Analysis

  • max time kernel
    146s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    18-06-2021 07:27

General

  • Target

    c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe

  • Size

    3.1MB

  • MD5

    14471a353788bb6cdb6071d0e0a83004

  • SHA1

    c90b5c534ce0d622547bc5b96075eb3d4212d660

  • SHA256

    c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349

  • SHA512

    57d2cc72d41fdcd2363b9dd56fedf75b99512c9aa50386c1595ae59aad70b8d19e264fe82224b446f5b1bbe9b470dc349582782ad061be34d47abd42016c37e8

Malware Config

Signatures

  • Klingon

    Klingon is a remote access trojan written in Golang with various capabilities.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
    "C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\system32\cmd.exe
      cmd /C start "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
        "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
        3⤵
        • Executes dropped EXE
        • Deletes itself
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4060
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe ver
          4⤵
          PID:3684
        • C:\Windows\system32\cmd.exe
          cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2104
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4040
        • C:\Windows\system32\cmd.exe
          cmd /C "wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'
            5⤵
            PID:1484
        • C:\Windows\system32\cmd.exe
          cmd /C "wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2268
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')
            5⤵
            PID:3784
        • C:\Windows\System32\Wbem\wmic.exe
          wmic process get Caption,ParentProcessId,ProcessId
          4⤵
          PID:1872
        • C:\Windows\system32\cmd.exe
          cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
            5⤵
            PID:4060

Network

  • DNS
    api.ipify.org
    updater10.exe
    Remote address:
    8.8.8.8:53
    Request
      api.ipify.org IN A
    Response
      api.ipify.org IN CNAME nagano-19599.herokussl.com
      nagano-19599.herokussl.com IN CNAME elb097307-934924932.us-east-1.elb.amazonaws.com
      elb097307-934924932.us-east-1.elb.amazonaws.com IN A 23.23.104.250
      elb097307-934924932.us-east-1.elb.amazonaws.com IN A 54.235.175.90
      elb097307-934924932.us-east-1.elb.amazonaws.com IN A 54.235.190.106
      elb097307-934924932.us-east-1.elb.amazonaws.com IN A 54.243.175.83
      elb097307-934924932.us-east-1.elb.amazonaws.com IN A 50.19.92.227
      elb097307-934924932.us-east-1.elb.amazonaws.com IN A 50.19.84.107
      elb097307-934924932.us-east-1.elb.amazonaws.com IN A 23.21.136.132
      elb097307-934924932.us-east-1.elb.amazonaws.com IN A 23.21.205.229
  • 23.23.104.250:443
    api.ipify.org
    tls
    updater10.exe
    1.1kB
    6.8kB
    13
    14
  • 94.177.123.134:9998
    updater10.exe
    156 B
    3
  • 94.177.123.134:9998
    updater10.exe
    156 B
    3
  • 94.177.123.134:9998
    updater10.exe
    156 B
    3
  • 94.177.123.134:9998
    updater10.exe
    156 B
    3
  • 94.177.123.134:9998
    updater10.exe
    156 B
    3
  • 94.177.123.134:9998
    updater10.exe
    104 B
    2
  • 8.8.8.8:53
    api.ipify.org
    dns
    updater10.exe
    59 B
    285 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    23.23.104.250
    54.235.175.90
    54.235.190.106
    54.243.175.83
    50.19.92.227
    50.19.84.107
    23.21.136.132
    23.21.205.229

MITRE ATT&CK Enterprise v6
