Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:44
Static task: static1
Behavioral task: behavioral1 (Sample: kins_2.0.11.0.vir.exe, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: kins_2.0.11.0.vir.exe, Resource: win10)
General
- Target: kins_2.0.11.0.vir.exe
- Size: 595KB
- MD5: c1784500884254d8f7659b545963ed3b
- SHA1: 84786ce781524f66f075d52f4700fd46f862c5d8
- SHA256: 0c780ce6cb4281a12cf329e18bdf36b987e34dd15379a4c2f6f8e03ba56e13be
- SHA512: 580d17052b98ca86d9a507f11cfaf9b445fea33e8aae38ee6820552ef3b35d5855b2ab2d5099ee1f344e7a0425d734d5a47703ee01fbabef9405d1b613b7bd41
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: pid 1636 cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- NTFS ADS (1 IoC)
  Processes: File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\562F42FD-00000001.eml:OECustomProperty by WinMail.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeSecurityPrivilege, pid 1516 kins_2.0.11.0.vir.exe
    Token: SeSecurityPrivilege, pid 1516 kins_2.0.11.0.vir.exe
    Token: SeManageVolumePrivilege, pid 1792 WinMail.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (source pid/process -> target pid/process, number of events):
    1516 kins_2.0.11.0.vir.exe -> 480 SplitDismount.exe (4)
    480 SplitDismount.exe -> 1620 explorer.exe (10)
    480 SplitDismount.exe -> 1516 kins_2.0.11.0.vir.exe (6)
    1516 kins_2.0.11.0.vir.exe -> 1636 cmd.exe (10)
    1620 explorer.exe -> 1200 Explorer.EXE (3)
- Executes dropped EXE (1 IoC)
  Processes: pid 480 SplitDismount.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: pid 1792 WinMail.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: pid 1516 kins_2.0.11.0.vir.exe set thread context of pid 1636 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 1516 kins_2.0.11.0.vir.exe (2)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: pid 480 SplitDismount.exe (2)
- Checks whether UAC is enabled
  Processes: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by explorer.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run by explorer.exe
- Modifies system certificate store
  Processes:
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118 by explorer.exe
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = [blob data elided from the report] by explorer.exe (2)
Processes (tree; indentation shows parent/child depth)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\kins_2.0.11.0.vir.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kins_2.0.11.0.vir.exe"
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext; Loads dropped DLL
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\SplitDismount.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\SplitDismount.exe"
      Signatures: Suspicious use of WriteProcessMemory; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\explorer.exe
        Command line: "C:\Windows\SysWOW64\explorer.exe"
        Signatures: Suspicious use of WriteProcessMemory; Checks whether UAC is enabled; Adds Run key to start application; Modifies system certificate store
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp04bb7461.bat"
      Signatures: Deletes itself
- C:\Program Files\Windows Mail\WinMail.exe
  Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  Signatures: NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- C:\Users\Admin\AppData\Local\Temp\tmp04bb7461.bat
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\SplitDismount.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\SplitDismount.exe
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\SplitDismount.exe
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\SplitDismount.exe
- memory/480-2-0x0000000000000000-mapping.dmp
- memory/1620-5-0x0000000000000000-mapping.dmp
- memory/1636-26-0x0000000000052BF2-mapping.dmp
- memory/1636-25-0x0000000000050000-0x000000000007C000-memory.dmp (Filesize: 176KB)
- memory/1792-23-0x0000000003DF0000-0x0000000003DF2000-memory.dmp (Filesize: 8KB)
- memory/1792-28-0x0000000004AE0000-0x0000000004AE2000-memory.dmp (Filesize: 8KB)
- memory/1792-17-0x0000000003AF0000-0x0000000003AF2000-memory.dmp (Filesize: 8KB)
- memory/1792-18-0x0000000003AE0000-0x0000000003AE2000-memory.dmp (Filesize: 8KB)
- memory/1792-19-0x0000000003E40000-0x0000000003E42000-memory.dmp (Filesize: 8KB)
- memory/1792-20-0x0000000003AF0000-0x0000000003AF2000-memory.dmp (Filesize: 8KB)
- memory/1792-21-0x0000000003CD0000-0x0000000003CD2000-memory.dmp (Filesize: 8KB)
- memory/1792-22-0x0000000003DF0000-0x0000000003DF2000-memory.dmp (Filesize: 8KB)
- memory/1792-12-0x00000000039B0000-0x0000000003AB0000-memory.dmp (Filesize: 1024KB)
- memory/1792-24-0x0000000003CD0000-0x0000000003CD2000-memory.dmp (Filesize: 8KB)
- memory/1792-11-0x00000000038B0000-0x0000000003AB0000-memory.dmp (Filesize: 2.0MB)
- memory/1792-10-0x00000000038B0000-0x00000000039B0000-memory.dmp (Filesize: 1024KB)
- memory/1792-8-0x00000000038B0000-0x0000000003AB0000-memory.dmp (Filesize: 2.0MB)
- memory/1792-16-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (Filesize: 8KB)
- memory/1792-29-0x0000000004AD0000-0x0000000004AD2000-memory.dmp (Filesize: 8KB)
- memory/1792-30-0x0000000004AC0000-0x0000000004AC2000-memory.dmp (Filesize: 8KB)
- memory/1792-31-0x0000000004AB0000-0x0000000004AB2000-memory.dmp (Filesize: 8KB)
- memory/1792-32-0x0000000004430000-0x0000000004432000-memory.dmp (Filesize: 8KB)
- memory/1792-33-0x0000000004420000-0x0000000004422000-memory.dmp (Filesize: 8KB)
- memory/1792-34-0x0000000004410000-0x0000000004412000-memory.dmp (Filesize: 8KB)
- memory/1792-35-0x0000000004400000-0x0000000004402000-memory.dmp (Filesize: 8KB)
- memory/1792-36-0x00000000043D0000-0x00000000043D2000-memory.dmp (Filesize: 8KB)
- memory/1792-37-0x00000000043F0000-0x00000000043F2000-memory.dmp (Filesize: 8KB)
- memory/1792-38-0x0000000004330000-0x0000000004332000-memory.dmp (Filesize: 8KB)
- memory/1792-39-0x0000000004320000-0x0000000004322000-memory.dmp (Filesize: 8KB)
- memory/1792-40-0x0000000004310000-0x0000000004312000-memory.dmp (Filesize: 8KB)
- memory/1792-6-0x00000000038B0000-0x00000000039B0000-memory.dmp (Filesize: 1024KB)