Analysis
- max time kernel: 152s
- max time network: 80s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:23
Static task: static1
Behavioral task: behavioral1
- Sample: kins_2.0.9.9.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: kins_2.0.9.9.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: kins_2.0.9.9.vir.exe
- Size: 216KB
- MD5: b74cf245e3b7ee3efc4e6c987acf092d
- SHA1: ed02aef8f1f30f67a4e40acb60af0076061e362e
- SHA256: 4dfd38dbb39f3ed69c713f601bc52b663a5cd08d37a2ececcbf8d54d8d179f05
- SHA512: 27178f5a008669245cec97d7b901e580615b71d03ae64cf8b94eaaa9b9df95c646fea2b3a8770f358cd24ec1979ab66b58202f07bd0b2303f972a409a06ab40b
Score: 8/10
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeSecurityPrivilege | 1412 | kins_2.0.9.9.vir.exe
- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes (pid | process | target pid | target process | write events):
  1412 | kins_2.0.9.9.vir.exe | 1468 | idqoa.exe | 4
  1468 | idqoa.exe | 1072 | taskhost.exe | 5
  1468 | idqoa.exe | 1160 | Dwm.exe | 5
  1468 | idqoa.exe | 1212 | Explorer.EXE | 5
  1468 | idqoa.exe | 1412 | kins_2.0.9.9.vir.exe | 5
  1412 | kins_2.0.9.9.vir.exe | 272 | cmd.exe | 9
  1468 | idqoa.exe | 1684 | DllHost.exe | 5
  1468 | idqoa.exe | 1824 | DllHost.exe | 5
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1468 | idqoa.exe
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes (pid | process | events):
  1468 | idqoa.exe | 32
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target pid | target process):
  PID 1412 set thread context of 272 | 1412 | kins_2.0.9.9.vir.exe | 272 | cmd.exe
- Modifies system certificate store
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | idqoa.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <certificate blob, hex omitted; written three times> | idqoa.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\WINE | kins_2.0.9.9.vir.exe
  Key opened | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\WINE | idqoa.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process | events):
  1412 | kins_2.0.9.9.vir.exe | 2
- Deletes itself (1 IoC)
  Processes (pid | process):
  272 | cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run | idqoa.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4C65F3AD-E39B-D323-D3F7-3E104EE0C79F} = "C:\\Users\\Admin\\AppData\\Roaming\\Ziqu\\idqoa.exe" | idqoa.exe
Processes (indented by depth in the process tree)
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\kins_2.0.9.9.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\kins_2.0.9.9.vir.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - C:\Users\Admin\AppData\Roaming\Ziqu\idqoa.exe
      command line: "C:\Users\Admin\AppData\Roaming\Ziqu\idqoa.exe"
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Modifies system certificate store
      - Identifies Wine through registry keys
      - Adds Run key to start application
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp59453858.bat"
      - Deletes itself
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp59453858.bat
- C:\Users\Admin\AppData\Roaming\Ziqu\idqoa.exe
- \Users\Admin\AppData\Roaming\Ziqu\idqoa.exe
- memory/272-5-0x0000000000050000-0x0000000000076000-memory.dmp (filesize: 152KB)
- memory/272-6-0x000000000005CA8C-mapping.dmp
- memory/1468-2-0x0000000000000000-mapping.dmp