Analysis

  • max time kernel
    132s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    18-06-2021 07:27

General

  • Target

    e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe

  • Size

    7.8MB

  • MD5

    39d550fd902ca4c1461961d01ad1aeb6

  • SHA1

    cae1d0d39e4341c924c21509007852d093c57c91

  • SHA256

    e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26

  • SHA512

    9b30d65d00d2690a71c306a0f44d654db2b068449b43bac4d05c7d425ac52e091f7c2e8df7c5f1e7eabe5ada0e609bff4aa00dfcd7c03e4a6101c5e6f584c993

Malware Config

Signatures

  • Klingon

    Klingon is a remote access trojan written in Golang with various capabilities.

  • Klingon RAT Payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe
    "C:\Users\Admin\AppData\Local\Temp\e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Windows\System32\Wbem\wmic.exe
      wmic process get Caption,ParentProcessId,ProcessId
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3976
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe ver
      2⤵
        PID:4012
      • C:\Windows\System32\Wbem\wmic.exe
        wmic process get Caption,ParentProcessId,ProcessId
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:188
      • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
        "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          3⤵
            PID:2656
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe ver
            3⤵
              PID:1356
            • C:\Windows\System32\Wbem\wmic.exe
              wmic process get Caption,ParentProcessId,ProcessId
              3⤵
                PID:2040

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe

            MD5

            39d550fd902ca4c1461961d01ad1aeb6

            SHA1

            cae1d0d39e4341c924c21509007852d093c57c91

            SHA256

            e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26

            SHA512

            9b30d65d00d2690a71c306a0f44d654db2b068449b43bac4d05c7d425ac52e091f7c2e8df7c5f1e7eabe5ada0e609bff4aa00dfcd7c03e4a6101c5e6f584c993

          • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe

            MD5

            39d550fd902ca4c1461961d01ad1aeb6

            SHA1

            cae1d0d39e4341c924c21509007852d093c57c91

            SHA256

            e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26

            SHA512

            9b30d65d00d2690a71c306a0f44d654db2b068449b43bac4d05c7d425ac52e091f7c2e8df7c5f1e7eabe5ada0e609bff4aa00dfcd7c03e4a6101c5e6f584c993

          • memory/188-116-0x0000000000000000-mapping.dmp

          • memory/1356-121-0x0000000000000000-mapping.dmp

          • memory/1980-117-0x0000000000000000-mapping.dmp

          • memory/2040-122-0x0000000000000000-mapping.dmp

          • memory/2656-120-0x0000000000000000-mapping.dmp

          • memory/3976-114-0x0000000000000000-mapping.dmp

          • memory/4012-115-0x0000000000000000-mapping.dmp