Analysis
max time kernel: 119s
max time network: 120s
platform: windows10_x64
resource: win10
submitted: 19-07-2020 19:51
Static task: static1
Behavioral task: behavioral1
  Sample: kins_1.0.0.1.vir.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: kins_1.0.0.1.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: kins_1.0.0.1.vir.exe
Size: 259KB
MD5: 33b9dcf1237941fd90e28df9ca78c730
SHA1: 9f40f20d5caa06a39db6448ba477742f58a6a959
SHA256: 74c975e466910e51d9a87fcffdc408e88df2aef3d8b0a9011faf70015966f013
SHA512: 463d83e7f175fb5c890f5d0e2cb37cc38fbb88c9b993a96d8836f077be907f0944d3dffad20b464f7bc1a2b3ccc5c9776b46ca6f2a669cbca0c8a41e667436f1
Score: 7/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description                      | pid  | process              | target process
PID 3904 wrote to memory of 3428 | 3904 | kins_1.0.0.1.vir.exe | kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428 | 3904 | kins_1.0.0.1.vir.exe | kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428 | 3904 | kins_1.0.0.1.vir.exe | kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428 | 3904 | kins_1.0.0.1.vir.exe | kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428 | 3904 | kins_1.0.0.1.vir.exe | kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428 | 3904 | kins_1.0.0.1.vir.exe | kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428 | 3904 | kins_1.0.0.1.vir.exe | kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428 | 3904 | kins_1.0.0.1.vir.exe | kins_1.0.0.1.vir.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
description                       | pid  | process              | target process
PID 3904 set thread context of 3428 | 3904 | kins_1.0.0.1.vir.exe | kins_1.0.0.1.vir.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc                                                                          | process
Key opened  | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE | kins_1.0.0.1.vir.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\kins_1.0.0.1.vir.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\kins_1.0.0.1.vir.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   2. C:\Users\Admin\AppData\Local\Temp\kins_1.0.0.1.vir.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\kins_1.0.0.1.vir.exe"
      - Identifies Wine through registry keys