Analysis
Max time kernel: 150s
Max time network: 118s
Platform: windows7_x64
Resource: win7
Submitted: 19-07-2020 19:33

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: kins_2.0.14.0.vir.exe
  Resource: win7 (windows7_x64)
0 signatures, 0 seconds
General
Target: kins_2.0.14.0.vir.exe
Size: 240KB
MD5: da99ec7cfb172928a845b5116765f498
SHA1: 4298f9dd3e8ba80c05f6ab7a90001590d115918c
SHA256: f696348658a9b89041b6bf9bdc9a3ae8f3799c5beee76e42dc81f096307c7847
SHA512: 58b865fcc05432f214e2023c4bc7a63c89cdcb761046bc825a2b50cbffc153cb3c79736b9658c5327f84c14f59bbf9251edbb85ae431cd23531e259009042e3f
Score: 8/10
Malware Config
Signatures
Suspicious use of SetThreadContext 4 IoCs
Processes: kins_2.0.14.0.vir.exe, SplitTest.exe
  description                          pid   process                 target process
  PID 1164 set thread context of 844   1164  kins_2.0.14.0.vir.exe   iexplore.exe
  PID 1164 set thread context of 1332  1164  kins_2.0.14.0.vir.exe   kins_2.0.14.0.vir.exe
  PID 1468 set thread context of 872   1468  SplitTest.exe           iexplore.exe
  PID 1468 set thread context of 660   1468  SplitTest.exe           SplitTest.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: kins_2.0.14.0.vir.exe
  description                   pid   process
  Token: SeSecurityPrivilege    1332  kins_2.0.14.0.vir.exe
  Token: SeSecurityPrivilege    1332  kins_2.0.14.0.vir.exe
Loads dropped DLL 2 IoCs
Processes: kins_2.0.14.0.vir.exe
  pid   process
  1332  kins_2.0.14.0.vir.exe
  1332  kins_2.0.14.0.vir.exe
Executes dropped EXE 2 IoCs
Processes: SplitTest.exe, SplitTest.exe
  pid   process
  1468  SplitTest.exe
  660   SplitTest.exe
Modifies system certificate store 3 IoCs
Processes: explorer.exe
  description       ioc                                                                                                                      process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118                                    explorer.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = [blob value not shown on the page]   explorer.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = [blob value not shown on the page]   explorer.exe
Checks whether UAC is enabled 1 IoCs
Processes: iexplore.exe
  description         ioc                                                                                     process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   iexplore.exe
UPX-packed memory regions (yara rule "upx") 4 IoCs
Processes: iexplore.exe (PIDs 844 and 872, the SetThreadContext targets above)
  resource                                                                      yara_rule
  behavioral1/memory/844-0-0x0000000000400000-0x0000000000444000-memory.dmp     upx
  behavioral1/memory/872-11-0x0000000000400000-0x0000000000AA4000-memory.dmp    upx
  behavioral1/memory/872-14-0x0000000000400000-0x0000000000AA4000-memory.dmp    upx
  behavioral1/memory/872-17-0x0000000000400000-0x0000000000AA4000-memory.dmp    upx
Modifies Internet Explorer settings 1 IoCs
Processes: iexplore.exe
  description   ioc                                                                                                    process
  Key created   \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main   iexplore.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: kins_2.0.14.0.vir.exe, SplitTest.exe, iexplore.exe
  pid   process
  1164  kins_2.0.14.0.vir.exe
  1468  SplitTest.exe
  872   iexplore.exe
  872   iexplore.exe
  872   iexplore.exe
  872   iexplore.exe
Suspicious use of WriteProcessMemory 79 IoCs
Processes: kins_2.0.14.0.vir.exe, kins_2.0.14.0.vir.exe, SplitTest.exe, SplitTest.exe
Rows visible on the page, grouped by writer and target (the signature header counts 79 writes in total):
  description                        pid   process                 target process          rows
  PID 1164 wrote to memory of 1328   1164  kins_2.0.14.0.vir.exe   iexplore.exe            4
  PID 1164 wrote to memory of 844    1164  kins_2.0.14.0.vir.exe   iexplore.exe            10
  PID 1164 wrote to memory of 1332   1164  kins_2.0.14.0.vir.exe   kins_2.0.14.0.vir.exe   15
  PID 1332 wrote to memory of 1468   1332  kins_2.0.14.0.vir.exe   SplitTest.exe           4
  PID 1468 wrote to memory of 872    1468  SplitTest.exe           iexplore.exe            11
  PID 1468 wrote to memory of 660    1468  SplitTest.exe           SplitTest.exe           15
  PID 1332 wrote to memory of 536    1332  kins_2.0.14.0.vir.exe   cmd.exe                 4
  PID 660 wrote to memory of 1104    660   SplitTest.exe           explorer.exe            1
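The SetThreadContext and WriteProcessMemory tables above only become readable once they are joined on (writer PID, target PID): a burst of writes followed by a SetThreadContext into a process with a different image is the RunPE / process-hollowing sequence, the same sequence into a fresh copy of the writer's own image is a re-launch of itself, and writes with no thread-context change are what a parent does to any child it has just created (command line, environment block) and are not evidence of injection on their own. The script below is an added example for this page, not the sandbox's code: it parses rows in the grammar the report uses, collapses them into edges, labels each edge with those heuristics and prints the resulting lineage. The SAMPLE_ROWS list is copied from the tables above with the repeated rows abbreviated, the row grammar is inferred from the page, and the labels are this example's own assumptions.

```python
"""Rebuild the injection chain from SetThreadContext / WriteProcessMemory signature rows.

Added example for this page.  Row grammar (assumed from the report):
    "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
    "PID <src> set thread context of <dst> <src> <src image> <dst image>"
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Rows copied from the report above; the repeated rows are abbreviated (constructed subset).
SAMPLE_ROWS = [
    "PID 1164 wrote to memory of 1328 1164 kins_2.0.14.0.vir.exe iexplore.exe",
    "PID 1164 wrote to memory of 1328 1164 kins_2.0.14.0.vir.exe iexplore.exe",
    "PID 1164 wrote to memory of 844 1164 kins_2.0.14.0.vir.exe iexplore.exe",
    "PID 1164 wrote to memory of 844 1164 kins_2.0.14.0.vir.exe iexplore.exe",
    "PID 1164 wrote to memory of 844 1164 kins_2.0.14.0.vir.exe iexplore.exe",
    "PID 1164 set thread context of 844 1164 kins_2.0.14.0.vir.exe iexplore.exe",
    "PID 1164 wrote to memory of 1332 1164 kins_2.0.14.0.vir.exe kins_2.0.14.0.vir.exe",
    "PID 1164 wrote to memory of 1332 1164 kins_2.0.14.0.vir.exe kins_2.0.14.0.vir.exe",
    "PID 1164 set thread context of 1332 1164 kins_2.0.14.0.vir.exe kins_2.0.14.0.vir.exe",
    "PID 1332 wrote to memory of 1468 1332 kins_2.0.14.0.vir.exe SplitTest.exe",
    "PID 1468 wrote to memory of 872 1468 SplitTest.exe iexplore.exe",
    "PID 1468 wrote to memory of 872 1468 SplitTest.exe iexplore.exe",
    "PID 1468 set thread context of 872 1468 SplitTest.exe iexplore.exe",
    "PID 1468 wrote to memory of 660 1468 SplitTest.exe SplitTest.exe",
    "PID 1468 wrote to memory of 660 1468 SplitTest.exe SplitTest.exe",
    "PID 1468 set thread context of 660 1468 SplitTest.exe SplitTest.exe",
    "PID 1332 wrote to memory of 536 1332 kins_2.0.14.0.vir.exe cmd.exe",
    "PID 660 wrote to memory of 1104 660 SplitTest.exe explorer.exe",
]


def parse_rows(rows):
    """Collapse rows into one edge per (writer pid, target pid) with per-verb counts."""
    edges = {}
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, {"src": m["src_img"], "dst": m["dst_img"], "writes": 0, "ctx": 0})
        edge["writes" if m["verb"].startswith("wrote") else "ctx"] += 1
    return edges


def classify(edges):
    """Heuristic label per edge (this example's own assumptions):
    hollowing        - writes plus SetThreadContext into a process with a different image
    self-reinjection - the same sequence into a fresh copy of the writer's own image
    write-only       - writes without SetThreadContext; a parent writing the command line and
                       environment into a child it just created looks exactly like this
    """
    labels = {}
    for key, e in edges.items():
        if e["ctx"] == 0:
            labels[key] = "write-only"
        elif e["src"].lower() == e["dst"].lower():
            labels[key] = "self-reinjection"
        else:
            labels[key] = "hollowing"
    return labels


def hollowed_hosts(edges):
    """Sorted, de-duplicated image names that received the hollowing sequence."""
    labels = classify(edges)
    return sorted({edges[k]["dst"] for k, lbl in labels.items() if lbl == "hollowing"})


def lineage(edges, root):
    """Depth-first walk of writer -> target edges from root: [(depth, pid, image), ...]."""
    children = defaultdict(list)
    images = {}
    for (src, dst), e in edges.items():
        children[src].append(dst)
        images[src] = e["src"]
        images[dst] = e["dst"]
    out = []

    def walk(pid, depth):
        out.append((depth, pid, images.get(pid, "?")))
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return out


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    labels = classify(edges)
    for depth, pid, image in lineage(edges, 1164):
        print("  " * depth + f"{pid} {image}")
    for (src, dst), lbl in sorted(labels.items()):
        e = edges[(src, dst)]
        print(f"{src} -> {dst} ({e['dst']}): {e['writes']} writes, {e['ctx']} SetThreadContext -> {lbl}")
```

Run against the abbreviated rows, the only hollowed image is iexplore.exe (PIDs 844 and 872, which is also where the UPX yara hits above land), both kins_2.0.14.0.vir.exe and SplitTest.exe re-inject a copy of themselves before doing so, and the cmd.exe and explorer.exe edges are write-only, consistent with plain CreateProcess bookkeeping for cmd.exe and leaving explorer.exe's role to be established from the registry writes it makes rather than from this table.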
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
  description        ioc                                                                                                                                                                                                                process
  Key created        \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run                                                                                                          explorer.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\SplitTest.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d5vrebxd.default-release\\crashes\\SplitTest.exe"   explorer.exe
Suspicious behavior: EnumeratesProcesses 284 IoCs
Processes: kins_2.0.14.0.vir.exe, SplitTest.exe, SplitTest.exe, explorer.exe
  pid   process
  1164  kins_2.0.14.0.vir.exe
  1468  SplitTest.exe
  660   SplitTest.exe (2 rows)
  1104  explorer.exe (every remaining row shown on the page)
Deletes itself 1 IoCs
Processes: cmd.exe
  pid   process
  536   cmd.exe
Processes
Indentation shows the parent/child tree; PIDs are taken from the signature tables above.

C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe  [PID 1164]
  command line: "C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Internet Explorer\iexplore.exe  [PID 1328 or 844]
    command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

  C:\Program Files (x86)\Internet Explorer\iexplore.exe  [PID 1328 or 844]
    command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

  C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe  [PID 1332]
    command line: "C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe  [PID 1468]
      command line: "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe"
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Internet Explorer\iexplore.exe  [PID 872]
        command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Checks whether UAC is enabled
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe  [PID 660]
        command line: "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - Suspicious behavior: EnumeratesProcesses

        C:\Windows\SysWOW64\explorer.exe  [PID 1104]
          command line: "C:\Windows\SysWOW64\explorer.exe"
          - Modifies system certificate store
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe  [PID 536]
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5cd49ced.bat"
      (the 32-bit parent asked for system32\cmd.exe; WOW64 file system redirection resolved it to SysWOW64)
      - Deletes itself
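Three things in this tree translate directly into host-side detections: a Run value whose target lives inside a Firefox profile's crashes directory (no legitimate autostart binary is installed there), the 32-bit C:\Windows\SysWOW64\explorer.exe being started by a process outside C:\Windows (the user's shell is the 64-bit C:\Windows\explorer.exe; a 32-bit dropper can only host its code in a 32-bit process), and a cmd.exe /c <Temp>\tmp*.bat launched by the dropper followed by the deletion of the dropper's own image. The explorer.exe writes under SystemCertificates\AuthRoot\Certificates are deliberately not turned into a rule here: CryptoAPI's automatic root update writes new roots to exactly that key whenever a process validates a chain whose root is not yet cached, so that line needs the certificate behind 6252DC40F71143A22FDE9EF7348E064251B18118 checked before it is read as trust-store tampering. The script below is an added example for this page, not the sandbox's signature code: it runs those three rules over constructed Sysmon-style events built from the paths and command lines shown above plus two benign control rows. The Sysmon field names and event IDs (Image, ParentImage, CommandLine, TargetObject, Details, TargetFilename; EventID 1, 13, 23) are real, while the allow-list of parents under C:\Windows and the tmp*.bat naming pattern are this example's assumptions.

```python
"""Detection logic for the persistence, injection-host and self-delete behaviours in this
report, run over constructed Sysmon-style events (added example; not real telemetry)."""
import re

SID = "S-1-5-21-1131729243-447456001-3632642222-1000"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe"
STAGE2 = r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\tmp5cd49ced.bat"
RUN_KEY = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events modelled on the process tree above.  EventID 1 = ProcessCreate,
# 13 = RegistryValueSet, 23 = FileDelete.  The last two rows are benign controls.
EVENTS = [
    {"EventID": 1, "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"' + DROPPER + '"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": DROPPER,
     "CommandLine": '"C:\\Windows\\system32\\cmd.exe" /c "' + BAT + '"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\explorer.exe", "ParentImage": STAGE2,
     "CommandLine": '"C:\\Windows\\SysWOW64\\explorer.exe"'},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\explorer.exe",
     "TargetObject": RUN_KEY + r"\SplitTest.exe", "Details": STAGE2},
    {"EventID": 23, "Image": r"C:\Windows\SysWOW64\cmd.exe", "TargetFilename": DROPPER},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c dir'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": RUN_KEY + r"\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
FIREFOX_PROFILE_RE = re.compile(r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", re.I)
# Assumed naming pattern for the self-delete script: <Temp>\tmp<hex>.bat, as in this report.
TEMP_BAT_RE = re.compile(r'/c\s+"?(?P<bat>[A-Z]:\\[^"]*\\AppData\\Local\\Temp\\tmp[0-9a-f]+\.bat)"?', re.I)


def run_value_in_browser_profile(ev):
    """Run-key value pointing into a Firefox profile directory."""
    return (ev["EventID"] == 13
            and RUN_KEY_RE.search(ev["TargetObject"]) is not None
            and FIREFOX_PROFILE_RE.search(ev.get("Details", "")) is not None)


def syswow64_explorer_host(ev):
    """32-bit explorer.exe started by a parent outside C:\\Windows (assumed allow-list)."""
    return (ev["EventID"] == 1
            and ev["Image"].lower() == r"c:\windows\syswow64\explorer.exe"
            and not ev["ParentImage"].lower().startswith("c:\\windows\\"))


def self_delete_via_bat(events):
    """cmd.exe /c <Temp>\\tmp*.bat spawned by X, later followed by a FileDelete of X's image."""
    hits = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 1 or not ev["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = TEMP_BAT_RE.search(ev.get("CommandLine", ""))
        if not m:
            continue
        parent = ev["ParentImage"]
        if any(later["EventID"] == 23 and later["TargetFilename"].lower() == parent.lower()
               for later in events[i + 1:]):
            hits.append((parent, m["bat"]))
    return hits


def run_detections(events):
    """Return a list of (rule name, evidence...) tuples for the event stream."""
    hits = []
    for ev in events:
        if run_value_in_browser_profile(ev):
            hits.append(("run_value_in_browser_profile", ev["TargetObject"], ev["Details"]))
        if syswow64_explorer_host(ev):
            hits.append(("syswow64_explorer_host", ev["ParentImage"]))
    for parent, bat in self_delete_via_bat(events):
        hits.append(("self_delete_via_bat", parent, bat))
    return hits


if __name__ == "__main__":
    for hit in run_detections(EVENTS):
        print(hit)
```

The self-delete rule is stateful on purpose: cmd.exe /c some.bat from a user-writable directory is common enough on its own, and the FileDelete of the parent's image is what turns it into the pattern seen here, so the rule requires both in order. On real telemetry the same three functions run unchanged over parsed Sysmon events, with the SID and profile name varying per host.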
Network

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
C:\Users\Admin\AppData\Local\Temp\tmp5cd49ced.bat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe
\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d5vrebxd.default-release\crashes\SplitTest.exe
memory/536-19-0x0000000000000000-mapping.dmp
memory/660-15-0x0000000000406F1E-mapping.dmp
memory/844-1-0x000000000040F750-mapping.dmp
memory/844-0-0x0000000000400000-0x0000000000444000-memory.dmp (272KB)
memory/872-11-0x0000000000400000-0x0000000000AA4000-memory.dmp (6.6MB)
memory/872-12-0x000000000040F750-mapping.dmp
memory/872-14-0x0000000000400000-0x0000000000AA4000-memory.dmp (6.6MB)
memory/872-17-0x0000000000400000-0x0000000000AA4000-memory.dmp (6.6MB)
memory/872-22-0x000000000040F750-mapping.dmp
memory/1104-20-0x0000000000000000-mapping.dmp
memory/1332-3-0x0000000000406F1E-mapping.dmp
memory/1332-2-0x0000000000400000-0x0000000001274000-memory.dmp (14.5MB)
memory/1332-4-0x0000000000400000-0x0000000001274000-memory.dmp (14.5MB)
memory/1468-7-0x0000000000000000-mapping.dmp