Analysis
- max time kernel: 149s
- max time network: 100s
- platform: windows10_x64
- resource: win10v200430
- submitted: 19-07-2020 17:20
Static task
- static1

Behavioral task
- behavioral1: sample kins_3.3.0.0.vir.exe, resource win7 (windows7_x64), 0 signatures, 0 seconds

Behavioral task
- behavioral2: sample kins_3.3.0.0.vir.exe, resource win10v200430 (windows10_x64), 0 signatures, 0 seconds
General
- Target: kins_3.3.0.0.vir.exe
- Size: 362KB
- MD5: f5318580e676c21254bbd209edd55444
- SHA1: 2745398c853ecd6672cba4c51125a42f87e75cb1
- SHA256: e8a83b5d764c72a3c9c7ec2c5711ca045c3356a4c4d8de999efcacf291bd8b2b
- SHA512: c8ed17d24362aa256e757497930d0eca46036a0e3f6ddb3a3006ae63bab9bcea03d6b7bf6bf6c95e055f52726a15d49e3968b9334adcffd672d045e98b5e39b4
- Score: 8/10
Malware Config
Signatures
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: 1636 kins_3.3.0.0.vir.exe; 2676 compatibility.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: 1636 kins_3.3.0.0.vir.exe; 2676 compatibility.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 1636 kins_3.3.0.0.vir.exe, Token: SeSecurityPrivilege (two records)
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (source PID and image -> target PID and image, number of records):
  1636 kins_3.3.0.0.vir.exe -> 2676 compatibility.exe (3)
  2676 compatibility.exe -> 2892 explorer.exe (10)
  2676 compatibility.exe -> 3912 explorer.exe (10)
  1636 kins_3.3.0.0.vir.exe -> 496 cmd.exe (3)
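The WriteProcessMemory list is more useful as a graph than as a flat list. The Python below is an added example, not part of the sandbox report: it parses records in the report's `PID <src> wrote to memory of <dst> <src> <src image> <dst image>` form, collapses the repeats into per-edge counts, and walks the write chains from the submitted sample to the processes they end in. The input string is constructed from the four distinct records on this page, repeated as often as the report lists them, and the 26-record total is the check that nothing was dropped; the list of "injection host" images is an assumption of the example, not something the report states.

```python
import re
from collections import Counter

# Constructed input (not copied verbatim from the report page): the four
# distinct "wrote to memory of" records from this report, each repeated as
# many times as the report lists it (3 + 10 + 10 + 3 = 26).
RAW_IOCS = (
    "PID 1636 wrote to memory of 2676 1636 kins_3.3.0.0.vir.exe compatibility.exe " * 3
    + "PID 2676 wrote to memory of 2892 2676 compatibility.exe explorer.exe " * 10
    + "PID 2676 wrote to memory of 3912 2676 compatibility.exe explorer.exe " * 10
    + "PID 1636 wrote to memory of 496 1636 kins_3.3.0.0.vir.exe cmd.exe " * 3
)

# One record: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
EDGE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Assumed set of images that commonly host injected code; a write into one of
# these from a process that is not itself a Windows component is the
# interesting case.
INJECTION_HOSTS = {"explorer.exe", "svchost.exe", "rundll32.exe"}


def parse_write_edges(text):
    """Collapse repeated records into (src_pid, src_img, dst_pid, dst_img) -> count."""
    edges = Counter()
    for m in EDGE_RE.finditer(text):
        edges[(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])] += 1
    return edges


def write_chains(edges):
    """Return every root-to-leaf path of WriteProcessMemory activity as 'pid:image' lists."""
    image = {}
    children = {}
    for src, src_img, dst, dst_img in edges:
        image[src], image[dst] = src_img, dst_img
        children.setdefault(src, []).append(dst)
    # Roots are writers that nobody wrote into (here: the submitted sample).
    roots = sorted(set(children) - {d for kids in children.values() for d in kids})

    def walk(pid, path):
        path = path + [f"{pid}:{image[pid]}"]
        if pid not in children:
            return [path]
        return [p for kid in sorted(children[pid]) for p in walk(kid, path)]

    return [p for r in roots for p in walk(r, [])]


def host_injections(edges):
    """(src_img, dst_pid, dst_img, count) for writes into a known injection host."""
    return sorted(
        (src_img, dst, dst_img, n)
        for (src, src_img, dst, dst_img), n in edges.items()
        if dst_img.lower() in INJECTION_HOSTS
    )


if __name__ == "__main__":
    edges = parse_write_edges(RAW_IOCS)
    print(f"{sum(edges.values())} records, {len(edges)} distinct edges")
    for chain in write_chains(edges):
        print(" -> ".join(chain))
    for src_img, dst, dst_img, n in host_injections(edges):
        print(f"{src_img} wrote into {dst_img} (PID {dst}) {n} times")
```

Run against this report the chains come out as kins_3.3.0.0.vir.exe -> compatibility.exe -> explorer.exe (twice, once per explorer PID) and kins_3.3.0.0.vir.exe -> cmd.exe, which is the structure the process tree below shows from the parent-child side.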
- Executes dropped EXE (1 IoC)
  Processes: 2676 compatibility.exe
- Suspicious behavior: EnumeratesProcesses (116 IoCs)
  Processes: 2676 compatibility.exe (2 records); 2892 explorer.exe (all remaining listed records)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\Currentversion\Run
  explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\compatibility.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ah406040.default-release\\storage\\compatibility.exe"
  The Run value is written by explorer.exe, one of the processes compatibility.exe wrote into (see the WriteProcessMemory IoCs), and it points the autostart at the executable dropped inside the user's Firefox profile directory rather than at a program directory.
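A triage rule for this persistence, as an added example that is not from the report or the sandbox vendor. It runs over constructed Sysmon-style Event ID 13 (RegistryEvent, value set) records: the first mirrors the IoC above, the second is a hypothetical benign installer entry (ExampleVendor, agent.exe) added for contrast. The heuristics are the example's own: an autostart executable inside a browser profile directory, an autostart executable under a user-writable data directory, and a Run value written by explorer.exe, which in this run is a process the dropped binary injected into.

```python
import re
from pathlib import PureWindowsPath

# Run / RunOnce autostart keys under any hive (HKU\<SID>\..., HKLM\..., HKCU\...).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

# Browser profile directories (lower-case, backslash form). They hold profile
# data; a legitimate autostart entry does not point at an executable inside them.
BROWSER_PROFILE_DIRS = (
    "\\appdata\\roaming\\mozilla\\firefox\\profiles\\",
    "\\appdata\\local\\google\\chrome\\user data\\",
)
# Locations any user can write to without privilege; a weaker signal on its own.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Assumed: writers that do not normally register autostart entries themselves.
UNEXPECTED_WRITERS = {"explorer.exe"}

# Constructed Sysmon-style Event ID 13 records (not taken from a real log).
EVENTS = [
    {   # mirrors the "Set value" IoC in this report
        "event_id": 13,
        "image": r"C:\Windows\SysWOW64\explorer.exe",
        "process_id": 2892,
        "target_object": (r"HKU\S-1-5-21-1231583446-2617009595-2137880041-1000"
                          r"\Software\Microsoft\Windows\CurrentVersion\Run\compatibility.exe"),
        "details": (r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles"
                    r"\ah406040.default-release\storage\compatibility.exe"),
    },
    {   # hypothetical benign installer entry, for contrast
        "event_id": 13,
        "image": r"C:\Program Files\ExampleVendor\setup.exe",
        "process_id": 4100,
        "target_object": (r"HKU\S-1-5-21-1231583446-2617009595-2137880041-1000"
                          r"\Software\Microsoft\Windows\CurrentVersion\Run\ExampleAgent"),
        "details": r'"C:\Program Files\ExampleVendor\agent.exe" --tray',
    },
]


def executable_from_value(details):
    """Return the executable path from Run value data, stripping quotes and arguments."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:details.index('"', 1)]
    # Unquoted: take everything up to the first ".exe" that ends a token.
    m = re.match(r"^(.*?\.exe)(?=\s|$)", details, re.I)
    return m.group(1) if m else details.split(" ", 1)[0]


def triage_run_value(event):
    """Reasons a value-set event looks like malicious autostart persistence ([] = nothing flagged)."""
    if event["event_id"] != 13 or not RUN_KEY_RE.search(event["target_object"]):
        return []
    reasons = []
    exe = executable_from_value(event["details"]).lower().replace("/", "\\")
    writer = PureWindowsPath(event["image"]).name.lower()
    if any(d in exe for d in BROWSER_PROFILE_DIRS):
        reasons.append("autostart executable is inside a browser profile directory")
    elif any(d in exe for d in USER_WRITABLE_DIRS):
        reasons.append("autostart executable is in a user-writable data directory")
    if writer in UNEXPECTED_WRITERS:
        reasons.append(f"value written by {writer} (PID {event['process_id']}), "
                       "which does not normally register autostart entries")
    return reasons


def flag_events(events):
    """Map each flagged Run value name to the reasons it was flagged."""
    hits = {}
    for ev in events:
        reasons = triage_run_value(ev)
        if reasons:
            hits[PureWindowsPath(ev["target_object"]).name] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in flag_events(EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The browser-profile check is deliberately separate from the generic AppData check: plenty of legitimate per-user software autostarts from AppData, so that signal alone is noisy, whereas an executable registered from inside a Firefox or Chrome profile directory is worth an analyst's time on its own.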
Processes
Depth from the report's tree markers is shown in brackets; PIDs are taken from the signature tables above.
- [1] C:\Users\Admin\AppData\Local\Temp\kins_3.3.0.0.vir.exe (PID 1636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\kins_3.3.0.0.vir.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\storage\compatibility.exe (PID 2676)
    Command line: "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\storage\compatibility.exe"
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - [3] C:\Windows\SysWOW64\explorer.exe (PID 2892, the instance named in the EnumeratesProcesses IoCs)
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run key to start application
    - [3] C:\Windows\SysWOW64\explorer.exe (PID 3912; no signatures attributed)
      Command line: "C:\Windows\SysWOW64\explorer.exe"
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 496)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp82d34128.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp82d34128.bat
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\storage\compatibility.exe
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\storage\compatibility.exe (listed a second time by the report)
- memory/496-5-0x0000000000000000-mapping.dmp (PID 496, cmd.exe)
- memory/2676-0-0x0000000000000000-mapping.dmp (PID 2676, compatibility.exe)
- memory/2892-3-0x0000000000000000-mapping.dmp (PID 2892, explorer.exe)
- memory/3912-4-0x0000000000000000-mapping.dmp (PID 3912, explorer.exe)