivilege	936	wmic.exe
Token: SeDebugPrivilege	936	wmic.exe
Token: SeSystemEnvironmentPrivilege	936	wmic.exe
Token: SeRemoteShutdownPrivilege	936	wmic.exe
Token: SeUndockPrivilege	936	wmic.exe
Token: SeManageVolumePrivilege	936	wmic.exe
Token: 33	936	wmic.exe
Token: 34	936	wmic.exe
Token: 35	936	wmic.exe
Token: SeIncreaseQuotaPrivilege	936	wmic.exe
Token: SeSecurityPrivilege	936	wmic.exe
Token: SeTakeOwnershipPrivilege	936	wmic.exe
Token: SeLoadDriverPrivilege	936	wmic.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 740	2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	30
PID 2040 wrote to memory of 740	2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	30
PID 2040 wrote to memory of 740	2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	30
PID 2040 wrote to memory of 1808	2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	32
PID 2040 wrote to memory of 1808	2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	32
PID 2040 wrote to memory of 1808	2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	32
PID 2040 wrote to memory of 936	2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	33
PID 2040 wrote to memory of 936	2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	33
PID 2040 wrote to memory of 936	2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	33
PID 2040 wrote to memory of 1780	2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	34
PID 2040 wrote to memory of 1780	2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	34
PID 2040 wrote to memory of 1780	2040	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	34
PID 1780 wrote to memory of 1400	1780	updater10.exe	35
PID 1780 wrote to memory of 1400	1780	updater10.exe	35
PID 1780 wrote to memory of 1400	1780	updater10.exe	35
PID 1780 wrote to memory of 772	1780	updater10.exe	36
PID 1780 wrote to memory of 772	1780	updater10.exe	36
PID 1780 wrote to memory of 772	1780	updater10.exe	36
PID 1780 wrote to memory of 1052	1780	updater10.exe	37
PID 1780 wrote to memory of 1052	1780	updater10.exe	37
PID 1780 wrote to memory of 1052	1780	updater10.exe	37
PID 1780 wrote to memory of 860	1780	updater10.exe	38
PID 1780 wrote to memory of 860	1780	updater10.exe	38
PID 1780 wrote to memory of 860	1780	updater10.exe	38
PID 1780 wrote to memory of 1660	1780	updater10.exe	39
PID 1780 wrote to memory of 1660	1780	updater10.exe	39
PID 1780 wrote to memory of 1660	1780	updater10.exe	39
PID 1780 wrote to memory of 1676	1780	updater10.exe	41
PID 1780 wrote to memory of 1676	1780	updater10.exe	41
PID 1780 wrote to memory of 1676	1780	updater10.exe	41
PID 1780 wrote to memory of 440	1780	updater10.exe	42
PID 1780 wrote to memory of 440	1780	updater10.exe	42
PID 1780 wrote to memory of 440	1780	updater10.exe	42
PID 1780 wrote to memory of 280	1780	updater10.exe	43
PID 1780 wrote to memory of 280	1780	updater10.exe	43
PID 1780 wrote to memory of 280	1780	updater10.exe	43
PID 1780 wrote to memory of 1764	1780	updater10.exe	44
PID 1780 wrote to memory of 1764	1780	updater10.exe	44
PID 1780 wrote to memory of 1764	1780	updater10.exe	44
PID 1764 wrote to memory of 1156	1764	net.exe	45
PID 1764 wrote to memory of 1156	1764	net.exe	45
PID 1764 wrote to memory of 1156	1764	net.exe	45
PID 1780 wrote to memory of 1400	1780	updater10.exe	46
PID 1780 wrote to memory of 1400	1780	updater10.exe	46
PID 1780 wrote to memory of 1400	1780	updater10.exe	46
PID 1780 wrote to memory of 1016	1780	updater10.exe	47
PID 1780 wrote to memory of 1016	1780	updater10.exe	47
PID 1780 wrote to memory of 1016	1780	updater10.exe	47

C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
"C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\System32\Wbem\wmic.exe
  wmic process get Caption,ParentProcessId,ProcessId
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe ver
  2⤵
  PID:1808
- C:\Windows\System32\Wbem\wmic.exe
  wmic process get Caption,ParentProcessId,ProcessId
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
  "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\System32\Wbem\wmic.exe
    wmic process get Caption,ParentProcessId,ProcessId
    3⤵
    PID:1400
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe ver
    3⤵
    PID:772
- - C:\Windows\System32\Wbem\wmic.exe
    wmic process get Caption,ParentProcessId,ProcessId
    3⤵
    PID:1052
- - C:\Users\Admin\AppData\Local\Temp\008100038.exe
    C:\Users\Admin\AppData\Local\Temp\008100038.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:860
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1660
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1676
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:440
- - C:\Windows\system32\net.exe
    net view /all domain
    3⤵
    - Discovers systems in the same network
    PID:280
- - C:\Windows\system32\net.exe
    net users /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 users /domain
      4⤵
      PID:1156
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts
    3⤵
    PID:1400
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads