Analysis
-
max time kernel
132s -
max time network
144s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
18-06-2021 07:27
Static task
static1
Behavioral task
behavioral1
Sample
e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe
Resource
win10v20210408
General
-
Target
e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe
-
Size
7.8MB
-
MD5
39d550fd902ca4c1461961d01ad1aeb6
-
SHA1
cae1d0d39e4341c924c21509007852d093c57c91
-
SHA256
e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26
-
SHA512
9b30d65d00d2690a71c306a0f44d654db2b068449b43bac4d05c7d425ac52e091f7c2e8df7c5f1e7eabe5ada0e609bff4aa00dfcd7c03e4a6101c5e6f584c993
Malware Config
Signatures
-
Klingon RAT Payload 2 IoCs
Processes:
resource yara_rule behavioral2/files/0x000100000001ab43-118.dat family_klingon behavioral2/files/0x000100000001ab43-119.dat family_klingon -
Executes dropped EXE 1 IoCs
Processes:
updater10.exepid Process 1980 updater10.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
updater10.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -1 -0" updater10.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 api.ipify.org 6 api.ipify.org 7 api.ipify.org -
Processes:
updater10.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 updater10.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e updater10.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e updater10.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exedescription pid Process Token: SeIncreaseQuotaPrivilege 3976 wmic.exe Token: SeSecurityPrivilege 3976 wmic.exe Token: SeTakeOwnershipPrivilege 3976 wmic.exe Token: SeLoadDriverPrivilege 3976 wmic.exe Token: SeSystemProfilePrivilege 3976 wmic.exe Token: SeSystemtimePrivilege 3976 wmic.exe Token: SeProfSingleProcessPrivilege 3976 wmic.exe Token: SeIncBasePriorityPrivilege 3976 wmic.exe Token: SeCreatePagefilePrivilege 3976 wmic.exe Token: SeBackupPrivilege 3976 wmic.exe Token: SeRestorePrivilege 3976 wmic.exe Token: SeShutdownPrivilege 3976 wmic.exe Token: SeDebugPrivilege 3976 wmic.exe Token: SeSystemEnvironmentPrivilege 3976 wmic.exe Token: SeRemoteShutdownPrivilege 3976 wmic.exe Token: SeUndockPrivilege 3976 wmic.exe Token: SeManageVolumePrivilege 3976 wmic.exe Token: 33 3976 wmic.exe Token: 34 3976 wmic.exe Token: 35 3976 wmic.exe Token: 36 3976 wmic.exe Token: SeIncreaseQuotaPrivilege 3976 wmic.exe Token: SeSecurityPrivilege 3976 wmic.exe Token: SeTakeOwnershipPrivilege 3976 wmic.exe Token: SeLoadDriverPrivilege 3976 wmic.exe Token: SeSystemProfilePrivilege 3976 wmic.exe Token: SeSystemtimePrivilege 3976 wmic.exe Token: SeProfSingleProcessPrivilege 3976 wmic.exe Token: SeIncBasePriorityPrivilege 3976 wmic.exe Token: SeCreatePagefilePrivilege 3976 wmic.exe Token: SeBackupPrivilege 3976 wmic.exe Token: SeRestorePrivilege 3976 wmic.exe Token: SeShutdownPrivilege 3976 wmic.exe Token: SeDebugPrivilege 3976 wmic.exe Token: SeSystemEnvironmentPrivilege 3976 wmic.exe Token: SeRemoteShutdownPrivilege 3976 wmic.exe Token: SeUndockPrivilege 3976 wmic.exe Token: SeManageVolumePrivilege 3976 wmic.exe Token: 33 3976 wmic.exe Token: 34 3976 wmic.exe Token: 35 3976 wmic.exe Token: 36 3976 wmic.exe Token: SeIncreaseQuotaPrivilege 188 wmic.exe Token: SeSecurityPrivilege 188 wmic.exe Token: SeTakeOwnershipPrivilege 188 wmic.exe Token: SeLoadDriverPrivilege 188 wmic.exe Token: SeSystemProfilePrivilege 188 wmic.exe Token: SeSystemtimePrivilege 188 wmic.exe Token: SeProfSingleProcessPrivilege 188 wmic.exe Token: SeIncBasePriorityPrivilege 188 wmic.exe Token: SeCreatePagefilePrivilege 188 wmic.exe Token: SeBackupPrivilege 188 wmic.exe Token: SeRestorePrivilege 188 wmic.exe Token: SeShutdownPrivilege 188 wmic.exe Token: SeDebugPrivilege 188 wmic.exe Token: SeSystemEnvironmentPrivilege 188 wmic.exe Token: SeRemoteShutdownPrivilege 188 wmic.exe Token: SeUndockPrivilege 188 wmic.exe Token: SeManageVolumePrivilege 188 wmic.exe Token: 33 188 wmic.exe Token: 34 188 wmic.exe Token: 35 188 wmic.exe Token: 36 188 wmic.exe Token: SeIncreaseQuotaPrivilege 188 wmic.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exeupdater10.exedescription pid Process procid_target PID 516 wrote to memory of 3976 516 e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe 75 PID 516 wrote to memory of 3976 516 e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe 75 PID 516 wrote to memory of 4012 516 e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe 76 PID 516 wrote to memory of 4012 516 e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe 76 PID 516 wrote to memory of 188 516 e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe 78 PID 516 wrote to memory of 188 516 e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe 78 PID 516 wrote to memory of 1980 516 e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe 79 PID 516 wrote to memory of 1980 516 e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe 79 PID 1980 wrote to memory of 2656 1980 updater10.exe 80 PID 1980 wrote to memory of 2656 1980 updater10.exe 80 PID 1980 wrote to memory of 1356 1980 updater10.exe 81 PID 1980 wrote to memory of 1356 1980 updater10.exe 81 PID 1980 wrote to memory of 2040 1980 updater10.exe 82 PID 1980 wrote to memory of 2040 1980 updater10.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe"C:\Users\Admin\AppData\Local\Temp\e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe ver2⤵PID:4012
-
-
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId2⤵
- Suspicious use of AdjustPrivilegeToken
PID:188
-
-
C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId3⤵PID:2656
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe ver3⤵PID:1356
-
-
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId3⤵PID:2040
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
39d550fd902ca4c1461961d01ad1aeb6
SHA1cae1d0d39e4341c924c21509007852d093c57c91
SHA256e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26
SHA5129b30d65d00d2690a71c306a0f44d654db2b068449b43bac4d05c7d425ac52e091f7c2e8df7c5f1e7eabe5ada0e609bff4aa00dfcd7c03e4a6101c5e6f584c993
-
MD5
39d550fd902ca4c1461961d01ad1aeb6
SHA1cae1d0d39e4341c924c21509007852d093c57c91
SHA256e8eea442e148c81f116de31b4fc3d0aa725c5dbbbd840b446a3fb9793d0b9f26
SHA5129b30d65d00d2690a71c306a0f44d654db2b068449b43bac4d05c7d425ac52e091f7c2e8df7c5f1e7eabe5ada0e609bff4aa00dfcd7c03e4a6101c5e6f584c993