Analysis

  • max time kernel
    149s
  • max time network
    190s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    18-06-2021 07:27

General

  • Target

    c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe

  • Size

    3.1MB

  • MD5

    14471a353788bb6cdb6071d0e0a83004

  • SHA1

    c90b5c534ce0d622547bc5b96075eb3d4212d660

  • SHA256

    c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349

  • SHA512

    57d2cc72d41fdcd2363b9dd56fedf75b99512c9aa50386c1595ae59aad70b8d19e264fe82224b446f5b1bbe9b470dc349582782ad061be34d47abd42016c37e8

Malware Config

Signatures

  • Klingon

    Klingon is a remote access trojan written in Golang. In this run it copies itself (identical hashes) to C:\Users\Admin\AppData\Local\Windows Update\updater10.exe, deletes the original, persists through a Run key and a WMI permanent event subscription (the GuacBypassFilter / GuacBypassConsumer pair created via wmic in the process tree below), and queries a web service for the host's external IP address.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
    "C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\system32\cmd.exe
      cmd /C start "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
        "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
        3⤵
        • Executes dropped EXE
        • Deletes itself
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:776
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe ver
          4⤵
          PID:1764
        • C:\Windows\system32\cmd.exe
          cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1592
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2040
        • C:\Windows\system32\cmd.exe
          cmd /C "wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:988
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'
            5⤵
            PID:1424
        • C:\Windows\system32\cmd.exe
          cmd /C "wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1536
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')
            5⤵
            PID:948
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          4⤵
          PID:272
        • C:\Windows\system32\cmd.exe
          cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1984
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
            5⤵
            PID:1316
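The three wmic CREATE calls in the tree above (an __EventFilter, a CommandLineEventConsumer and a __FilterToConsumerBinding, all in root\subscription) build a WMI permanent event subscription: a reboot-surviving persistence mechanism that neither the "Adds Run key" signature nor the ATT&CK matrix on this page covers. What follows is an added example, not code from the report, the sandbox or the sample: a small Python checker that parses wmic CREATE command lines as they arrive in process-creation telemetry, rebuilds the filter/consumer/binding chain and flags the polling-timer filter, a consumer launched from a user-writable path, and a binding whose consumer reference matches no created consumer. The input is constructed (the WMIC.exe command lines copied from the tree, plus one benign wmic query); the regexes, the "user-writable" path list and the finding texts are my choices. Note that, as recorded above, the binding refers to 'GuacBypassConsomer' while the consumer was created as 'GuacBypassConsumer', so the checker must not assume the names line up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input (not from the sandbox): the WMIC.exe command lines
# recorded in the process tree above, as process-creation telemetry would deliver
# them, plus one ordinary wmic query that must not alert.
SAMPLE_CMDLINES = [
    r"""wmic process get Caption,ParentProcessId,ProcessId""",
    r"""wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''""",
    r"""wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'""",
    r"""wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')""",
]

# wmic /namespace:'<ns>' PATH <class> CREATE Key='value', Key='value', ...
WMIC_CREATE = re.compile(
    r"^wmic(?:\.exe)?\s+/namespace:'(?P<ns>[^']+)'\s+PATH\s+(?P<cls>\w+)\s+CREATE\s+(?P<args>.+)$",
    re.IGNORECASE,
)
# Object reference as written inside a __FilterToConsumerBinding: Class.Name='x'
OBJ_REF = re.compile(r"^(\w+)\.Name='([^']*)'$")
# The well-known "timer" filter: poll a perf counter every N seconds, fire on change.
TIMER_FILTER = re.compile(
    r"__InstanceModificationEvent\s+WITHIN\s+(\d+)\s+WHERE\s+TargetInstance\s+ISA\s+"
    r"'Win32_PerfFormattedData_PerfOS_System'",
    re.IGNORECASE,
)
# Locations a standard user can write to (my list; extend for your environment).
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp)\\", re.IGNORECASE)


def parse_create_args(args):
    """Split wmic's Key='value', Key='value' list into a dict.

    Values may contain their own quoted text (WQL strings, object references), so
    boundaries are found by locating the next Key=' rather than by matching quotes.
    """
    keys = list(re.finditer(r"(?:^|,\s*)(\w+)='", args))
    out = {}
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(args)
        val = args[start:end].rstrip(") ")  # wmic's trailing ')' as seen in the report
        if val.endswith("'"):
            val = val[:-1]  # drop only the closing quote of this value
        out[m.group(1)] = val
    return out


@dataclass
class SubscriptionChain:
    filters: dict = field(default_factory=dict)    # filter name -> WQL query
    consumers: dict = field(default_factory=dict)  # consumer name -> command template
    bindings: list = field(default_factory=list)   # (filter name, consumer name)
    findings: list = field(default_factory=list)   # human-readable alerts


def analyze(cmdlines):
    """Rebuild the filter -> consumer -> binding chain from wmic command lines."""
    chain = SubscriptionChain()
    for line in cmdlines:
        m = WMIC_CREATE.match(line.strip())
        if not m or m.group("ns").lstrip("\\").lower() != "root\\subscription":
            continue  # ordinary wmic use (e.g. a process listing), not a subscription write
        cls, kv = m.group("cls").lower(), parse_create_args(m.group("args"))
        name = kv.get("Name", "")
        if cls == "__eventfilter":
            chain.filters[name] = kv.get("Query", "")
            t = TIMER_FILTER.search(chain.filters[name])
            if t:
                chain.findings.append(
                    f"filter {name!r} is a polling timer: the bound consumer will run every ~{t.group(1)}s")
        elif cls == "commandlineeventconsumer":
            cmd = kv.get("CommandLineTemplate") or kv.get("ExecutablePath", "")
            chain.consumers[name] = cmd
            if USER_WRITABLE.search(cmd):
                chain.findings.append(
                    f"consumer {name!r} launches a binary from a user-writable path: {cmd}")
        elif cls == "__filtertoconsumerbinding":
            refs = []
            for key in ("Filter", "Consumer"):
                r = OBJ_REF.match(kv.get(key, ""))
                refs.append(r.group(2) if r else kv.get(key, ""))
            fname, cname = refs
            chain.bindings.append((fname, cname))
            if fname not in chain.filters:
                chain.findings.append(f"binding references filter {fname!r}, never created in this log")
            if cname not in chain.consumers:
                chain.findings.append(
                    f"binding references consumer {cname!r}, never created in this log "
                    f"(created: {sorted(chain.consumers)}); no consumer by that name exists, "
                    f"so this binding cannot launch anything as written")
    return chain


if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINES)
    for finding in result.findings:
        print("ALERT:", finding)
    print("bindings:", result.bindings)
```

Run as a script it prints the findings for the embedded sample; in production feed it the CommandLine field of Sysmon event 1 or Security event 4688 records. On a live host the same chain can be enumerated with Get-CimInstance -Namespace root/subscription against the __EventFilter, CommandLineEventConsumer and __FilterToConsumerBinding classes, and a match on any name or command template above is a strong indicator regardless of whether the binding was accepted.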

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence (1): Registry Run Keys / Startup Folder, T1060
  • Defense Evasion (1): Modify Registry, T1112

Downloads

  • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
    MD5

    14471a353788bb6cdb6071d0e0a83004

    SHA1

    c90b5c534ce0d622547bc5b96075eb3d4212d660

    SHA256

    c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349

    SHA512

    57d2cc72d41fdcd2363b9dd56fedf75b99512c9aa50386c1595ae59aad70b8d19e264fe82224b446f5b1bbe9b470dc349582782ad061be34d47abd42016c37e8

  • \Users\Admin\AppData\Local\Windows Update\updater10.exe
    MD5

    14471a353788bb6cdb6071d0e0a83004

    SHA1

    c90b5c534ce0d622547bc5b96075eb3d4212d660

    SHA256

    c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349

    SHA512

    57d2cc72d41fdcd2363b9dd56fedf75b99512c9aa50386c1595ae59aad70b8d19e264fe82224b446f5b1bbe9b470dc349582782ad061be34d47abd42016c37e8

  • memory/272-74-0x0000000000000000-mapping.dmp
  • memory/776-66-0x0000000000000000-mapping.dmp
  • memory/948-73-0x0000000000000000-mapping.dmp
  • memory/988-70-0x0000000000000000-mapping.dmp
  • memory/1316-76-0x0000000000000000-mapping.dmp
  • memory/1424-71-0x0000000000000000-mapping.dmp
  • memory/1536-72-0x0000000000000000-mapping.dmp
  • memory/1592-68-0x0000000000000000-mapping.dmp
  • memory/1764-67-0x0000000000000000-mapping.dmp
  • memory/1984-75-0x0000000000000000-mapping.dmp
  • memory/2028-60-0x0000000000000000-mapping.dmp
  • memory/2040-69-0x0000000000000000-mapping.dmp
  • memory/2044-64-0x0000000000000000-mapping.dmp