74c975e466910e51d9a87fcffdc408e88df2aef3d8b0a9011faf70015966f013

Analysis

Target

kins_1.0.0.1.vir.exe
Size

259KB
MD5

33b9dcf1237941fd90e28df9ca78c730
SHA1

9f40f20d5caa06a39db6448ba477742f58a6a959
SHA256

74c975e466910e51d9a87fcffdc408e88df2aef3d8b0a9011faf70015966f013
SHA512

463d83e7f175fb5c890f5d0e2cb37cc38fbb88c9b993a96d8836f077be907f0944d3dffad20b464f7bc1a2b3ccc5c9776b46ca6f2a669cbca0c8a41e667436f1

Score

7^/10

evasion

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

kins_1.0.0.1.vir.exe

description	pid	process	target process
PID 3904 wrote to memory of 3428	3904	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428	3904	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428	3904	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428	3904	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428	3904	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428	3904	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428	3904	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe
PID 3904 wrote to memory of 3428	3904	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

kins_1.0.0.1.vir.exe

description pid process target process

PID 3904 set thread context of 3428 3904 kins_1.0.0.1.vir.exe kins_1.0.0.1.vir.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

kins_1.0.0.1.vir.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE kins_1.0.0.1.vir.exe

description	pid	process	target process
PID 3904 set thread context of 3428	3904	kins_1.0.0.1.vir.exe	kins_1.0.0.1.vir.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\WINE	kins_1.0.0.1.vir.exe

C:\Users\Admin\AppData\Local\Temp\kins_1.0.0.1.vir.exe
"C:\Users\Admin\AppData\Local\Temp\kins_1.0.0.1.vir.exe"
2⤵
- Identifies Wine through registry keys
PID:3428

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/3428-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3428-1-0x00000000004196A3-mapping.dmp

Download
memory/3428-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download