Analysis

  • max time kernel
    146s
  • max time network
    161s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    18-06-2021 07:27

General

  • Target

    44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe

  • Size

    7.8MB

  • MD5

    8d44ccac6b5512a416339984ad664d79

  • SHA1

    6152e1a374fd572d25fab8baae9d1b12116a7c35

  • SHA256

    44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611

  • SHA512

    c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7

Malware Config

Signatures

  • Klingon

    Klingon is a remote access trojan written in Golang with various capabilities.

  • Klingon RAT Payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Discovers systems in the same network 1 TTPs 2 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
    "C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4444
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process get Caption,ParentProcessId,ProcessId
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5068
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe ver
      2⤵
      PID:3128
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process get Caption,ParentProcessId,ProcessId
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
    • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
      "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Windows\System32\Wbem\wmic.exe
        wmic process get Caption,ParentProcessId,ProcessId
        3⤵
        PID:4040
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe ver
        3⤵
        PID:4112
      • C:\Windows\System32\Wbem\wmic.exe
        wmic process get Caption,ParentProcessId,ProcessId
        3⤵
        PID:4088
      • C:\Users\Admin\AppData\Local\Temp\546738843.exe
        C:\Users\Admin\AppData\Local\Temp\546738843.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:512
      • C:\Windows\system32\systeminfo.exe
        systeminfo
        3⤵
        • Gathers system information
        PID:580
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:1260
      • C:\Windows\system32\net.exe
        net view /all
        3⤵
        • Discovers systems in the same network
        PID:1424
      • C:\Windows\system32\net.exe
        net view /all domain
        3⤵
        • Discovers systems in the same network
        PID:1580
      • C:\Windows\system32\net.exe
        net users /domain
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 users /domain
          4⤵
          PID:1812
      • C:\Windows\system32\nltest.exe
        nltest /domain_trusts
        3⤵
        PID:2144
      • C:\Windows\system32\nltest.exe
        nltest /domain_trusts /all_trusts
        3⤵
        PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Command-Line Interface  1  T1059
  • Persistence
    Registry Run Keys / Startup Folder  1  T1060
  • Defense Evasion
    Modify Registry  2  T1112
    Install Root Certificate  1  T1130
  • Discovery
    Remote System Discovery  1  T1018
    System Information Discovery  2  T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\546738843.exe
    MD5     39f71c609daddb77e4e6b747154b7381
    SHA1    4e0e7bd351597c9f363486ee233bedf9dac1bb64
    SHA256  ebca8c4d11a3e0c6977d9e47c8777436859888010ef40195470bf450441dd1f6
    SHA512  f628cb8cbe031ea2a7d11c99aab2da5bd1b382a75d633005cd1a7b945e64fc45c3280db23f1567256b4c2eb1b7f2bd2f4513fe8bbec6806296d1189edcd54b64

  • C:\Users\Admin\AppData\Local\Temp\Andrew.dmp
    MD5     23e2349661769b9df4d945411173fd85
    SHA1    8615ba66c5de96b954d91fd9e9e0879b2872f6bd
    SHA256  c7bcda3856feb4cafe2a52f290873f48f4f5cceeaa0f7eace812452540750776
    SHA512  2e3aae6cfc4c66d496bba31ab0c74f021b66fc0820fd81441e6721b54f18f0eb60f7a9b366e49c8be7e2eba12faa0cc79ec651c0ce1f72dec4e2eab396a76a5b

  • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
    MD5     8d44ccac6b5512a416339984ad664d79
    SHA1    6152e1a374fd572d25fab8baae9d1b12116a7c35
    SHA256  44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611
    SHA512  c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7

  • memory/512-123-0x0000000000000000-mapping.dmp
  • memory/580-125-0x0000000000000000-mapping.dmp
  • memory/1012-116-0x0000000000000000-mapping.dmp
  • memory/1260-128-0x0000000000000000-mapping.dmp
  • memory/1424-129-0x0000000000000000-mapping.dmp
  • memory/1580-130-0x0000000000000000-mapping.dmp
  • memory/1812-132-0x0000000000000000-mapping.dmp
  • memory/1896-131-0x0000000000000000-mapping.dmp
  • memory/2144-133-0x0000000000000000-mapping.dmp
  • memory/2268-134-0x0000000000000000-mapping.dmp
  • memory/3128-115-0x0000000000000000-mapping.dmp
  • memory/4040-120-0x0000000000000000-mapping.dmp
  • memory/4056-117-0x0000000000000000-mapping.dmp
  • memory/4088-122-0x0000000000000000-mapping.dmp
  • memory/4112-121-0x0000000000000000-mapping.dmp
  • memory/5068-114-0x0000000000000000-mapping.dmp