f696348658a9b89041b6bf9bdc9a3ae8f3799c5beee76e42dc81f096307c7847

General

Target

kins_2.0.14.0.vir.exe
Size

240KB
MD5

da99ec7cfb172928a845b5116765f498
SHA1

4298f9dd3e8ba80c05f6ab7a90001590d115918c
SHA256

f696348658a9b89041b6bf9bdc9a3ae8f3799c5beee76e42dc81f096307c7847
SHA512

58b865fcc05432f214e2023c4bc7a63c89cdcb761046bc825a2b50cbffc153cb3c79736b9658c5327f84c14f59bbf9251edbb85ae431cd23531e259009042e3f

Score

8^/10

upx spyware

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

kins_2.0.14.0.vir.exexulstore.exexulstore.exe

pid process

3236 kins_2.0.14.0.vir.exe
3236 kins_2.0.14.0.vir.exe
3820 xulstore.exe
3820 xulstore.exe
3616 xulstore.exe
3616 xulstore.exe
Executes dropped EXE 2 IoCs

Processes:

xulstore.exexulstore.exe

pid process

3820 xulstore.exe
3616 xulstore.exe

pid	process
3236	kins_2.0.14.0.vir.exe
3236	kins_2.0.14.0.vir.exe
3820	xulstore.exe
3820	xulstore.exe
3616	xulstore.exe
3616	xulstore.exe

pid	process
3820	xulstore.exe
3616	xulstore.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3448-0-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3448-3-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral2/memory/3448-4-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

kins_2.0.14.0.vir.exeiexplore.exexulstore.exe

pid process

3236 kins_2.0.14.0.vir.exe
3448 iexplore.exe
3448 iexplore.exe
3448 iexplore.exe
3448 iexplore.exe
3820 xulstore.exe

pid	process
3236	kins_2.0.14.0.vir.exe
3448	iexplore.exe
3448	iexplore.exe
3448	iexplore.exe
3448	iexplore.exe
3820	xulstore.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

kins_2.0.14.0.vir.exekins_2.0.14.0.vir.exexulstore.exexulstore.exe

description	pid	process	target process
PID 3236 wrote to memory of 3876	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3876	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3876	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3236 wrote to memory of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3364 wrote to memory of 3820	3364	kins_2.0.14.0.vir.exe	xulstore.exe
PID 3364 wrote to memory of 3820	3364	kins_2.0.14.0.vir.exe	xulstore.exe
PID 3364 wrote to memory of 3820	3364	kins_2.0.14.0.vir.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3820 wrote to memory of 3616	3820	xulstore.exe	xulstore.exe
PID 3364 wrote to memory of 4036	3364	kins_2.0.14.0.vir.exe	cmd.exe
PID 3364 wrote to memory of 4036	3364	kins_2.0.14.0.vir.exe	cmd.exe
PID 3364 wrote to memory of 4036	3364	kins_2.0.14.0.vir.exe	cmd.exe
PID 3616 wrote to memory of 4024	3616	xulstore.exe	explorer.exe
PID 3616 wrote to memory of 4024	3616	xulstore.exe	explorer.exe
PID 3616 wrote to memory of 4024	3616	xulstore.exe	explorer.exe
PID 3616 wrote to memory of 4024	3616	xulstore.exe	explorer.exe
PID 3616 wrote to memory of 4024	3616	xulstore.exe	explorer.exe
PID 3616 wrote to memory of 4024	3616	xulstore.exe	explorer.exe
PID 3616 wrote to memory of 4024	3616	xulstore.exe	explorer.exe
PID 3616 wrote to memory of 4024	3616	xulstore.exe	explorer.exe
PID 3616 wrote to memory of 4024	3616	xulstore.exe	explorer.exe
PID 3616 wrote to memory of 3448	3616	xulstore.exe	iexplore.exe
PID 3616 wrote to memory of 3448	3616	xulstore.exe	iexplore.exe
PID 3616 wrote to memory of 3448	3616	xulstore.exe	iexplore.exe
PID 3616 wrote to memory of 3448	3616	xulstore.exe	iexplore.exe
PID 3616 wrote to memory of 3448	3616	xulstore.exe	iexplore.exe
PID 3616 wrote to memory of 3448	3616	xulstore.exe	iexplore.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kins_2.0.14.0.vir.exexulstore.exe

description	pid	process	target process
PID 3236 set thread context of 3448	3236	kins_2.0.14.0.vir.exe	iexplore.exe
PID 3236 set thread context of 3364	3236	kins_2.0.14.0.vir.exe	kins_2.0.14.0.vir.exe
PID 3820 set thread context of 3616	3820	xulstore.exe	xulstore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kins_2.0.14.0.vir.exe

description pid process

Token: SeSecurityPrivilege 3364 kins_2.0.14.0.vir.exe
Token: SeSecurityPrivilege 3364 kins_2.0.14.0.vir.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks whether UAC is enabled 1 IoCs

Processes:

iexplore.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iexplore.exe

description	pid	process
Token: SeSecurityPrivilege	3364	kins_2.0.14.0.vir.exe
Token: SeSecurityPrivilege	3364	kins_2.0.14.0.vir.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3236

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:3876

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
PID:3448

C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\kins_2.0.14.0.vir.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3820

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe
"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
5⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6e768b0a.bat"
3⤵
PID:4036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6e768b0a.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0lj62mcv.default-release\storage\xulstore.exe

Download Submit
memory/3364-5-0x0000000000406F1E-mapping.dmp

Download
memory/3364-6-0x0000000000400000-0x0000000001274000-memory.dmp

Filesize
14.5MB

Download
memory/3364-2-0x0000000000400000-0x0000000001274000-memory.dmp

Filesize
14.5MB

Download
memory/3448-1-0x000000000040F750-mapping.dmp

Download
memory/3448-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3448-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3448-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3448-18-0x000000000040F750-mapping.dmp

Download
memory/3616-12-0x0000000000406F1E-mapping.dmp

Download
memory/3820-7-0x0000000000000000-mapping.dmp

Download
memory/4024-16-0x0000000000000000-mapping.dmp

Download
memory/4036-15-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads