e8a83b5d764c72a3c9c7ec2c5711ca045c3356a4c4d8de999efcacf291bd8b2b

General

Target

kins_3.3.0.0.vir.exe
Size

362KB
MD5

f5318580e676c21254bbd209edd55444
SHA1

2745398c853ecd6672cba4c51125a42f87e75cb1
SHA256

e8a83b5d764c72a3c9c7ec2c5711ca045c3356a4c4d8de999efcacf291bd8b2b
SHA512

c8ed17d24362aa256e757497930d0eca46036a0e3f6ddb3a3006ae63bab9bcea03d6b7bf6bf6c95e055f52726a15d49e3968b9334adcffd672d045e98b5e39b4

Score

8^/10

spyware persistence

Malware Config

Signatures

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

kins_3.3.0.0.vir.execompatibility.exe

pid process

1636 kins_3.3.0.0.vir.exe
2676 compatibility.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

kins_3.3.0.0.vir.execompatibility.exe

pid process

1636 kins_3.3.0.0.vir.exe
2676 compatibility.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kins_3.3.0.0.vir.exe

description pid process

Token: SeSecurityPrivilege 1636 kins_3.3.0.0.vir.exe
Token: SeSecurityPrivilege 1636 kins_3.3.0.0.vir.exe

pid	process
1636	kins_3.3.0.0.vir.exe
2676	compatibility.exe

pid	process
1636	kins_3.3.0.0.vir.exe
2676	compatibility.exe

description	pid	process
Token: SeSecurityPrivilege	1636	kins_3.3.0.0.vir.exe
Token: SeSecurityPrivilege	1636	kins_3.3.0.0.vir.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

kins_3.3.0.0.vir.execompatibility.exe

description	pid	process	target process
PID 1636 wrote to memory of 2676	1636	kins_3.3.0.0.vir.exe	compatibility.exe
PID 1636 wrote to memory of 2676	1636	kins_3.3.0.0.vir.exe	compatibility.exe
PID 1636 wrote to memory of 2676	1636	kins_3.3.0.0.vir.exe	compatibility.exe
PID 2676 wrote to memory of 2892	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 2892	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 2892	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 2892	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 2892	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 2892	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 2892	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 2892	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 2892	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 2892	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 3912	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 3912	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 3912	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 3912	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 3912	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 3912	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 3912	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 3912	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 3912	2676	compatibility.exe	explorer.exe
PID 2676 wrote to memory of 3912	2676	compatibility.exe	explorer.exe
PID 1636 wrote to memory of 496	1636	kins_3.3.0.0.vir.exe	cmd.exe
PID 1636 wrote to memory of 496	1636	kins_3.3.0.0.vir.exe	cmd.exe
PID 1636 wrote to memory of 496	1636	kins_3.3.0.0.vir.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

compatibility.exe

pid process

2676 compatibility.exe

Suspicious behavior: EnumeratesProcesses 116 IoCs

Processes:

compatibility.exeexplorer.exe

pid	process
2676	compatibility.exe
2676	compatibility.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe
2892	explorer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\compatibility.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ah406040.default-release\\storage\\compatibility.exe"	explorer.exe

C:\Users\Admin\AppData\Local\Temp\kins_3.3.0.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\kins_3.3.0.0.vir.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\storage\compatibility.exe
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\storage\compatibility.exe"
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
PID:2892

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp82d34128.bat"
2⤵
PID:496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp82d34128.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\storage\compatibility.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\storage\compatibility.exe

Download Submit
memory/496-5-0x0000000000000000-mapping.dmp

Download
memory/2676-0-0x0000000000000000-mapping.dmp

Download
memory/2892-3-0x0000000000000000-mapping.dmp

Download
memory/3912-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads