74c975e466910e51d9a87fcffdc408e88df2aef3d8b0a9011faf70015966f013

General

Target

kins_1.0.0.1.vir.exe
Size

259KB
MD5

33b9dcf1237941fd90e28df9ca78c730
SHA1

9f40f20d5caa06a39db6448ba477742f58a6a959
SHA256

74c975e466910e51d9a87fcffdc408e88df2aef3d8b0a9011faf70015966f013
SHA512

463d83e7f175fb5c890f5d0e2cb37cc38fbb88c9b993a96d8836f077be907f0944d3dffad20b464f7bc1a2b3ccc5c9776b46ca6f2a669cbca0c8a41e667436f1

Score

8^/10

evasion persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kins_1.0.0.1.vir.exeWinMail.exe

description pid process

Token: SeSecurityPrivilege 744 kins_1.0.0.1.vir.exe
Token: SeManageVolumePrivilege 1140 WinMail.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1140 WinMail.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1152 cmd.exe

description	pid	process
Token: SeSecurityPrivilege	744	kins_1.0.0.1.vir.exe
Token: SeManageVolumePrivilege	1140	WinMail.exe

pid	process
1140	WinMail.exe

pid	process
1152	cmd.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

kins_1.0.0.1.vir.exekaeb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE	kins_1.0.0.1.vir.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\WINE	kaeb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1140 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1140 WinMail.exe

pid	process
1140	WinMail.exe

pid	process
1140	WinMail.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kaeb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	kaeb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaeb.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Atvyyt\\kaeb.exe"	kaeb.exe

Suspicious use of WriteProcessMemory 83 IoCs

Processes:

kins_1.0.0.1.vir.exekins_1.0.0.1.vir.exekaeb.exekaeb.exe

description	pid	process	target process
PID 1588 wrote to memory of 744	1588	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 1588 wrote to memory of 744	1588	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 1588 wrote to memory of 744	1588	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 1588 wrote to memory of 744	1588	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 1588 wrote to memory of 744	1588	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 1588 wrote to memory of 744	1588	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 1588 wrote to memory of 744	1588	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 1588 wrote to memory of 744	1588	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 1588 wrote to memory of 744	1588	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 744 wrote to memory of 1764	744	kins_1.0.0.1.vir.exe	kaeb.exe
PID 744 wrote to memory of 1764	744	kins_1.0.0.1.vir.exe	kaeb.exe
PID 744 wrote to memory of 1764	744	kins_1.0.0.1.vir.exe	kaeb.exe
PID 744 wrote to memory of 1764	744	kins_1.0.0.1.vir.exe	kaeb.exe
PID 1764 wrote to memory of 1840	1764	kaeb.exe	kaeb.exe
PID 1764 wrote to memory of 1840	1764	kaeb.exe	kaeb.exe
PID 1764 wrote to memory of 1840	1764	kaeb.exe	kaeb.exe
PID 1764 wrote to memory of 1840	1764	kaeb.exe	kaeb.exe
PID 1764 wrote to memory of 1840	1764	kaeb.exe	kaeb.exe
PID 1764 wrote to memory of 1840	1764	kaeb.exe	kaeb.exe
PID 1764 wrote to memory of 1840	1764	kaeb.exe	kaeb.exe
PID 1764 wrote to memory of 1840	1764	kaeb.exe	kaeb.exe
PID 1764 wrote to memory of 1840	1764	kaeb.exe	kaeb.exe
PID 1840 wrote to memory of 1092	1840	kaeb.exe	taskhost.exe
PID 1840 wrote to memory of 1092	1840	kaeb.exe	taskhost.exe
PID 1840 wrote to memory of 1092	1840	kaeb.exe	taskhost.exe
PID 1840 wrote to memory of 1092	1840	kaeb.exe	taskhost.exe
PID 1840 wrote to memory of 1092	1840	kaeb.exe	taskhost.exe
PID 1840 wrote to memory of 1092	1840	kaeb.exe	taskhost.exe
PID 1840 wrote to memory of 1092	1840	kaeb.exe	taskhost.exe
PID 1840 wrote to memory of 1092	1840	kaeb.exe	taskhost.exe
PID 1840 wrote to memory of 1184	1840	kaeb.exe	Dwm.exe
PID 1840 wrote to memory of 1184	1840	kaeb.exe	Dwm.exe
PID 1840 wrote to memory of 1184	1840	kaeb.exe	Dwm.exe
PID 1840 wrote to memory of 1184	1840	kaeb.exe	Dwm.exe
PID 1840 wrote to memory of 1184	1840	kaeb.exe	Dwm.exe
PID 1840 wrote to memory of 1184	1840	kaeb.exe	Dwm.exe
PID 1840 wrote to memory of 1184	1840	kaeb.exe	Dwm.exe
PID 1840 wrote to memory of 1184	1840	kaeb.exe	Dwm.exe
PID 1840 wrote to memory of 1228	1840	kaeb.exe	Explorer.EXE
PID 1840 wrote to memory of 1228	1840	kaeb.exe	Explorer.EXE
PID 1840 wrote to memory of 1228	1840	kaeb.exe	Explorer.EXE
PID 1840 wrote to memory of 1228	1840	kaeb.exe	Explorer.EXE
PID 1840 wrote to memory of 1228	1840	kaeb.exe	Explorer.EXE
PID 1840 wrote to memory of 1228	1840	kaeb.exe	Explorer.EXE
PID 1840 wrote to memory of 1228	1840	kaeb.exe	Explorer.EXE
PID 1840 wrote to memory of 1228	1840	kaeb.exe	Explorer.EXE
PID 1840 wrote to memory of 744	1840	kaeb.exe	kins_1.0.0.1.vir.exe
PID 1840 wrote to memory of 744	1840	kaeb.exe	kins_1.0.0.1.vir.exe
PID 1840 wrote to memory of 744	1840	kaeb.exe	kins_1.0.0.1.vir.exe
PID 1840 wrote to memory of 744	1840	kaeb.exe	kins_1.0.0.1.vir.exe
PID 1840 wrote to memory of 744	1840	kaeb.exe	kins_1.0.0.1.vir.exe
PID 1840 wrote to memory of 744	1840	kaeb.exe	kins_1.0.0.1.vir.exe
PID 1840 wrote to memory of 744	1840	kaeb.exe	kins_1.0.0.1.vir.exe
PID 1840 wrote to memory of 744	1840	kaeb.exe	kins_1.0.0.1.vir.exe
PID 1840 wrote to memory of 744	1840	kaeb.exe	kins_1.0.0.1.vir.exe
PID 1840 wrote to memory of 1104	1840	kaeb.exe	DllHost.exe
PID 1840 wrote to memory of 1104	1840	kaeb.exe	DllHost.exe
PID 1840 wrote to memory of 1104	1840	kaeb.exe	DllHost.exe
PID 1840 wrote to memory of 1104	1840	kaeb.exe	DllHost.exe
PID 1840 wrote to memory of 1104	1840	kaeb.exe	DllHost.exe
PID 1840 wrote to memory of 1104	1840	kaeb.exe	DllHost.exe
PID 1840 wrote to memory of 1104	1840	kaeb.exe	DllHost.exe
PID 1840 wrote to memory of 1104	1840	kaeb.exe	DllHost.exe
PID 1840 wrote to memory of 1140	1840	kaeb.exe	WinMail.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

kins_1.0.0.1.vir.exekaeb.exe

description	pid	process	target process
PID 1588 set thread context of 744	1588	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 1764 set thread context of 1840	1764	kaeb.exe	kaeb.exe

Loads dropped DLL 2 IoCs

Processes:

kins_1.0.0.1.vir.exe

pid process

744 kins_1.0.0.1.vir.exe
744 kins_1.0.0.1.vir.exe
Executes dropped EXE 2 IoCs

Processes:

kaeb.exekaeb.exe

pid process

1764 kaeb.exe
1840 kaeb.exe

pid	process
744	kins_1.0.0.1.vir.exe
744	kins_1.0.0.1.vir.exe

pid	process
1764	kaeb.exe
1840	kaeb.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

kaeb.exe

pid	process
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe
1840	kaeb.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\677440B7-00000001.eml:OECustomProperty	WinMail.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1092

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\kins_1.0.0.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\kins_1.0.0.1.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1588

C:\Users\Admin\AppData\Local\Temp\kins_1.0.0.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\kins_1.0.0.1.vir.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Identifies Wine through registry keys
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:744

C:\Users\Admin\AppData\Roaming\Atvyyt\kaeb.exe
"C:\Users\Admin\AppData\Roaming\Atvyyt\kaeb.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Executes dropped EXE
PID:1764

C:\Users\Admin\AppData\Roaming\Atvyyt\kaeb.exe
"C:\Users\Admin\AppData\Roaming\Atvyyt\kaeb.exe"
5⤵
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpab2c25ff.bat"
4⤵
- Deletes itself
PID:1152

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1104

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of SendNotifyMessage
- NTFS ADS
PID:1140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpab2c25ff.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Atvyyt\kaeb.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Atvyyt\kaeb.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Atvyyt\kaeb.exe

Download Submit
\Users\Admin\AppData\Roaming\Atvyyt\kaeb.exe

Download Submit
\Users\Admin\AppData\Roaming\Atvyyt\kaeb.exe

Download Submit
memory/744-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/744-1-0x00000000004196A3-mapping.dmp

Download
memory/744-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1140-41-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/1140-47-0x0000000004DA0000-0x0000000004DA2000-memory.dmp

Filesize
8KB

Download
memory/1140-14-0x00000000038E0000-0x0000000003AE0000-memory.dmp

Filesize
2.0MB

Download
memory/1140-16-0x00000000038E0000-0x00000000039E0000-memory.dmp

Filesize
1024KB

Download
memory/1140-17-0x00000000038E0000-0x0000000003AE0000-memory.dmp

Filesize
2.0MB

Download
memory/1140-18-0x00000000039E0000-0x0000000003AE0000-memory.dmp

Filesize
1024KB

Download
memory/1140-22-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1140-23-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/1140-24-0x0000000002550000-0x0000000002552000-memory.dmp

Filesize
8KB

Download
memory/1140-25-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1140-26-0x0000000003FA0000-0x0000000003FA2000-memory.dmp

Filesize
8KB

Download
memory/1140-27-0x0000000004040000-0x0000000004042000-memory.dmp

Filesize
8KB

Download
memory/1140-28-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/1140-30-0x0000000003D60000-0x0000000003D62000-memory.dmp

Filesize
8KB

Download
memory/1140-32-0x0000000003D60000-0x0000000003D62000-memory.dmp

Filesize
8KB

Download
memory/1140-33-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1140-34-0x0000000003D60000-0x0000000003D62000-memory.dmp

Filesize
8KB

Download
memory/1140-37-0x0000000003D60000-0x0000000003D62000-memory.dmp

Filesize
8KB

Download
memory/1140-38-0x0000000003B50000-0x0000000003B52000-memory.dmp

Filesize
8KB

Download
memory/1140-39-0x0000000003D60000-0x0000000003D62000-memory.dmp

Filesize
8KB

Download
memory/1140-40-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1140-77-0x00000000020C0000-0x00000000020D0000-memory.dmp

Filesize
64KB

Download
memory/1140-42-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/1140-43-0x0000000003D70000-0x0000000003D72000-memory.dmp

Filesize
8KB

Download
memory/1140-44-0x0000000004C70000-0x0000000004C72000-memory.dmp

Filesize
8KB

Download
memory/1140-45-0x0000000004C80000-0x0000000004C82000-memory.dmp

Filesize
8KB

Download
memory/1140-46-0x0000000004C90000-0x0000000004C92000-memory.dmp

Filesize
8KB

Download
memory/1140-12-0x00000000038E0000-0x00000000039E0000-memory.dmp

Filesize
1024KB

Download
memory/1140-48-0x00000000057C0000-0x00000000057C2000-memory.dmp

Filesize
8KB

Download
memory/1140-49-0x00000000057D0000-0x00000000057D2000-memory.dmp

Filesize
8KB

Download
memory/1140-50-0x0000000003C40000-0x0000000003C42000-memory.dmp

Filesize
8KB

Download
memory/1140-51-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/1140-52-0x0000000003C30000-0x0000000003C32000-memory.dmp

Filesize
8KB

Download
memory/1140-53-0x0000000003DA0000-0x0000000003DA2000-memory.dmp

Filesize
8KB

Download
memory/1140-54-0x0000000004050000-0x0000000004052000-memory.dmp

Filesize
8KB

Download
memory/1140-56-0x0000000003B60000-0x0000000003B62000-memory.dmp

Filesize
8KB

Download
memory/1140-55-0x0000000004040000-0x0000000004042000-memory.dmp

Filesize
8KB

Download
memory/1140-57-0x0000000004420000-0x0000000004422000-memory.dmp

Filesize
8KB

Download
memory/1140-58-0x00000000044B0000-0x00000000044B2000-memory.dmp

Filesize
8KB

Download
memory/1140-59-0x00000000057F0000-0x00000000057F2000-memory.dmp

Filesize
8KB

Download
memory/1140-60-0x0000000004540000-0x0000000004542000-memory.dmp

Filesize
8KB

Download
memory/1140-61-0x00000000057E0000-0x00000000057E2000-memory.dmp

Filesize
8KB

Download
memory/1140-62-0x00000000045E0000-0x00000000045E2000-memory.dmp

Filesize
8KB

Download
memory/1140-63-0x0000000004090000-0x0000000004092000-memory.dmp

Filesize
8KB

Download
memory/1140-64-0x0000000004080000-0x0000000004082000-memory.dmp

Filesize
8KB

Download
memory/1140-65-0x0000000004070000-0x0000000004072000-memory.dmp

Filesize
8KB

Download
memory/1140-66-0x0000000004060000-0x0000000004062000-memory.dmp

Filesize
8KB

Download
memory/1140-67-0x0000000003C50000-0x0000000003C52000-memory.dmp

Filesize
8KB

Download
memory/1140-68-0x0000000004C60000-0x0000000004C62000-memory.dmp

Filesize
8KB

Download
memory/1140-69-0x00000000038E0000-0x00000000039E0000-memory.dmp

Filesize
1024KB

Download
memory/1140-71-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/1152-83-0x0000000000000000-mapping.dmp

Download
memory/1764-5-0x0000000000000000-mapping.dmp

Download
memory/1840-9-0x00000000004196A3-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads