Analysis
- max time kernel: 122s
- max time network: 117s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:33
- Static task: static1
- Behavioral task: behavioral1; Sample: kins_2.0.14.0.vir.exe; Resource: win7 (windows7_x64); 0 signatures; 0 seconds
General
- Target: kins_2.0.14.0.vir.exe
- Size: 240KB
- MD5: da99ec7cfb172928a845b5116765f498
- SHA1: 4298f9dd3e8ba80c05f6ab7a90001590d115918c
- SHA256: f696348658a9b89041b6bf9bdc9a3ae8f3799c5beee76e42dc81f096307c7847
- SHA512: 58b865fcc05432f214e2023c4bc7a63c89cdcb761046bc825a2b50cbffc153cb3c79736b9658c5327f84c14f59bbf9251edbb85ae431cd23531e259009042e3f
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid, process):
- 3236 kins_2.0.14.0.vir.exe
- 3236 kins_2.0.14.0.vir.exe
- 3820 xulstore.exe
- 3820 xulstore.exe
- 3616 xulstore.exe
- 3616 xulstore.exe
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 3820 xulstore.exe
- 3616 xulstore.exe
Processes (resource, yara_rule):
- behavioral2/memory/3448-0-0x0000000000400000-0x0000000000444000-memory.dmp: upx
- behavioral2/memory/3448-3-0x0000000000400000-0x0000000000444000-memory.dmp: upx
- behavioral2/memory/3448-4-0x0000000000400000-0x0000000000444000-memory.dmp: upx
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes (pid, process):
- 3236 kins_2.0.14.0.vir.exe
- 3448 iexplore.exe
- 3448 iexplore.exe
- 3448 iexplore.exe
- 3448 iexplore.exe
- 3820 xulstore.exe
Suspicious use of WriteProcessMemory (62 IoCs)
Processes (description, pid, process, target pid, target process; identical rows grouped, with the number of rows in parentheses):
- PID 3236 kins_2.0.14.0.vir.exe wrote to memory of 3876 iexplore.exe (3 rows)
- PID 3236 kins_2.0.14.0.vir.exe wrote to memory of 3448 iexplore.exe (12 rows)
- PID 3236 kins_2.0.14.0.vir.exe wrote to memory of 3364 kins_2.0.14.0.vir.exe (13 rows)
- PID 3364 kins_2.0.14.0.vir.exe wrote to memory of 3820 xulstore.exe (3 rows)
- PID 3820 xulstore.exe wrote to memory of 3616 xulstore.exe (13 rows)
- PID 3364 kins_2.0.14.0.vir.exe wrote to memory of 4036 cmd.exe (3 rows)
- PID 3616 xulstore.exe wrote to memory of 4024 explorer.exe (9 rows)
- PID 3616 xulstore.exe wrote to memory of 3448 iexplore.exe (6 rows)
Suspicious use of SetThreadContext (3 IoCs)
Processes (description, pid, process, target pid, target process):
- PID 3236 kins_2.0.14.0.vir.exe set thread context of 3448 iexplore.exe
- PID 3236 kins_2.0.14.0.vir.exe set thread context of 3364 kins_2.0.14.0.vir.exe
- PID 3820 xulstore.exe set thread context of 3616 xulstore.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeSecurityPrivilege, 3364 kins_2.0.14.0.vir.exe
- Token: SeSecurityPrivilege, 3364 kins_2.0.14.0.vir.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Checks whether UAC is enabled (1 IoC)
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, iexplore.exe
Processes (process tree; indentation shows parent/child depth, signatures listed under each process)
- C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 2)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 2)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - Suspicious use of SetWindowsHookEx
    - Checks whether UAC is enabled
  - C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\explorer.exe (depth 5)
          Command line: "C:\Windows\SysWOW64\explorer.exe"
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6e768b0a.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6e768b0a.bat
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe
- memory/3364-5-0x0000000000406F1E-mapping.dmp
- memory/3364-6-0x0000000000400000-0x0000000001274000-memory.dmp (Filesize: 14.5MB)
- memory/3364-2-0x0000000000400000-0x0000000001274000-memory.dmp (Filesize: 14.5MB)
- memory/3448-1-0x000000000040F750-mapping.dmp
- memory/3448-0-0x0000000000400000-0x0000000000444000-memory.dmp (Filesize: 272KB)
- memory/3448-4-0x0000000000400000-0x0000000000444000-memory.dmp (Filesize: 272KB)
- memory/3448-3-0x0000000000400000-0x0000000000444000-memory.dmp (Filesize: 272KB)
- memory/3448-18-0x000000000040F750-mapping.dmp
- memory/3616-12-0x0000000000406F1E-mapping.dmp
- memory/3820-7-0x0000000000000000-mapping.dmp
- memory/4024-16-0x0000000000000000-mapping.dmp
- memory/4036-15-0x0000000000000000-mapping.dmp