b19f6698a91cc818c14952c74e99db302c229d1f868d144f9344f83d9ecf6825

General

Target

kins_2.0.9.15.vir.exe
Size

203KB
MD5

3eaadae16c69e14384412a2ffd687217
SHA1

c4864e43a9d8e42a742d031e205eaa63dd7df77c
SHA256

b19f6698a91cc818c14952c74e99db302c229d1f868d144f9344f83d9ecf6825
SHA512

a08ff272db05c5dd896da24500fceaad7284cf1c5b0328aa293d740fb1c2fe122be9eb3b141801053fdbae370a0ef5e5011435c413b1f88cd56a6b838bc98b19

Score

8^/10

evasion persistence

Malware Config

Signatures

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1436 WinMail.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

kins_2.0.9.15.vir.exe

description pid process target process

PID 1164 set thread context of 1884 1164 kins_2.0.9.15.vir.exe cmd.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1884 cmd.exe

pid	process
1436	WinMail.exe

description	pid	process	target process
PID 1164 set thread context of 1884	1164	kins_2.0.9.15.vir.exe	cmd.exe

pid	process
1884	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

loas.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	loas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\loas.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Ciawib\\loas.exe"	loas.exe

Loads dropped DLL 1 IoCs

Processes:

kins_2.0.9.15.vir.exe

pid process

1164 kins_2.0.9.15.vir.exe

pid	process
1164	kins_2.0.9.15.vir.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

kins_2.0.9.15.vir.exeloas.exe

description	pid	process	target process
PID 1164 wrote to memory of 624	1164	kins_2.0.9.15.vir.exe	loas.exe
PID 1164 wrote to memory of 624	1164	kins_2.0.9.15.vir.exe	loas.exe
PID 1164 wrote to memory of 624	1164	kins_2.0.9.15.vir.exe	loas.exe
PID 1164 wrote to memory of 624	1164	kins_2.0.9.15.vir.exe	loas.exe
PID 624 wrote to memory of 1172	624	loas.exe	taskhost.exe
PID 624 wrote to memory of 1172	624	loas.exe	taskhost.exe
PID 624 wrote to memory of 1172	624	loas.exe	taskhost.exe
PID 624 wrote to memory of 1172	624	loas.exe	taskhost.exe
PID 624 wrote to memory of 1172	624	loas.exe	taskhost.exe
PID 624 wrote to memory of 1272	624	loas.exe	Dwm.exe
PID 624 wrote to memory of 1272	624	loas.exe	Dwm.exe
PID 624 wrote to memory of 1272	624	loas.exe	Dwm.exe
PID 624 wrote to memory of 1272	624	loas.exe	Dwm.exe
PID 624 wrote to memory of 1272	624	loas.exe	Dwm.exe
PID 624 wrote to memory of 1336	624	loas.exe	Explorer.EXE
PID 624 wrote to memory of 1336	624	loas.exe	Explorer.EXE
PID 624 wrote to memory of 1336	624	loas.exe	Explorer.EXE
PID 624 wrote to memory of 1336	624	loas.exe	Explorer.EXE
PID 624 wrote to memory of 1336	624	loas.exe	Explorer.EXE
PID 624 wrote to memory of 1164	624	loas.exe	kins_2.0.9.15.vir.exe
PID 624 wrote to memory of 1164	624	loas.exe	kins_2.0.9.15.vir.exe
PID 624 wrote to memory of 1164	624	loas.exe	kins_2.0.9.15.vir.exe
PID 624 wrote to memory of 1164	624	loas.exe	kins_2.0.9.15.vir.exe
PID 624 wrote to memory of 1164	624	loas.exe	kins_2.0.9.15.vir.exe
PID 1164 wrote to memory of 1884	1164	kins_2.0.9.15.vir.exe	cmd.exe
PID 1164 wrote to memory of 1884	1164	kins_2.0.9.15.vir.exe	cmd.exe
PID 1164 wrote to memory of 1884	1164	kins_2.0.9.15.vir.exe	cmd.exe
PID 1164 wrote to memory of 1884	1164	kins_2.0.9.15.vir.exe	cmd.exe
PID 1164 wrote to memory of 1884	1164	kins_2.0.9.15.vir.exe	cmd.exe
PID 1164 wrote to memory of 1884	1164	kins_2.0.9.15.vir.exe	cmd.exe
PID 1164 wrote to memory of 1884	1164	kins_2.0.9.15.vir.exe	cmd.exe
PID 1164 wrote to memory of 1884	1164	kins_2.0.9.15.vir.exe	cmd.exe
PID 1164 wrote to memory of 1884	1164	kins_2.0.9.15.vir.exe	cmd.exe
PID 624 wrote to memory of 300	624	loas.exe	DllHost.exe
PID 624 wrote to memory of 300	624	loas.exe	DllHost.exe
PID 624 wrote to memory of 300	624	loas.exe	DllHost.exe
PID 624 wrote to memory of 300	624	loas.exe	DllHost.exe
PID 624 wrote to memory of 300	624	loas.exe	DllHost.exe
PID 624 wrote to memory of 2036	624	loas.exe	DllHost.exe
PID 624 wrote to memory of 2036	624	loas.exe	DllHost.exe
PID 624 wrote to memory of 2036	624	loas.exe	DllHost.exe
PID 624 wrote to memory of 2036	624	loas.exe	DllHost.exe
PID 624 wrote to memory of 2036	624	loas.exe	DllHost.exe

Executes dropped EXE 1 IoCs

Processes:

loas.exe

pid process

624 loas.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1436 WinMail.exe

pid	process
1436	WinMail.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\746145BD-00000001.eml:OECustomProperty	WinMail.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kins_2.0.9.15.vir.exeWinMail.exe

description pid process

Token: SeSecurityPrivilege 1164 kins_2.0.9.15.vir.exe
Token: SeManageVolumePrivilege 1436 WinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1164	kins_2.0.9.15.vir.exe
Token: SeManageVolumePrivilege	1436	WinMail.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

loas.exe

pid	process
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe
624	loas.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1436 WinMail.exe

pid	process
1436	WinMail.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

kins_2.0.9.15.vir.exeloas.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE	kins_2.0.9.15.vir.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE	loas.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1172

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1272

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\kins_2.0.9.15.vir.exe
"C:\Users\Admin\AppData\Local\Temp\kins_2.0.9.15.vir.exe"
2⤵
- Suspicious use of SetThreadContext
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Identifies Wine through registry keys
PID:1164

C:\Users\Admin\AppData\Roaming\Ciawib\loas.exe
"C:\Users\Admin\AppData\Roaming\Ciawib\loas.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Identifies Wine through registry keys
PID:624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp28651f43.bat"
3⤵
- Deletes itself
PID:1884

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1436

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:300

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp28651f43.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Ciawib\loas.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ciawib\loas.exe

Download Submit
\Users\Admin\AppData\Roaming\Ciawib\loas.exe

Download Submit
memory/624-1-0x0000000000000000-mapping.dmp

Download
memory/1436-4-0x0000000003940000-0x0000000003A40000-memory.dmp

Filesize
1024KB

Download
memory/1436-6-0x0000000003940000-0x0000000003B40000-memory.dmp

Filesize
2.0MB

Download
memory/1436-8-0x0000000003940000-0x0000000003A40000-memory.dmp

Filesize
1024KB

Download
memory/1436-9-0x0000000003940000-0x0000000003B40000-memory.dmp

Filesize
2.0MB

Download
memory/1436-10-0x0000000003A40000-0x0000000003B40000-memory.dmp

Filesize
1024KB

Download
memory/1436-14-0x00000000024D0000-0x00000000024D2000-memory.dmp

Filesize
8KB

Download
memory/1436-15-0x00000000024F0000-0x00000000024F2000-memory.dmp

Filesize
8KB

Download
memory/1436-16-0x00000000024E0000-0x00000000024E2000-memory.dmp

Filesize
8KB

Download
memory/1436-17-0x0000000003CA0000-0x0000000003CA2000-memory.dmp

Filesize
8KB

Download
memory/1436-18-0x0000000003C80000-0x0000000003C82000-memory.dmp

Filesize
8KB

Download
memory/1436-19-0x00000000024D0000-0x00000000024D2000-memory.dmp

Filesize
8KB

Download
memory/1436-20-0x0000000003BB0000-0x0000000003BB2000-memory.dmp

Filesize
8KB

Download
memory/1436-21-0x0000000003C70000-0x0000000003C72000-memory.dmp

Filesize
8KB

Download
memory/1436-22-0x0000000003C60000-0x0000000003C62000-memory.dmp

Filesize
8KB

Download
memory/1436-23-0x0000000003B40000-0x0000000003B42000-memory.dmp

Filesize
8KB

Download
memory/1436-24-0x0000000003B40000-0x0000000003B42000-memory.dmp

Filesize
8KB

Download
memory/1436-25-0x0000000003CF0000-0x0000000003CF2000-memory.dmp

Filesize
8KB

Download
memory/1436-26-0x0000000003F90000-0x0000000003F92000-memory.dmp

Filesize
8KB

Download
memory/1436-27-0x0000000003C90000-0x0000000003C92000-memory.dmp

Filesize
8KB

Download
memory/1436-28-0x0000000003BB0000-0x0000000003BB2000-memory.dmp

Filesize
8KB

Download
memory/1436-29-0x0000000004120000-0x0000000004122000-memory.dmp

Filesize
8KB

Download
memory/1436-30-0x0000000004130000-0x0000000004132000-memory.dmp

Filesize
8KB

Download
memory/1436-31-0x0000000004140000-0x0000000004142000-memory.dmp

Filesize
8KB

Download
memory/1436-32-0x0000000004160000-0x0000000004162000-memory.dmp

Filesize
8KB

Download
memory/1436-33-0x00000000042C0000-0x00000000042C2000-memory.dmp

Filesize
8KB

Download
memory/1436-34-0x00000000042D0000-0x00000000042D2000-memory.dmp

Filesize
8KB

Download
memory/1436-35-0x0000000004360000-0x0000000004362000-memory.dmp

Filesize
8KB

Download
memory/1436-36-0x0000000004370000-0x0000000004372000-memory.dmp

Filesize
8KB

Download
memory/1436-37-0x0000000004380000-0x0000000004382000-memory.dmp

Filesize
8KB

Download
memory/1436-38-0x0000000004530000-0x0000000004532000-memory.dmp

Filesize
8KB

Download
memory/1436-39-0x0000000004540000-0x0000000004542000-memory.dmp

Filesize
8KB

Download
memory/1436-40-0x0000000004650000-0x0000000004652000-memory.dmp

Filesize
8KB

Download
memory/1436-41-0x0000000004660000-0x0000000004662000-memory.dmp

Filesize
8KB

Download
memory/1436-42-0x0000000003B60000-0x0000000003B62000-memory.dmp

Filesize
8KB

Download
memory/1436-43-0x0000000003BA0000-0x0000000003BA2000-memory.dmp

Filesize
8KB

Download
memory/1436-44-0x00000000043A0000-0x00000000043A2000-memory.dmp

Filesize
8KB

Download
memory/1436-45-0x00000000044F0000-0x00000000044F2000-memory.dmp

Filesize
8KB

Download
memory/1436-46-0x0000000004500000-0x0000000004502000-memory.dmp

Filesize
8KB

Download
memory/1436-47-0x00000000046B0000-0x00000000046B2000-memory.dmp

Filesize
8KB

Download
memory/1436-48-0x00000000046C0000-0x00000000046C2000-memory.dmp

Filesize
8KB

Download
memory/1436-49-0x0000000003940000-0x0000000003A40000-memory.dmp

Filesize
1024KB

Download
memory/1436-51-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/1436-57-0x0000000001FE0000-0x0000000001FF0000-memory.dmp

Filesize
64KB

Download
memory/1884-63-0x0000000000090000-0x00000000000C3000-memory.dmp

Filesize
204KB

Download
memory/1884-64-0x000000000009F15D-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads