Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
19-07-2020 17:32
Static task
static1
Behavioral task
behavioral1
Sample
kins_3.1.0.0.vir.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
kins_3.1.0.0.vir.exe
Resource
win10v200430
windows10_x64
0 signatures
0 seconds
General
-
Target
kins_3.1.0.0.vir.exe
-
Size
213KB
-
MD5
23877e74b44452778b56855cdf83d9b9
-
SHA1
4790c8147c74f199481e792493c43ffd1f823e5f
-
SHA256
798c6be4ea73c2d7c936f0d86b804b636188f249fd813f62722565923c158e0b
-
SHA512
cdd6af8e94e7739d4d2d5e0f566da2da94b4a9415bf709a08154a269761f701462d557e2cb79f87ad0cbe25ef6a6e399295dd4c42ed96d2d0ed02f8cfcac5237
Score
8/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
kins_3.1.0.0.vir.exedescription pid process Token: SeSecurityPrivilege 1820 kins_3.1.0.0.vir.exe Token: SeSecurityPrivilege 1820 kins_3.1.0.0.vir.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
kins_3.1.0.0.vir.exeWaitSuspend.exedescription pid process target process PID 1820 wrote to memory of 2136 1820 kins_3.1.0.0.vir.exe WaitSuspend.exe PID 1820 wrote to memory of 2136 1820 kins_3.1.0.0.vir.exe WaitSuspend.exe PID 1820 wrote to memory of 2136 1820 kins_3.1.0.0.vir.exe WaitSuspend.exe PID 2136 wrote to memory of 3656 2136 WaitSuspend.exe explorer.exe PID 2136 wrote to memory of 3656 2136 WaitSuspend.exe explorer.exe PID 2136 wrote to memory of 3656 2136 WaitSuspend.exe explorer.exe PID 2136 wrote to memory of 3656 2136 WaitSuspend.exe explorer.exe PID 2136 wrote to memory of 3656 2136 WaitSuspend.exe explorer.exe PID 2136 wrote to memory of 3656 2136 WaitSuspend.exe explorer.exe PID 2136 wrote to memory of 3656 2136 WaitSuspend.exe explorer.exe PID 2136 wrote to memory of 3656 2136 WaitSuspend.exe explorer.exe PID 2136 wrote to memory of 3656 2136 WaitSuspend.exe explorer.exe PID 2136 wrote to memory of 3656 2136 WaitSuspend.exe explorer.exe -
Executes dropped EXE 1 IoCs
Processes:
WaitSuspend.exepid process 2136 WaitSuspend.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
WaitSuspend.exepid process 2136 WaitSuspend.exe 2136 WaitSuspend.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
-
C:\Users\Admin\AppData\Local\Temp\kins_3.1.0.0.vir.exe"C:\Users\Admin\AppData\Local\Temp\kins_3.1.0.0.vir.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\storage\WaitSuspend.exe"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\storage\WaitSuspend.exe"2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\storage\WaitSuspend.exe
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ah406040.default-release\storage\WaitSuspend.exe
-
memory/2136-0-0x0000000000000000-mapping.dmp
-
memory/3656-3-0x0000000000000000-mapping.dmp