klingon | 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611

Analysis

max time kernel
146s
max time network
161s
platform
windows10_x64
resource
win10v20210410
submitted
18-06-2021 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
Size

7.8MB
MD5

8d44ccac6b5512a416339984ad664d79
SHA1

6152e1a374fd572d25fab8baae9d1b12116a7c35
SHA256

44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611
SHA512

c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7

Score

10^/10

klingon persistence trojan

Malware Config

Signatures

Klingon
Klingon is a remote access trojan written in Golang with various capabilities.
trojan klingon

Klingon RAT Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab88-118.dat	family_klingon
behavioral2/files/0x000100000001ab88-119.dat	family_klingon

Executes dropped EXE 2 IoCs

pid	Process
4056	updater10.exe
512	546738843.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -1 -0"	updater10.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	api.ipify.org
8	api.ipify.org
13	api.ipify.org

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

pid	Process
1424	net.exe
1580	net.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1260	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
580	systeminfo.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	updater10.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	updater10.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	updater10.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
512	546738843.exe
512	546738843.exe
512	546738843.exe
512	546738843.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5068	wmic.exe
Token: SeSecurityPrivilege	5068	wmic.exe
Token: SeTakeOwnershipPrivilege	5068	wmic.exe
Token: SeLoadDriverPrivilege	5068	wmic.exe
Token: SeSystemProfilePrivilege	5068	wmic.exe
Token: SeSystemtimePrivilege	5068	wmic.exe
Token: SeProfSingleProcessPrivilege	5068	wmic.exe
Token: SeIncBasePriorityPrivilege	5068	wmic.exe
Token: SeCreatePagefilePrivilege	5068	wmic.exe
Token: SeBackupPrivilege	5068	wmic.exe
Token: SeRestorePrivilege	5068	wmic.exe
Token: SeShutdownPrivilege	5068	wmic.exe
Token: SeDebugPrivilege	5068	wmic.exe
Token: SeSystemEnvironmentPrivilege	5068	wmic.exe
Token: SeRemoteShutdownPrivilege	5068	wmic.exe
Token: SeUndockPrivilege	5068	wmic.exe
Token: SeManageVolumePrivilege	5068	wmic.exe
Token: 33	5068	wmic.exe
Token: 34	5068	wmic.exe
Token: 35	5068	wmic.exe
Token: 36	5068	wmic.exe
Token: SeIncreaseQuotaPrivilege	5068	wmic.exe
Token: SeSecurityPrivilege	5068	wmic.exe
Token: SeTakeOwnershipPrivilege	5068	wmic.exe
Token: SeLoadDriverPrivilege	5068	wmic.exe
Token: SeSystemProfilePrivilege	5068	wmic.exe
Token: SeSystemtimePrivilege	5068	wmic.exe
Token: SeProfSingleProcessPrivilege	5068	wmic.exe
Token: SeIncBasePriorityPrivilege	5068	wmic.exe
Token: SeCreatePagefilePrivilege	5068	wmic.exe
Token: SeBackupPrivilege	5068	wmic.exe
Token: SeRestorePrivilege	5068	wmic.exe
Token: SeShutdownPrivilege	5068	wmic.exe
Token: SeDebugPrivilege	5068	wmic.exe
Token: SeSystemEnvironmentPrivilege	5068	wmic.exe
Token: SeRemoteShutdownPrivilege	5068	wmic.exe
Token: SeUndockPrivilege	5068	wmic.exe
Token: SeManageVolumePrivilege	5068	wmic.exe
Token: 33	5068	wmic.exe
Token: 34	5068	wmic.exe
Token: 35	5068	wmic.exe
Token: 36	5068	wmic.exe
Token: SeIncreaseQuotaPrivilege	1012	wmic.exe
Token: SeSecurityPrivilege	1012	wmic.exe
Token: SeTakeOwnershipPrivilege	1012	wmic.exe
Token: SeLoadDriverPrivilege	1012	wmic.exe
Token: SeSystemProfilePrivilege	1012	wmic.exe
Token: SeSystemtimePrivilege	1012	wmic.exe
Token: SeProfSingleProcessPrivilege	1012	wmic.exe
Token: SeIncBasePriorityPrivilege	1012	wmic.exe
Token: SeCreatePagefilePrivilege	1012	wmic.exe
Token: SeBackupPrivilege	1012	wmic.exe
Token: SeRestorePrivilege	1012	wmic.exe
Token: SeShutdownPrivilege	1012	wmic.exe
Token: SeDebugPrivilege	1012	wmic.exe
Token: SeSystemEnvironmentPrivilege	1012	wmic.exe
Token: SeRemoteShutdownPrivilege	1012	wmic.exe
Token: SeUndockPrivilege	1012	wmic.exe
Token: SeManageVolumePrivilege	1012	wmic.exe
Token: 33	1012	wmic.exe
Token: 34	1012	wmic.exe
Token: 35	1012	wmic.exe
Token: 36	1012	wmic.exe
Token: SeIncreaseQuotaPrivilege	1012	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 5068	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	77
PID 4444 wrote to memory of 5068	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	77
PID 4444 wrote to memory of 3128	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	78
PID 4444 wrote to memory of 3128	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	78
PID 4444 wrote to memory of 1012	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	79
PID 4444 wrote to memory of 1012	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	79
PID 4444 wrote to memory of 4056	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	80
PID 4444 wrote to memory of 4056	4444	44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe	80
PID 4056 wrote to memory of 4040	4056	updater10.exe	81
PID 4056 wrote to memory of 4040	4056	updater10.exe	81
PID 4056 wrote to memory of 4112	4056	updater10.exe	82
PID 4056 wrote to memory of 4112	4056	updater10.exe	82
PID 4056 wrote to memory of 4088	4056	updater10.exe	83
PID 4056 wrote to memory of 4088	4056	updater10.exe	83
PID 4056 wrote to memory of 512	4056	updater10.exe	87
PID 4056 wrote to memory of 512	4056	updater10.exe	87
PID 4056 wrote to memory of 580	4056	updater10.exe	88
PID 4056 wrote to memory of 580	4056	updater10.exe	88
PID 4056 wrote to memory of 1260	4056	updater10.exe	90
PID 4056 wrote to memory of 1260	4056	updater10.exe	90
PID 4056 wrote to memory of 1424	4056	updater10.exe	91
PID 4056 wrote to memory of 1424	4056	updater10.exe	91
PID 4056 wrote to memory of 1580	4056	updater10.exe	92
PID 4056 wrote to memory of 1580	4056	updater10.exe	92
PID 4056 wrote to memory of 1896	4056	updater10.exe	93
PID 4056 wrote to memory of 1896	4056	updater10.exe	93
PID 1896 wrote to memory of 1812	1896	net.exe	94
PID 1896 wrote to memory of 1812	1896	net.exe	94
PID 4056 wrote to memory of 2144	4056	updater10.exe	95
PID 4056 wrote to memory of 2144	4056	updater10.exe	95
PID 4056 wrote to memory of 2268	4056	updater10.exe	96
PID 4056 wrote to memory of 2268	4056	updater10.exe	96

C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
"C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\System32\Wbem\wmic.exe
  wmic process get Caption,ParentProcessId,ProcessId
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe ver
  2⤵
  PID:3128
- C:\Windows\System32\Wbem\wmic.exe
  wmic process get Caption,ParentProcessId,ProcessId
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
  "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\System32\Wbem\wmic.exe
    wmic process get Caption,ParentProcessId,ProcessId
    3⤵
    PID:4040
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe ver
    3⤵
    PID:4112
- - C:\Windows\System32\Wbem\wmic.exe
    wmic process get Caption,ParentProcessId,ProcessId
    3⤵
    PID:4088
- - C:\Users\Admin\AppData\Local\Temp\546738843.exe
    C:\Users\Admin\AppData\Local\Temp\546738843.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:512
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:580
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1260
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:1424
- - C:\Windows\system32\net.exe
    net view /all domain
    3⤵
    - Discovers systems in the same network
    PID:1580
- - C:\Windows\system32\net.exe
    net users /domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 users /domain
      4⤵
      PID:1812
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts
    3⤵
    PID:2144
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads