Analysis
-
max time kernel
99s -
max time network
102s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
12-11-2021 04:08
Static task
static1
Behavioral task
behavioral1
Sample
44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
Resource
win10-en-20211104
windows10_x64
0 signatures
0 seconds
General
-
Target
44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe
-
Size
7.8MB
-
MD5
8d44ccac6b5512a416339984ad664d79
-
SHA1
6152e1a374fd572d25fab8baae9d1b12116a7c35
-
SHA256
44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611
-
SHA512
c83ad02780dde7bb40390fe496ad4b14289b5d270518734409604e50674dcae44e99acc01bdafaef5a504dd608f976a475af11eae28aa762acbaf84fa89312d7
Score
10/10
Malware Config
Signatures
-
Klingon RAT Payload 2 IoCs
resource yara_rule behavioral2/files/0x000400000001abc1-122.dat family_klingon behavioral2/files/0x000400000001abc1-123.dat family_klingon -
Executes dropped EXE 1 IoCs
pid Process 4440 updater10.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -1 -0" updater10.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 api.ipify.org -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\4183903823\1195458082.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3068621934.pri taskmgr.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4204 wmic.exe Token: SeSecurityPrivilege 4204 wmic.exe Token: SeTakeOwnershipPrivilege 4204 wmic.exe Token: SeLoadDriverPrivilege 4204 wmic.exe Token: SeSystemProfilePrivilege 4204 wmic.exe Token: SeSystemtimePrivilege 4204 wmic.exe Token: SeProfSingleProcessPrivilege 4204 wmic.exe Token: SeIncBasePriorityPrivilege 4204 wmic.exe Token: SeCreatePagefilePrivilege 4204 wmic.exe Token: SeBackupPrivilege 4204 wmic.exe Token: SeRestorePrivilege 4204 wmic.exe Token: SeShutdownPrivilege 4204 wmic.exe Token: SeDebugPrivilege 4204 wmic.exe Token: SeSystemEnvironmentPrivilege 4204 wmic.exe Token: SeRemoteShutdownPrivilege 4204 wmic.exe Token: SeUndockPrivilege 4204 wmic.exe Token: SeManageVolumePrivilege 4204 wmic.exe Token: 33 4204 wmic.exe Token: 34 4204 wmic.exe Token: 35 4204 wmic.exe Token: 36 4204 wmic.exe Token: SeIncreaseQuotaPrivilege 4204 wmic.exe Token: SeSecurityPrivilege 4204 wmic.exe Token: SeTakeOwnershipPrivilege 4204 wmic.exe Token: SeLoadDriverPrivilege 4204 wmic.exe Token: SeSystemProfilePrivilege 4204 wmic.exe Token: SeSystemtimePrivilege 4204 wmic.exe Token: SeProfSingleProcessPrivilege 4204 wmic.exe Token: SeIncBasePriorityPrivilege 4204 wmic.exe Token: SeCreatePagefilePrivilege 4204 wmic.exe Token: SeBackupPrivilege 4204 wmic.exe Token: SeRestorePrivilege 4204 wmic.exe Token: SeShutdownPrivilege 4204 wmic.exe Token: SeDebugPrivilege 4204 wmic.exe Token: SeSystemEnvironmentPrivilege 4204 wmic.exe Token: SeRemoteShutdownPrivilege 4204 wmic.exe Token: SeUndockPrivilege 4204 wmic.exe Token: SeManageVolumePrivilege 4204 wmic.exe Token: 33 4204 wmic.exe Token: 34 4204 wmic.exe Token: 35 4204 wmic.exe Token: 36 4204 wmic.exe Token: SeIncreaseQuotaPrivilege 4224 wmic.exe Token: SeSecurityPrivilege 4224 wmic.exe Token: SeTakeOwnershipPrivilege 4224 wmic.exe Token: SeLoadDriverPrivilege 4224 wmic.exe Token: SeSystemProfilePrivilege 4224 wmic.exe Token: SeSystemtimePrivilege 4224 wmic.exe Token: SeProfSingleProcessPrivilege 4224 wmic.exe Token: SeIncBasePriorityPrivilege 4224 wmic.exe Token: SeCreatePagefilePrivilege 4224 wmic.exe Token: SeBackupPrivilege 4224 wmic.exe Token: SeRestorePrivilege 4224 wmic.exe Token: SeShutdownPrivilege 4224 wmic.exe Token: SeDebugPrivilege 4224 wmic.exe Token: SeSystemEnvironmentPrivilege 4224 wmic.exe Token: SeRemoteShutdownPrivilege 4224 wmic.exe Token: SeUndockPrivilege 4224 wmic.exe Token: SeManageVolumePrivilege 4224 wmic.exe Token: 33 4224 wmic.exe Token: 34 4224 wmic.exe Token: 35 4224 wmic.exe Token: 36 4224 wmic.exe Token: SeIncreaseQuotaPrivilege 4224 wmic.exe -
Suspicious use of FindShellTrayWindow 49 IoCs
pid Process 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe -
Suspicious use of SendNotifyMessage 49 IoCs
pid Process 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe 3136 taskmgr.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3580 wrote to memory of 4204 3580 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 69 PID 3580 wrote to memory of 4204 3580 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 69 PID 3580 wrote to memory of 4268 3580 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 71 PID 3580 wrote to memory of 4268 3580 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 71 PID 3580 wrote to memory of 4224 3580 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 72 PID 3580 wrote to memory of 4224 3580 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 72 PID 3580 wrote to memory of 4440 3580 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 73 PID 3580 wrote to memory of 4440 3580 44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe 73 PID 4440 wrote to memory of 4532 4440 updater10.exe 74 PID 4440 wrote to memory of 4532 4440 updater10.exe 74 PID 4440 wrote to memory of 768 4440 updater10.exe 75 PID 4440 wrote to memory of 768 4440 updater10.exe 75 PID 4440 wrote to memory of 628 4440 updater10.exe 76 PID 4440 wrote to memory of 628 4440 updater10.exe 76
Processes
-
C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe"C:\Users\Admin\AppData\Local\Temp\44237e2de44a533751c0baace09cf83293572ae7c51cb4575e7267be289c6611.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4204
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe ver2⤵PID:4268
-
-
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4224
-
-
C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId3⤵PID:4532
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe ver3⤵PID:768
-
-
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId3⤵PID:628
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3136