klingon | 29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22

Analysis

max time kernel
167s
max time network
209s
platform
windows7_x64
resource
win7-20220414-en
submitted
15-06-2022 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22.exe
Size

8.4MB
MD5

382e1fd1e08ca8b6c19b5a0792e23eee
SHA1

1d683f336635ccd7a29b473e8168ba62d3d24e45
SHA256

29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22
SHA512

4a701bb7ac9d56205cd2cb6372c73d328e36673fa1a120246f2aeceda3d42357339d9f4731e791f992baf9468e5516da75000bf1a471d07e8709bd5493a6bcb3

Score

10^/10

klingon persistence trojan

Malware Config

Signatures

Klingon
Klingon is a remote access trojan written in Golang with various capabilities.
trojan klingon

Klingon RAT Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001230f-55.dat	family_klingon
behavioral1/files/0x000a00000001230f-57.dat	family_klingon
behavioral1/files/0x000a00000001230f-56.dat	family_klingon
behavioral1/files/0x000a00000001230f-59.dat	family_klingon

Executes dropped EXE 1 IoCs

pid	Process
608	updater10.exe

Deletes itself 1 IoCs

pid	Process
608	updater10.exe

Loads dropped DLL 2 IoCs

pid	Process
956	cmd.exe
956	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -0 -0"	updater10.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -0 -0"	updater10.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1700	wmic.exe
Token: SeSecurityPrivilege	1700	wmic.exe
Token: SeTakeOwnershipPrivilege	1700	wmic.exe
Token: SeLoadDriverPrivilege	1700	wmic.exe
Token: SeSystemProfilePrivilege	1700	wmic.exe
Token: SeSystemtimePrivilege	1700	wmic.exe
Token: SeProfSingleProcessPrivilege	1700	wmic.exe
Token: SeIncBasePriorityPrivilege	1700	wmic.exe
Token: SeCreatePagefilePrivilege	1700	wmic.exe
Token: SeBackupPrivilege	1700	wmic.exe
Token: SeRestorePrivilege	1700	wmic.exe
Token: SeShutdownPrivilege	1700	wmic.exe
Token: SeDebugPrivilege	1700	wmic.exe
Token: SeSystemEnvironmentPrivilege	1700	wmic.exe
Token: SeRemoteShutdownPrivilege	1700	wmic.exe
Token: SeUndockPrivilege	1700	wmic.exe
Token: SeManageVolumePrivilege	1700	wmic.exe
Token: 33	1700	wmic.exe
Token: 34	1700	wmic.exe
Token: 35	1700	wmic.exe
Token: SeIncreaseQuotaPrivilege	1700	wmic.exe
Token: SeSecurityPrivilege	1700	wmic.exe
Token: SeTakeOwnershipPrivilege	1700	wmic.exe
Token: SeLoadDriverPrivilege	1700	wmic.exe
Token: SeSystemProfilePrivilege	1700	wmic.exe
Token: SeSystemtimePrivilege	1700	wmic.exe
Token: SeProfSingleProcessPrivilege	1700	wmic.exe
Token: SeIncBasePriorityPrivilege	1700	wmic.exe
Token: SeCreatePagefilePrivilege	1700	wmic.exe
Token: SeBackupPrivilege	1700	wmic.exe
Token: SeRestorePrivilege	1700	wmic.exe
Token: SeShutdownPrivilege	1700	wmic.exe
Token: SeDebugPrivilege	1700	wmic.exe
Token: SeSystemEnvironmentPrivilege	1700	wmic.exe
Token: SeRemoteShutdownPrivilege	1700	wmic.exe
Token: SeUndockPrivilege	1700	wmic.exe
Token: SeManageVolumePrivilege	1700	wmic.exe
Token: 33	1700	wmic.exe
Token: 34	1700	wmic.exe
Token: 35	1700	wmic.exe
Token: SeIncreaseQuotaPrivilege	1324	WMIC.exe
Token: SeSecurityPrivilege	1324	WMIC.exe
Token: SeTakeOwnershipPrivilege	1324	WMIC.exe
Token: SeLoadDriverPrivilege	1324	WMIC.exe
Token: SeSystemProfilePrivilege	1324	WMIC.exe
Token: SeSystemtimePrivilege	1324	WMIC.exe
Token: SeProfSingleProcessPrivilege	1324	WMIC.exe
Token: SeIncBasePriorityPrivilege	1324	WMIC.exe
Token: SeCreatePagefilePrivilege	1324	WMIC.exe
Token: SeBackupPrivilege	1324	WMIC.exe
Token: SeRestorePrivilege	1324	WMIC.exe
Token: SeShutdownPrivilege	1324	WMIC.exe
Token: SeDebugPrivilege	1324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1324	WMIC.exe
Token: SeRemoteShutdownPrivilege	1324	WMIC.exe
Token: SeUndockPrivilege	1324	WMIC.exe
Token: SeManageVolumePrivilege	1324	WMIC.exe
Token: 33	1324	WMIC.exe
Token: 34	1324	WMIC.exe
Token: 35	1324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1324	WMIC.exe
Token: SeSecurityPrivilege	1324	WMIC.exe
Token: SeTakeOwnershipPrivilege	1324	WMIC.exe
Token: SeLoadDriverPrivilege	1324	WMIC.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 956	1828	29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22.exe	28
PID 1828 wrote to memory of 956	1828	29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22.exe	28
PID 1828 wrote to memory of 956	1828	29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22.exe	28
PID 956 wrote to memory of 608	956	cmd.exe	30
PID 956 wrote to memory of 608	956	cmd.exe	30
PID 956 wrote to memory of 608	956	cmd.exe	30
PID 608 wrote to memory of 1700	608	updater10.exe	31
PID 608 wrote to memory of 1700	608	updater10.exe	31
PID 608 wrote to memory of 1700	608	updater10.exe	31
PID 608 wrote to memory of 1768	608	updater10.exe	34
PID 608 wrote to memory of 1768	608	updater10.exe	34
PID 608 wrote to memory of 1768	608	updater10.exe	34
PID 608 wrote to memory of 772	608	updater10.exe	36
PID 608 wrote to memory of 772	608	updater10.exe	36
PID 608 wrote to memory of 772	608	updater10.exe	36
PID 772 wrote to memory of 1324	772	cmd.exe	38
PID 772 wrote to memory of 1324	772	cmd.exe	38
PID 772 wrote to memory of 1324	772	cmd.exe	38
PID 608 wrote to memory of 944	608	updater10.exe	39
PID 608 wrote to memory of 944	608	updater10.exe	39
PID 608 wrote to memory of 944	608	updater10.exe	39
PID 944 wrote to memory of 1600	944	cmd.exe	41
PID 944 wrote to memory of 1600	944	cmd.exe	41
PID 944 wrote to memory of 1600	944	cmd.exe	41
PID 608 wrote to memory of 1648	608	updater10.exe	42
PID 608 wrote to memory of 1648	608	updater10.exe	42
PID 608 wrote to memory of 1648	608	updater10.exe	42
PID 1648 wrote to memory of 588	1648	cmd.exe	44
PID 1648 wrote to memory of 588	1648	cmd.exe	44
PID 1648 wrote to memory of 588	1648	cmd.exe	44
PID 608 wrote to memory of 1816	608	updater10.exe	45
PID 608 wrote to memory of 1816	608	updater10.exe	45
PID 608 wrote to memory of 1816	608	updater10.exe	45
PID 608 wrote to memory of 1204	608	updater10.exe	47
PID 608 wrote to memory of 1204	608	updater10.exe	47
PID 608 wrote to memory of 1204	608	updater10.exe	47
PID 1204 wrote to memory of 1260	1204	cmd.exe	49
PID 1204 wrote to memory of 1260	1204	cmd.exe	49
PID 1204 wrote to memory of 1260	1204	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22.exe
"C:\Users\Admin\AppData\Local\Temp\29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\system32\cmd.exe
  cmd /C start "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22.exe\"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
    "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22.exe\"
    3⤵
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:608
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic process get Caption,ParentProcessId,ProcessId
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1700
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe ver
      4⤵
      PID:1768
  - - C:\Windows\system32\cmd.exe
      cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
  - - C:\Windows\system32\cmd.exe
      cmd /C "wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'
        5⤵
        
        PID:1600
  - - C:\Windows\system32\cmd.exe
      cmd /C "wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')
        5⤵
        
        PID:588
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic process get Caption,ParentProcessId,ProcessId
      4⤵
      PID:1816
  - - C:\Windows\system32\cmd.exe
      cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
        5⤵
        
        PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Windows Update\updater10.exe

Filesize
8.4MB

MD5
382e1fd1e08ca8b6c19b5a0792e23eee

SHA1
1d683f336635ccd7a29b473e8168ba62d3d24e45

SHA256
29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22

SHA512
4a701bb7ac9d56205cd2cb6372c73d328e36673fa1a120246f2aeceda3d42357339d9f4731e791f992baf9468e5516da75000bf1a471d07e8709bd5493a6bcb3

Download Submit
C:\Users\Admin\AppData\Local\Windows Update\updater10.exe

Filesize
8.4MB

MD5
382e1fd1e08ca8b6c19b5a0792e23eee

SHA1
1d683f336635ccd7a29b473e8168ba62d3d24e45

SHA256
29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22

SHA512
4a701bb7ac9d56205cd2cb6372c73d328e36673fa1a120246f2aeceda3d42357339d9f4731e791f992baf9468e5516da75000bf1a471d07e8709bd5493a6bcb3

Download Submit
\Users\Admin\AppData\Local\Windows Update\updater10.exe

Filesize
8.4MB

MD5
382e1fd1e08ca8b6c19b5a0792e23eee

SHA1
1d683f336635ccd7a29b473e8168ba62d3d24e45

SHA256
29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22

SHA512
4a701bb7ac9d56205cd2cb6372c73d328e36673fa1a120246f2aeceda3d42357339d9f4731e791f992baf9468e5516da75000bf1a471d07e8709bd5493a6bcb3

Download Submit
\Users\Admin\AppData\Local\Windows Update\updater10.exe

Filesize
8.4MB

MD5
382e1fd1e08ca8b6c19b5a0792e23eee

SHA1
1d683f336635ccd7a29b473e8168ba62d3d24e45

SHA256
29cecf58ac96b5a5a7af77f49154d4abcdeac232758d968da6473c65eb1aff22

SHA512
4a701bb7ac9d56205cd2cb6372c73d328e36673fa1a120246f2aeceda3d42357339d9f4731e791f992baf9468e5516da75000bf1a471d07e8709bd5493a6bcb3

Download Submit