Analysis
-
max time kernel
146s -
max time network
161s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
18-06-2021 07:27
Static task
static1
Behavioral task
behavioral1
Sample
44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
Resource
win10v20210410
General
-
Target
44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
-
Size
7.8MB
-
MD5
8d44ccac6b5512a416339984ad664d79
-
SHA1
6152e1a374fd572d25fab8baae9d1b12116a7c35
-
SHA256
44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611
-
SHA512
c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7
Malware Config
Signatures
-
Klingon RAT Payload 2 IoCs
Processes:
resource yara_rule behavioral2/files/0x000100000001ab88-118.dat family_klingon behavioral2/files/0x000100000001ab88-119.dat family_klingon -
Executes dropped EXE 2 IoCs
Processes:
updater10.exe 546738843.exe pid Process 4056 updater10.exe 512 546738843.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
updater10.exe description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -1 -0" updater10.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 api.ipify.org 8 api.ipify.org 13 api.ipify.org -
Discovers systems in the same network 1 TTPs 2 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses a command-line utility to view the network configuration.
Processes:
ipconfig.exe pid Process 1260 ipconfig.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Processes:
updater10.exe description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 updater10.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 updater10.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 updater10.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
546738843.exe pid Process 512 546738843.exe 512 546738843.exe 512 546738843.exe 512 546738843.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exedescription pid Process Token: SeIncreaseQuotaPrivilege 5068 wmic.exe Token: SeSecurityPrivilege 5068 wmic.exe Token: SeTakeOwnershipPrivilege 5068 wmic.exe Token: SeLoadDriverPrivilege 5068 wmic.exe Token: SeSystemProfilePrivilege 5068 wmic.exe Token: SeSystemtimePrivilege 5068 wmic.exe Token: SeProfSingleProcessPrivilege 5068 wmic.exe Token: SeIncBasePriorityPrivilege 5068 wmic.exe Token: SeCreatePagefilePrivilege 5068 wmic.exe Token: SeBackupPrivilege 5068 wmic.exe Token: SeRestorePrivilege 5068 wmic.exe Token: SeShutdownPrivilege 5068 wmic.exe Token: SeDebugPrivilege 5068 wmic.exe Token: SeSystemEnvironmentPrivilege 5068 wmic.exe Token: SeRemoteShutdownPrivilege 5068 wmic.exe Token: SeUndockPrivilege 5068 wmic.exe Token: SeManageVolumePrivilege 5068 wmic.exe Token: 33 5068 wmic.exe Token: 34 5068 wmic.exe Token: 35 5068 wmic.exe Token: 36 5068 wmic.exe Token: SeIncreaseQuotaPrivilege 5068 wmic.exe Token: SeSecurityPrivilege 5068 wmic.exe Token: SeTakeOwnershipPrivilege 5068 wmic.exe Token: SeLoadDriverPrivilege 5068 wmic.exe Token: SeSystemProfilePrivilege 5068 wmic.exe Token: SeSystemtimePrivilege 5068 wmic.exe Token: SeProfSingleProcessPrivilege 5068 wmic.exe Token: SeIncBasePriorityPrivilege 5068 wmic.exe Token: SeCreatePagefilePrivilege 5068 wmic.exe Token: SeBackupPrivilege 5068 wmic.exe Token: SeRestorePrivilege 5068 wmic.exe Token: SeShutdownPrivilege 5068 wmic.exe Token: SeDebugPrivilege 5068 wmic.exe Token: SeSystemEnvironmentPrivilege 5068 wmic.exe Token: SeRemoteShutdownPrivilege 5068 wmic.exe Token: SeUndockPrivilege 5068 wmic.exe Token: SeManageVolumePrivilege 5068 wmic.exe Token: 33 5068 wmic.exe Token: 34 5068 wmic.exe Token: 35 5068 wmic.exe Token: 36 5068 wmic.exe Token: SeIncreaseQuotaPrivilege 1012 wmic.exe Token: SeSecurityPrivilege 1012 wmic.exe Token: SeTakeOwnershipPrivilege 1012 wmic.exe Token: SeLoadDriverPrivilege 1012 wmic.exe Token: SeSystemProfilePrivilege 1012 wmic.exe Token: SeSystemtimePrivilege 1012 wmic.exe 
Token: SeProfSingleProcessPrivilege 1012 wmic.exe Token: SeIncBasePriorityPrivilege 1012 wmic.exe Token: SeCreatePagefilePrivilege 1012 wmic.exe Token: SeBackupPrivilege 1012 wmic.exe Token: SeRestorePrivilege 1012 wmic.exe Token: SeShutdownPrivilege 1012 wmic.exe Token: SeDebugPrivilege 1012 wmic.exe Token: SeSystemEnvironmentPrivilege 1012 wmic.exe Token: SeRemoteShutdownPrivilege 1012 wmic.exe Token: SeUndockPrivilege 1012 wmic.exe Token: SeManageVolumePrivilege 1012 wmic.exe Token: 33 1012 wmic.exe Token: 34 1012 wmic.exe Token: 35 1012 wmic.exe Token: 36 1012 wmic.exe Token: SeIncreaseQuotaPrivilege 1012 wmic.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exeupdater10.exenet.exedescription pid Process procid_target PID 4444 wrote to memory of 5068 4444 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 77 PID 4444 wrote to memory of 5068 4444 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 77 PID 4444 wrote to memory of 3128 4444 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 78 PID 4444 wrote to memory of 3128 4444 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 78 PID 4444 wrote to memory of 1012 4444 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 79 PID 4444 wrote to memory of 1012 4444 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 79 PID 4444 wrote to memory of 4056 4444 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 80 PID 4444 wrote to memory of 4056 4444 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 80 PID 4056 wrote to memory of 4040 4056 updater10.exe 81 PID 4056 wrote to memory of 4040 4056 updater10.exe 81 PID 4056 wrote to memory of 4112 4056 updater10.exe 82 PID 4056 wrote to memory of 4112 4056 updater10.exe 82 PID 4056 wrote to memory of 4088 4056 updater10.exe 83 PID 4056 wrote to memory of 4088 4056 updater10.exe 83 PID 4056 wrote to memory of 512 4056 updater10.exe 87 PID 4056 wrote to memory of 512 4056 updater10.exe 87 PID 4056 wrote to memory of 580 4056 updater10.exe 88 PID 4056 wrote to memory of 580 4056 updater10.exe 88 PID 4056 wrote to memory of 1260 4056 updater10.exe 90 PID 4056 wrote to memory of 1260 4056 updater10.exe 90 PID 4056 wrote to memory of 1424 4056 updater10.exe 91 PID 4056 wrote to memory of 1424 4056 updater10.exe 91 PID 4056 wrote to memory of 1580 4056 updater10.exe 92 PID 4056 wrote to memory of 1580 4056 updater10.exe 92 PID 4056 wrote to memory of 1896 4056 updater10.exe 93 PID 4056 wrote to memory of 1896 4056 updater10.exe 93 PID 
1896 wrote to memory of 1812 1896 net.exe 94 PID 1896 wrote to memory of 1812 1896 net.exe 94 PID 4056 wrote to memory of 2144 4056 updater10.exe 95 PID 4056 wrote to memory of 2144 4056 updater10.exe 95 PID 4056 wrote to memory of 2268 4056 updater10.exe 96 PID 4056 wrote to memory of 2268 4056 updater10.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe "C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\System32\Wbem\wmic.exe wmic process get Caption,ParentProcessId,ProcessId 2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068
-
-
C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe ver 2⤵ PID:3128
-
-
C:\Windows\System32\Wbem\wmic.exe wmic process get Caption,ParentProcessId,ProcessId 2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012
-
-
C:\Users\Admin\AppData\Local\Windows Update\updater10.exe "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" 2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\System32\Wbem\wmic.exe wmic process get Caption,ParentProcessId,ProcessId 3⤵ PID:4040
-
-
C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe ver 3⤵ PID:4112
-
-
C:\Windows\System32\Wbem\wmic.exe wmic process get Caption,ParentProcessId,ProcessId 3⤵ PID:4088
-
-
C:\Users\Admin\AppData\Local\Temp\546738843.exe C:\Users\Admin\AppData\Local\Temp\546738843.exe 3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:512
-
-
C:\Windows\system32\systeminfo.exe systeminfo 3⤵
- Gathers system information
PID:580
-
-
C:\Windows\system32\ipconfig.exe ipconfig /all 3⤵
- Gathers network information
PID:1260
-
-
C:\Windows\system32\net.exe net view /all 3⤵
- Discovers systems in the same network
PID:1424
-
-
C:\Windows\system32\net.exe net view /all domain 3⤵
- Discovers systems in the same network
PID:1580
-
-
C:\Windows\system32\net.exe net users /domain 3⤵
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\system32\net1.exe C:\Windows\system32\net1 users /domain 4⤵ PID:1812
-
-
-
C:\Windows\system32\nltest.exe nltest /domain_trusts 3⤵ PID:2144
-
-
C:\Windows\system32\nltest.exe nltest /domain_trusts /all_trusts 3⤵ PID:2268
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Downloads
-
MD5
39f71c609daddb77e4e6b747154b7381
SHA1 4e0e7bd351597c9f363486ee233bedf9dac1bb64
SHA256 ebca8c4d11a3e0c6977d9e47c8777436859888010ef40195470bf450441dd1f6
SHA512 f628cb8cbe031ea2a7d11c99aab2da5bd1b382a75d633005cd1a7b945e64fc45c3280db23f1567256b4c2eb1b7f2bd2f4513fe8bbec6806296d1189edcd54b64
-
MD5
39f71c609daddb77e4e6b747154b7381
SHA1 4e0e7bd351597c9f363486ee233bedf9dac1bb64
SHA256 ebca8c4d11a3e0c6977d9e47c8777436859888010ef40195470bf450441dd1f6
SHA512 f628cb8cbe031ea2a7d11c99aab2da5bd1b382a75d633005cd1a7b945e64fc45c3280db23f1567256b4c2eb1b7f2bd2f4513fe8bbec6806296d1189edcd54b64
-
MD5
23e2349661769b9df4d945411173fd85
SHA1 8615ba66c5de96b954d91fd9e9e0879b2872f6bd
SHA256 c7bcda3856feb4cafe2a52f290873f48f4f5cceeaa0f7eace812452540750776
SHA512 2e3aae6cfc4c66d496bba31ab0c74f021b66fc0820fd81441e6721b54f18f0eb60f7a9b366e49c8be7e2eba12faa0cc79ec651c0ce1f72dec4e2eab396a76a5b
-
MD5
8d44ccac6b5512a416339984ad664d79
SHA1 6152e1a374fd572d25fab8baae9d1b12116a7c35
SHA256 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611
SHA512 c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7
-
MD5
8d44ccac6b5512a416339984ad664d79
SHA1 6152e1a374fd572d25fab8baae9d1b12116a7c35
SHA256 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611
SHA512 c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7