Analysis
-
max time kernel
511s -
max time network
575s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25-01-2024 15:35
General
-
Target
http://135.181.253.8:8181/
Malware Config
Signatures
-
Kinsing
Kinsing is a loader written in Golang.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://135.181.253.8:8181/"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://135.181.253.8:8181/2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.0.1033516489\1024659486" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc9a1d2b-a405-4e51-a078-6e7050c2edd9} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 1960 209aa8cfe58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.1.2031296432\289011891" -parentBuildID 20221007134813 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c28785d3-9743-4432-a306-8a01ac4c4ca0} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 2384 209aa7fba58 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.2.986489504\797816263" -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 2768 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6daf08b2-aaf2-465f-be71-e9d3b5599599} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 3124 209ae7eed58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.3.218274467\999066734" -childID 2 -isForBrowser -prefsHandle 3792 -prefMapHandle 3788 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87d6d66c-85ee-4d8b-92e6-a09eb8724f3a} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 3800 2099e061f58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.4.1304692078\1912039833" -childID 3 -isForBrowser -prefsHandle 5076 -prefMapHandle 5072 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48f6c3f1-ca48-41c9-ab19-c0f069ab2591} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 5084 209ad4f8758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.6.420135242\1372216307" -childID 5 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3be35a07-0440-40ec-a856-57c6609071f8} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 5388 209b1160f58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3580.5.808535257\1909183392" -childID 4 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1136 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7dba9d4-91c4-444f-a6a2-e7e17a414a84} 3580 "\\.\pipe\gecko-crash-server-pipe.3580" 5188 209b1160058 tab3⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\cache2\entries\77FB5EE92C576E2505C8C9FF2EC417D7727F401EFilesize
13KB
MD5db3c03f8831f424982f6d40b1fbcf384
SHA1485ebea39265b40fb0fb2222cd3ed1ee37bd9048
SHA2566bd0b03afb9383abcaa55aa1028df236570ed6becf1aad08dcc3d02e50a1a251
SHA512189c886b4b4771fcccb0becc9282bdde0cdfc33367dcdf8b6617260b03488a700eec20f7d143debd071e61ec9ec0663ac43521065d20d8c91705ae33e4b3c422
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-msFilesize
7KB
MD565c8c3365a0377b7791d625a61025511
SHA1c8652bd7a9b2c43f3d28fe40d158a5b6abf7758e
SHA2560a48de41bd048ca956199011d93ac4181c6478a6d103502370a3ed80a442ac25
SHA512a7dedf57655302b6fb9194d8409e0fe54e3677a10369bd14a36f4cdd37d3ddfad9df125984242fbb235a5ac0e3c2eff0c202a274ca77f1625d26b3a6e86d484b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\addonStartup.json.lz4Filesize
5KB
MD51d35995895f11861bd422dbf10a4e5a9
SHA163f24fe9829ad9f44781bd2e80911335ff2eb1ec
SHA256f68fc04a19df48f4fdb462f397ec07fa8ee87c1427f3364f73a18366b0eb0671
SHA512fa98d820c82d0c6296b5beeaead8de414baa835bf4fc20e78ddaadbc71b4c24b28e0350de23eac49964c6be10e3502b89de0a96a501ea5c6a73feb00075c5c34
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\bookmarkbackups\bookmarks-2024-01-25_11_WJsgnGze+smyG0IyeXPCeg==.jsonlz4Filesize
942B
MD5990a779e41ef21495a18baa1cd6c9d59
SHA17a627193f490947a0c201138915126c325d4b997
SHA25663fb4e23fcd9028d79aa2ff0e2dadb6754e459b8272275686da3a6c323370de8
SHA512309c98a8b8fed798edbe48cb2cb039a182e86c8e70ad658a6feee43cba3544d850c925564c089795959f6f3fa166ef80b2d1744aeba776a30fc4523502461edb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\broadcast-listeners.jsonFilesize
216B
MD50eb561fcdf12fb4c782d1e4168d8979b
SHA10b213fd9bff9b7803a998cbf714e5bf093d356b7
SHA2566364bcffdba49f7b89d7d9f856b1fbedb9dbecd805b65d6e3974bb2cb35520ef
SHA51214de905d564dd3b9d1183d091bbd2500505a663d8333d09fb0beabb863dc5768d7e6a06182cb4571ed3b2ed8c6e87e33532bafcc1c7d7c29f38576410af3cb25
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\datareporting\glean\db\data.safe.binFilesize
2KB
MD502e6a15fbca197ac28348f761edb6cd8
SHA17607d2053ce810836b654654fa3486c9078c3237
SHA2564236c9be703039ed178fdb02d8b2e7a30f1d590890e9cd45d0a3cc21b8a6a920
SHA51204aa2babf781bf2a578754498afb8c0a4ed590b1d32b2782d823f11b80424c3e432c68af21889eb006b22a3b1dd924892e357404a3ad4e2babe5caadc2d6710d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\datareporting\glean\pending_pings\0d52a527-f70a-4266-9964-9eda984c709dFilesize
11KB
MD58f83a7b08460e4cc9e4cc494517dbb96
SHA154083d3fc2460b771cce0087610198d19f974f52
SHA256b1a2284a330380c6aed90ae82449f7501d5ba2143c002ca32831a0c2d433766c
SHA512b1172bb8063f82ceba1e3a1445fe1a8cbc56c516fca286fb92fa5fba0f0c4d89182db6c933a6dc17694bae3a276b2688de4f67537a03b9cf8a7a4e1f97e26214
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\datareporting\glean\pending_pings\1ec6ae9c-2eb6-48d4-8151-68221ba58960Filesize
746B
MD56b1b78595721e3c8f3c8a9c1300f4d0f
SHA1092f6fbfe75f57886b321655a04eb8775d9dc726
SHA256150f31b800d865b48f283318b06dcd3e3bf23972fe8095db99aa554e47bdae58
SHA5124d3492b95b0d769e86b20572da54ec0e9654e9a1a0a5967a96bb84090336642e6c93288caad6fc1e1f48dda73424211235e0b1354d8a0096ad54165b04e09b9b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txtFilesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\gmp-widevinecdm\4.10.2557.0\manifest.jsonFilesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dllFilesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.libFilesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sigFilesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\prefs-1.jsFilesize
9KB
MD58ee72da697afa560ab2a77656deaa866
SHA18887e77f9ea71e07bf2d04be4434688a787b37c4
SHA2563ec63df74237e5689bb7bdc622f5971abab7cf1e88f21435b3e7c7b6e5380922
SHA51262629ea1b5729d98bbbda94c218a22fdb057b9512196dabf79c3b93c63fb1782df5c24d3053b9a06ff9663045863c3f23fa62d71def51cb9e5e858245aa6d6ea
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\prefs-1.jsFilesize
10KB
MD59d632ec9e7debd136a7ad2fcf63be93b
SHA12d087c33495123f2c700bfca087835dd0702e468
SHA25698532a684c797ddb1229a65f0f1d6b61b5a5ac5362eb3632c990c9fecfd8476e
SHA51296b73ae31d3b33acc2711299f76d8bcd6810d7e489f8a39486de6228a7a145478b616c4760d5cb66ecc261065eaec304640726bcfb7d57a11eec524903570b94
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\prefs-1.jsFilesize
7KB
MD5b602d547a0479aeab05fb10046caa92d
SHA17aa3464193ded878215798e739425344c0b08f7b
SHA256ec3a1a90db2795a707f22238f6758fcacca6a3cfaf9628cf7d4d8b830c11b215
SHA5121280cfb14838ac06c05f6df962f03a236ccb84c76c4e153ec4ae9960a1db8de364a438d756c0b54b11296f1068549e61c3fbcf4f1bbbad6888e753980080c9da
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\prefs-1.jsFilesize
10KB
MD59685367af57565fc62d7dcb771b072c9
SHA1bcf7b08eb9edcb9aedd21b57f18a157ae6bbe882
SHA256f98a98be3919f875b25dd57c0f12c7576913ef173a1bd0784b49b6f880acbcec
SHA512e7d86cfee72949e15636e5e87f71a769debc2f89d73da97d54be0df804c54f590b9efb649098d5b2527664d3a972060f20f579c28b25d179af21e409100f5c7a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\prefs.jsFilesize
6KB
MD5ebaa5ac73b537d9cc7277ebc95df4b63
SHA1809871dd257b417ac8e2177336a923d83ebf69ce
SHA2569b47cba29ceb1fc54c2dccdebac4244fd49145f7430340a2d87180cd50f1aae9
SHA5123c420cbd2b803fa7fb53b879ba89adeaaca2ec0faeb625e479051964bcbbbdc535a5777dea4048ccc0f3b4e5a71c723c52e8f9b4ecb96a0236679c7a35e972fd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\sessionCheckpoints.jsonFilesize
90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD513d375f830915d19d64df342de361c4b
SHA131c54a28f7e9fd7a3ecee0f684cf67175044827a
SHA256cb09f7704061ac06ad775b6696e17c0649b471fe16ce5423d38721bbb22f6505
SHA512564c7a9301000f2e0da5529d736f1e349039174aafa131d8aa482bf709d88a734ba495cb2a3ef50de95a983a9bd984ed11d38b89ac40d6437483b2eb7d976b3c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
384KB
MD587d3fcc27350bd3a1db71c0267824bbd
SHA1ff83147688280a4aea226c3ad58381d3860cf456
SHA2562a475877743738d17b8fd15a6589d8a57a0c114252e69f2247138ed293c22a56
SHA512847fa7131fe06e0acb4d9185d8bbf19b4db60ddc56caaf82d9e5464446cbd104600272056e8211d85cc0517df1944bb209e65086806cf9088e799318c06fe1c0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
184KB
MD51bd251010f40d2f9a5248de5ec953dab
SHA12dff8cfcfdf1f8e14436d997340b1616740f0550
SHA2567f51459d68c89983c9b5327a3cb9e45fc003f403f9696eb8d0e0eba62114f3af
SHA5129cabef3298a8c9226534025a2be52fa935e69d5320deb0b1a9f8ed509b19ecbe2272f32e0ec539fc50f8bf7f6d40ae5daf6c37a2cf38ce6bdf46cf5bfb94c28d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\targeting.snapshot.jsonFilesize
3KB
MD5685386d63e9d838d998b07078cc4c044
SHA1ec0161265ca08f2ae5aab0d54671f12165182f9d
SHA256d7cd494a54beb8dccf03abf6076155f8534bf524abb8b25f17ff4cb53f5644d8
SHA512afec97e7ba7dbbf8cbec46a99c2c7a0ec0bcf4f39e01b9934c46bcd4f1a8408e8420832459db67715a1a7840539ef57588798e25ebda4a3fb145e3c1f62bdcaf