Analysis
  max time kernel:  130s
  max time network: 134s
  platform:         windows10_x64
  resource:         win10
  submitted:        19-07-2020 19:44
Static task: static1

Behavioral task: behavioral1
  Sample:   kins_2.0.11.0.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:   kins_2.0.11.0.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: kins_2.0.11.0.vir.exe
  Size:   595KB
  MD5:    c1784500884254d8f7659b545963ed3b
  SHA1:   84786ce781524f66f075d52f4700fd46f862c5d8
  SHA256: 0c780ce6cb4281a12cf329e18bdf36b987e34dd15379a4c2f6f8e03ba56e13be
  SHA512: 580d17052b98ca86d9a507f11cfaf9b445fea33e8aae38ee6820552ef3b35d5855b2ab2d5099ee1f344e7a0425d734d5a47703ee01fbabef9405d1b613b7bd41
  Score:  8/10
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    3864  ResizeSuspend.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    3864  ResizeSuspend.exe
    3864  ResizeSuspend.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                target process
    PID 3404 set thread context of 1836  3404  kins_2.0.11.0.vir.exe  cmd.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                 pid   process
    Token: SeSecurityPrivilege  3404  kins_2.0.11.0.vir.exe
    Token: SeSecurityPrivilege  3404  kins_2.0.11.0.vir.exe

Suspicious use of WriteProcessMemory (27 IoCs; identical entries collapsed, occurrence count in the last column)
  Processes:
    description                       pid   process                target process         count
    PID 3404 wrote to memory of 3864  3404  kins_2.0.11.0.vir.exe  ResizeSuspend.exe      3
    PID 3864 wrote to memory of 3852  3864  ResizeSuspend.exe      explorer.exe           9
    PID 3864 wrote to memory of 3404  3864  ResizeSuspend.exe      kins_2.0.11.0.vir.exe  6
    PID 3404 wrote to memory of 1836  3404  kins_2.0.11.0.vir.exe  cmd.exe                9
Processes (indentation shows process tree depth)

  [depth 1] C:\Users\Admin\AppData\Local\Temp\kins_2.0.11.0.vir.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\kins_2.0.11.0.vir.exe"
            Signatures:   Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\ResizeSuspend.exe
              Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\ResizeSuspend.exe"
              Signatures:   Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

      [depth 3] C:\Windows\SysWOW64\explorer.exe
                Command line: "C:\Windows\SysWOW64\explorer.exe"

    [depth 2] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpcc210f29.bat"

  [depth 1] C:\Program Files\Windows Mail\WinMail.exe
            Command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\ResizeSuspend.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\ResizeSuspend.exe
  memory/1836-4-0x00000000029A0000-0x00000000029CC000-memory.dmp  (Filesize: 176KB)
  memory/1836-5-0x00000000029A2BF2-mapping.dmp
  memory/3852-3-0x0000000000000000-mapping.dmp
  memory/3864-0-0x0000000000000000-mapping.dmp