4dfd38dbb39f3ed69c713f601bc52b663a5cd08d37a2ececcbf8d54d8d179f05

General

Target

kins_2.0.9.9.vir.exe
Size

216KB
MD5

b74cf245e3b7ee3efc4e6c987acf092d
SHA1

ed02aef8f1f30f67a4e40acb60af0076061e362e
SHA256

4dfd38dbb39f3ed69c713f601bc52b663a5cd08d37a2ececcbf8d54d8d179f05
SHA512

27178f5a008669245cec97d7b901e580615b71d03ae64cf8b94eaaa9b9df95c646fea2b3a8770f358cd24ec1979ab66b58202f07bd0b2303f972a409a06ab40b

Score

8^/10

evasion persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kins_2.0.9.9.vir.exe

description pid process

Token: SeSecurityPrivilege 1412 kins_2.0.9.9.vir.exe

description	pid	process
Token: SeSecurityPrivilege	1412	kins_2.0.9.9.vir.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

kins_2.0.9.9.vir.exeidqoa.exe

description	pid	process	target process
PID 1412 wrote to memory of 1468	1412	kins_2.0.9.9.vir.exe	idqoa.exe
PID 1412 wrote to memory of 1468	1412	kins_2.0.9.9.vir.exe	idqoa.exe
PID 1412 wrote to memory of 1468	1412	kins_2.0.9.9.vir.exe	idqoa.exe
PID 1412 wrote to memory of 1468	1412	kins_2.0.9.9.vir.exe	idqoa.exe
PID 1468 wrote to memory of 1072	1468	idqoa.exe	taskhost.exe
PID 1468 wrote to memory of 1072	1468	idqoa.exe	taskhost.exe
PID 1468 wrote to memory of 1072	1468	idqoa.exe	taskhost.exe
PID 1468 wrote to memory of 1072	1468	idqoa.exe	taskhost.exe
PID 1468 wrote to memory of 1072	1468	idqoa.exe	taskhost.exe
PID 1468 wrote to memory of 1160	1468	idqoa.exe	Dwm.exe
PID 1468 wrote to memory of 1160	1468	idqoa.exe	Dwm.exe
PID 1468 wrote to memory of 1160	1468	idqoa.exe	Dwm.exe
PID 1468 wrote to memory of 1160	1468	idqoa.exe	Dwm.exe
PID 1468 wrote to memory of 1160	1468	idqoa.exe	Dwm.exe
PID 1468 wrote to memory of 1212	1468	idqoa.exe	Explorer.EXE
PID 1468 wrote to memory of 1212	1468	idqoa.exe	Explorer.EXE
PID 1468 wrote to memory of 1212	1468	idqoa.exe	Explorer.EXE
PID 1468 wrote to memory of 1212	1468	idqoa.exe	Explorer.EXE
PID 1468 wrote to memory of 1212	1468	idqoa.exe	Explorer.EXE
PID 1468 wrote to memory of 1412	1468	idqoa.exe	kins_2.0.9.9.vir.exe
PID 1468 wrote to memory of 1412	1468	idqoa.exe	kins_2.0.9.9.vir.exe
PID 1468 wrote to memory of 1412	1468	idqoa.exe	kins_2.0.9.9.vir.exe
PID 1468 wrote to memory of 1412	1468	idqoa.exe	kins_2.0.9.9.vir.exe
PID 1468 wrote to memory of 1412	1468	idqoa.exe	kins_2.0.9.9.vir.exe
PID 1412 wrote to memory of 272	1412	kins_2.0.9.9.vir.exe	cmd.exe
PID 1412 wrote to memory of 272	1412	kins_2.0.9.9.vir.exe	cmd.exe
PID 1412 wrote to memory of 272	1412	kins_2.0.9.9.vir.exe	cmd.exe
PID 1412 wrote to memory of 272	1412	kins_2.0.9.9.vir.exe	cmd.exe
PID 1412 wrote to memory of 272	1412	kins_2.0.9.9.vir.exe	cmd.exe
PID 1412 wrote to memory of 272	1412	kins_2.0.9.9.vir.exe	cmd.exe
PID 1412 wrote to memory of 272	1412	kins_2.0.9.9.vir.exe	cmd.exe
PID 1412 wrote to memory of 272	1412	kins_2.0.9.9.vir.exe	cmd.exe
PID 1412 wrote to memory of 272	1412	kins_2.0.9.9.vir.exe	cmd.exe
PID 1468 wrote to memory of 1684	1468	idqoa.exe	DllHost.exe
PID 1468 wrote to memory of 1684	1468	idqoa.exe	DllHost.exe
PID 1468 wrote to memory of 1684	1468	idqoa.exe	DllHost.exe
PID 1468 wrote to memory of 1684	1468	idqoa.exe	DllHost.exe
PID 1468 wrote to memory of 1684	1468	idqoa.exe	DllHost.exe
PID 1468 wrote to memory of 1824	1468	idqoa.exe	DllHost.exe
PID 1468 wrote to memory of 1824	1468	idqoa.exe	DllHost.exe
PID 1468 wrote to memory of 1824	1468	idqoa.exe	DllHost.exe
PID 1468 wrote to memory of 1824	1468	idqoa.exe	DllHost.exe
PID 1468 wrote to memory of 1824	1468	idqoa.exe	DllHost.exe

Executes dropped EXE 1 IoCs

Processes:

idqoa.exe

pid process

1468 idqoa.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

idqoa.exe

pid	process
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe
1468	idqoa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

kins_2.0.9.9.vir.exe

description pid process target process

PID 1412 set thread context of 272 1412 kins_2.0.9.9.vir.exe cmd.exe

description	pid	process	target process
PID 1412 set thread context of 272	1412	kins_2.0.9.9.vir.exe	cmd.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

idqoa.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	idqoa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	idqoa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	idqoa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	idqoa.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

kins_2.0.9.9.vir.exeidqoa.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\WINE	kins_2.0.9.9.vir.exe
Key opened	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\WINE	idqoa.exe

Loads dropped DLL 2 IoCs

Processes:

kins_2.0.9.9.vir.exe

pid process

1412 kins_2.0.9.9.vir.exe
1412 kins_2.0.9.9.vir.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

272 cmd.exe

pid	process
1412	kins_2.0.9.9.vir.exe
1412	kins_2.0.9.9.vir.exe

pid	process
272	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

idqoa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run	idqoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4C65F3AD-E39B-D323-D3F7-3E104EE0C79F} = "C:\\Users\\Admin\\AppData\\Roaming\\Ziqu\\idqoa.exe"	idqoa.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1072

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\kins_2.0.9.9.vir.exe
"C:\Users\Admin\AppData\Local\Temp\kins_2.0.9.9.vir.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Identifies Wine through registry keys
- Loads dropped DLL
PID:1412

C:\Users\Admin\AppData\Roaming\Ziqu\idqoa.exe
"C:\Users\Admin\AppData\Roaming\Ziqu\idqoa.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
- Identifies Wine through registry keys
- Adds Run key to start application
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp59453858.bat"
3⤵
- Deletes itself
PID:272

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1684

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp59453858.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Ziqu\idqoa.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Ziqu\idqoa.exe

Download Submit
\Users\Admin\AppData\Roaming\Ziqu\idqoa.exe

Download Submit
\Users\Admin\AppData\Roaming\Ziqu\idqoa.exe

Download Submit
memory/272-5-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/272-6-0x000000000005CA8C-mapping.dmp

Download
memory/1468-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads