Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    18-06-2021 07:27

General

  • Target

    c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe

  • Size

    3.1MB

  • MD5

    327090cbddf94fc901662f0e863ba0cb

  • SHA1

    fd357aad2d5529127d90757987a2c5ce88ea2a76

  • SHA256

    c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7

  • SHA512

    16b971fab6ed01c1f72982baa11e9c2e110093746b49daa9387c329718b27b7586090fc59014a4459f14078a568497b4f96ee05e1bb65a57bca27b20959595c6

Malware Config

Signatures

  • Klingon

    Klingon is a remote access trojan written in Golang with various capabilities.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe
    "C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process get Caption,ParentProcessId,ProcessId
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:492
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process get Caption,ParentProcessId,ProcessId
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2936
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process get Caption,ParentProcessId,ProcessId
      2⤵
      PID:684
    • C:\Windows\system32\cmd.exe
      cmd /C start "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe\"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
        "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe\"
        3⤵
        • Executes dropped EXE
        • Deletes itself
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          4⤵
          PID:3820
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          4⤵
          PID:3456
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe ver
          4⤵
          PID:2184
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          4⤵
          PID:196

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe

    MD5

    327090cbddf94fc901662f0e863ba0cb

    SHA1

    fd357aad2d5529127d90757987a2c5ce88ea2a76

    SHA256

    c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7

    SHA512

    16b971fab6ed01c1f72982baa11e9c2e110093746b49daa9387c329718b27b7586090fc59014a4459f14078a568497b4f96ee05e1bb65a57bca27b20959595c6

  • memory/196-124-0x0000000000000000-mapping.dmp

  • memory/492-114-0x0000000000000000-mapping.dmp

  • memory/684-116-0x0000000000000000-mapping.dmp

  • memory/1140-117-0x0000000000000000-mapping.dmp

  • memory/2184-123-0x0000000000000000-mapping.dmp

  • memory/2328-118-0x0000000000000000-mapping.dmp

  • memory/2936-115-0x0000000000000000-mapping.dmp

  • memory/3456-122-0x0000000000000000-mapping.dmp

  • memory/3820-121-0x0000000000000000-mapping.dmp