e8a83b5d764c72a3c9c7ec2c5711ca045c3356a4c4d8de999efcacf291bd8b2b

General

Target

kins_3.3.0.0.vir.exe
Size

362KB
MD5

f5318580e676c21254bbd209edd55444
SHA1

2745398c853ecd6672cba4c51125a42f87e75cb1
SHA256

e8a83b5d764c72a3c9c7ec2c5711ca045c3356a4c4d8de999efcacf291bd8b2b
SHA512

c8ed17d24362aa256e757497930d0eca46036a0e3f6ddb3a3006ae63bab9bcea03d6b7bf6bf6c95e055f52726a15d49e3968b9334adcffd672d045e98b5e39b4

Score

8^/10

persistence spyware

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kins_3.3.0.0.vir.exe

description pid process

Token: SeSecurityPrivilege 1508 kins_3.3.0.0.vir.exe
Token: SeSecurityPrivilege 1508 kins_3.3.0.0.vir.exe

description	pid	process
Token: SeSecurityPrivilege	1508	kins_3.3.0.0.vir.exe
Token: SeSecurityPrivilege	1508	kins_3.3.0.0.vir.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

kins_3.3.0.0.vir.exeaddonStartup.json.exe

description	pid	process	target process
PID 1508 wrote to memory of 912	1508	kins_3.3.0.0.vir.exe	addonStartup.json.exe
PID 1508 wrote to memory of 912	1508	kins_3.3.0.0.vir.exe	addonStartup.json.exe
PID 1508 wrote to memory of 912	1508	kins_3.3.0.0.vir.exe	addonStartup.json.exe
PID 1508 wrote to memory of 912	1508	kins_3.3.0.0.vir.exe	addonStartup.json.exe
PID 912 wrote to memory of 1060	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1060	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1060	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1060	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1060	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1060	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1060	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1060	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1060	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1060	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1060	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1536	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1536	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1536	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1536	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1536	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1536	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1536	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1536	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1536	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1536	912	addonStartup.json.exe	explorer.exe
PID 912 wrote to memory of 1536	912	addonStartup.json.exe	explorer.exe
PID 1508 wrote to memory of 1708	1508	kins_3.3.0.0.vir.exe	cmd.exe
PID 1508 wrote to memory of 1708	1508	kins_3.3.0.0.vir.exe	cmd.exe
PID 1508 wrote to memory of 1708	1508	kins_3.3.0.0.vir.exe	cmd.exe
PID 1508 wrote to memory of 1708	1508	kins_3.3.0.0.vir.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

addonStartup.json.exe

pid process

912 addonStartup.json.exe

Suspicious behavior: EnumeratesProcesses 138 IoCs

Processes:

addonStartup.json.exeexplorer.exe

pid	process
912	addonStartup.json.exe
912	addonStartup.json.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe
1060	explorer.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

kins_3.3.0.0.vir.exeaddonStartup.json.exe

pid process

1508 kins_3.3.0.0.vir.exe
912 addonStartup.json.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

kins_3.3.0.0.vir.exeaddonStartup.json.exe

pid process

1508 kins_3.3.0.0.vir.exe
912 addonStartup.json.exe
Loads dropped DLL 1 IoCs

Processes:

kins_3.3.0.0.vir.exe

pid process

1508 kins_3.3.0.0.vir.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1708 cmd.exe

pid	process
1508	kins_3.3.0.0.vir.exe
912	addonStartup.json.exe

pid	process
1508	kins_3.3.0.0.vir.exe
912	addonStartup.json.exe

pid	process
1508	kins_3.3.0.0.vir.exe

pid	process
1708	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\addonStartup.json.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d5vrebxd.default-release\\crashes\\addonStartup.json.exe"	explorer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\kins_3.3.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\kins_3.3.0.0.vir.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Loads dropped DLL
PID:1508

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\addonStartup.json.exe
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\addonStartup.json.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:912

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
- Adds Run key to start application
PID:1060

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa11a06a0.bat"
2⤵
- Deletes itself
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa11a06a0.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\addonStartup.json.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\addonStartup.json.exe

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\addonStartup.json.exe

Download Submit
memory/912-1-0x0000000000000000-mapping.dmp

Download
memory/1060-4-0x0000000000000000-mapping.dmp

Download
memory/1536-5-0x0000000000000000-mapping.dmp

Download
memory/1708-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads