Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    18-06-2021 07:27

General

  • Target

    c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe

  • Size

    3.1MB

  • MD5

    327090cbddf94fc901662f0e863ba0cb

  • SHA1

    fd357aad2d5529127d90757987a2c5ce88ea2a76

  • SHA256

    c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7

  • SHA512

    16b971fab6ed01c1f72982baa11e9c2e110093746b49daa9387c329718b27b7586090fc59014a4459f14078a568497b4f96ee05e1bb65a57bca27b20959595c6

Malware Config

Signatures

  • Klingon

    Klingon is a remote access trojan written in Golang with various capabilities.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Deletes itself (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (27 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe
    "C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe"
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process get Caption,ParentProcessId,ProcessId
      • Suspicious use of AdjustPrivilegeToken
      PID:1384
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process get Caption,ParentProcessId,ProcessId
      • Suspicious use of AdjustPrivilegeToken
      PID:1400
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process get Caption,ParentProcessId,ProcessId
      PID:1732
    • C:\Windows\system32\cmd.exe
      cmd /C start "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe\"
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
        "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe\"
        • Executes dropped EXE
        • Deletes itself
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          PID:960
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          PID:1448
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe ver
          PID:296
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          PID:1204
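The tree above is a compact install chain: the sample enumerates processes through wmic, copies itself to a folder named "Windows Update" under the user's AppData, relaunches the copy via cmd /C start while passing its own original path as an argument, and the copy then deletes the original and sets a Run key. The Python below is an added example, not part of this report or of the sample, that turns those observations into detection logic and runs it over constructed Sysmon Event ID 1 style records. The PIDs, image paths and command lines of the chain are taken from the tree; the explorer.exe parent, the benign control shell (PIDs 1500, 4000, 4010) and every hash for a system binary are constructed placeholders, and the field names are a simplified stand-in for real Sysmon fields.

```python
"""Detection logic for the relocate-and-relaunch chain in the process tree above.

Runs offline over constructed Sysmon Event ID 1 (process creation) style records.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_SHA256 = "c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7"
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe")
DROP_PATH = r"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WMIC_ENUM = "wmic process get Caption,ParentProcessId,ProcessId"


def placeholder_hash(image: str) -> str:
    """Constructed stand-in for a system binary's SHA256 (not a real file hash)."""
    return hashlib.sha256(image.lower().encode()).hexdigest()


def ev(pid: int, ppid: int, image: str, cmd: str, sha256: Optional[str] = None) -> Dict:
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd,
            "sha256": sha256 or placeholder_hash(image)}


EVENTS: List[Dict] = [
    # Constructed benign control: an interactive admin shell listing processes.
    ev(1500, 400, r"C:\Windows\explorer.exe", "explorer.exe"),
    ev(4000, 1500, CMD, "cmd.exe"),
    ev(4010, 4000, WMIC, "wmic process get Caption,ProcessId"),
    # The chain from the report (the parent of PID 1088 is a constructed explorer.exe).
    ev(1088, 1500, SAMPLE_PATH, f'"{SAMPLE_PATH}"', SAMPLE_SHA256),
    ev(1384, 1088, WMIC, WMIC_ENUM),
    ev(1400, 1088, WMIC, WMIC_ENUM),
    ev(1732, 1088, WMIC, WMIC_ENUM),
    ev(568, 1088, CMD,
       f'cmd /C start "{DROP_PATH}" "{DROP_PATH}" \\"-0\\" \\"-0\\" \\"-{SAMPLE_PATH}\\"'),
    ev(1688, 568, DROP_PATH, f'"{DROP_PATH}" \\"-0\\" \\"-0\\" \\"-{SAMPLE_PATH}\\"', SAMPLE_SHA256),
    ev(960, 1688, WMIC, WMIC_ENUM),
    ev(1448, 1688, WMIC, WMIC_ENUM),
    ev(296, 1688, CMD, f"{CMD} ver"),
    ev(1204, 1688, WMIC, WMIC_ENUM),
]

# Locations an unprivileged user can write to: code running from here is not the OS,
# whatever its folder is called.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.I)
# A "Windows Update" directory inside a user profile is a masquerade; the real update
# components live under C:\Windows.
UPDATE_MASQ = re.compile(r"\\Users\\[^\\]+\\AppData\\.*\\Windows Update\\", re.I)
WMIC_PROC_ENUM = re.compile(r"\bprocess\s+get\b.*\bParentProcessId\b", re.I)


def ancestors(e: Dict, by_pid: Dict[int, Dict], limit: int = 16) -> List[Dict]:
    """Walk the parent chain; bounded and cycle-safe because PIDs get reused."""
    chain, seen, cur = [], {e["pid"]}, e
    while len(chain) < limit:
        cur = by_pid.get(cur["ppid"])
        if cur is None or cur["pid"] in seen:
            break
        seen.add(cur["pid"])
        chain.append(cur)
    return chain


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        img, cmd, parent = e["image"], e["cmd"], by_pid.get(e["ppid"])
        low = img.lower()
        # R1: WMI process enumeration (Caption/ParentProcessId/ProcessId) whose parent
        # runs from a user-writable path.
        if (low.endswith(r"\wmic.exe") and WMIC_PROC_ENUM.search(cmd)
                and parent and USER_WRITABLE.match(parent["image"])):
            findings.append(("wmic_proc_enum_from_user_path", e["pid"]))
        # R2: binary executing from a "Windows Update" folder inside AppData.
        if UPDATE_MASQ.search(img):
            findings.append(("windows_update_masquerade", e["pid"]))
        # R3: cmd /C start <exe> ... where the arguments carry the parent's own image
        # path (the relocated copy is told where the original lives).
        if (low.endswith(r"\cmd.exe") and re.search(r"\bstart\b", cmd, re.I)
                and parent and parent["image"].lower() in cmd.lower()):
            findings.append(("relaunch_with_parent_path", e["pid"]))
        # R4: same file hash as an ancestor but a different path: a self-copy of the
        # original now running from its new location.
        if USER_WRITABLE.match(img) and any(
                a["sha256"] == e["sha256"] and a["image"].lower() != low
                for a in ancestors(e, by_pid)):
            findings.append(("same_hash_relocated_copy", e["pid"]))
    return findings


def flagged_pids(events: List[Dict]) -> Dict[int, List[str]]:
    """Group findings by PID so one process with several hits is easy to read."""
    out: Dict[int, List[str]] = {}
    for rule, pid in detect(events):
        out.setdefault(pid, []).append(rule)
    return out


if __name__ == "__main__":
    for pid, rules in sorted(flagged_pids(EVENTS).items()):
        print(pid, ", ".join(rules))
```

R1 and R4 deliberately key on the parent's or the process's own location rather than on the wmic command line alone: the same enumeration typed into an admin shell (PID 4010 in the constructed events) produces no hit, while the six wmic children of the sample and its copy do. R4 is the check that separates a self-copying installer from a genuine second stage: it fires only when the dropped file's hash equals an ancestor's, which is exactly what the Downloads section of this report shows for updater10.exe.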

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
  • \Users\Admin\AppData\Local\Windows Update\updater10.exe

    Each path was recorded twice during the run with identical hashes, and those hashes match the submitted sample in the General section exactly: updater10.exe is a byte-for-byte copy of the original executable relocated into the user profile, not a separately downloaded second stage.

    MD5

    327090cbddf94fc901662f0e863ba0cb

    SHA1

    fd357aad2d5529127d90757987a2c5ce88ea2a76

    SHA256

    c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7

    SHA512

    16b971fab6ed01c1f72982baa11e9c2e110093746b49daa9387c329718b27b7586090fc59014a4459f14078a568497b4f96ee05e1bb65a57bca27b20959595c6

  • memory/296-70-0x0000000000000000-mapping.dmp
  • memory/568-62-0x0000000000000000-mapping.dmp
  • memory/960-68-0x0000000000000000-mapping.dmp
  • memory/1204-71-0x0000000000000000-mapping.dmp
  • memory/1384-59-0x0000000000000000-mapping.dmp
  • memory/1400-60-0x0000000000000000-mapping.dmp
  • memory/1448-69-0x0000000000000000-mapping.dmp
  • memory/1688-66-0x0000000000000000-mapping.dmp
  • memory/1732-61-0x0000000000000000-mapping.dmp