Malware Analysis Report

2025-01-18 02:36

Sample ID 240125-s2ps6aager
Target 2024-01-25_760df6b23762ec89a0a36f2f2d528118_icedid
SHA256 64cbf853beeb55de54576b752151b4808ddee4d83020671ca0529b5ca2394dde
Tags
kinsing loader
score
10/10

Analysis Overview

score
10/10

SHA256

64cbf853beeb55de54576b752151b4808ddee4d83020671ca0529b5ca2394dde

Threat Level: Known bad

The file 2024-01-25_760df6b23762ec89a0a36f2f2d528118_icedid was found to be: Known bad.

Malicious Activity Summary

kinsing loader

Kinsing

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-25 15:37

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 15:37

Reported

2024-01-25 15:40

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_760df6b23762ec89a0a36f2f2d528118_icedid.exe"

Signatures

Executes dropped EXE

Description  Indicator  Process                            Target
N/A          N/A        C:\Program Files\Employ\boxes.exe  N/A

Drops file in Program Files directory

Description   Indicator                          Process                                                                                      Target
File created  C:\Program Files\Employ\boxes.exe  C:\Users\Admin\AppData\Local\Temp\2024-01-25_760df6b23762ec89a0a36f2f2d528118_icedid.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_760df6b23762ec89a0a36f2f2d528118_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_760df6b23762ec89a0a36f2f2d528118_icedid.exe"

C:\Program Files\Employ\boxes.exe

"C:\Program Files\Employ\boxes.exe" "33201"

Network

N/A

Files

C:\Program Files\Employ\boxes.exe

MD5 5fdc13302b2ff0c186dc08d47d4b90cf
SHA1 8005c186c31dca8b3b1931e6a7226b6395c491b6
SHA256 8dbae458bbb076a0a2697f01a4391ca0d3e02b0fae12bdfc206b77a64d121099
SHA512 d87a124f955f146b01b781c9edbca39eba2e54d0f95ef8837410739f106c23aabd5581f98930cb2230fbda72d87a998b714584d569f619487602a28484804a50

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 15:37

Reported

2024-01-25 15:40

Platform

win10v2004-20231215-en

Max time kernel

94s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_760df6b23762ec89a0a36f2f2d528118_icedid.exe"

Signatures

Kinsing

loader kinsing

Executes dropped EXE

Description  Indicator  Process                             Target
N/A          N/A        C:\Program Files\novice\errors.exe  N/A

Drops file in Program Files directory

Description   Indicator                           Process                                                                                      Target
File created  C:\Program Files\novice\errors.exe  C:\Users\Admin\AppData\Local\Temp\2024-01-25_760df6b23762ec89a0a36f2f2d528118_icedid.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_760df6b23762ec89a0a36f2f2d528118_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_760df6b23762ec89a0a36f2f2d528118_icedid.exe"

C:\Program Files\novice\errors.exe

"C:\Program Files\novice\errors.exe" "33201"

Network

Country  Destination          Domain                             Proto
US       8.8.8.8:53           133.211.185.52.in-addr.arpa        udp
US       8.8.8.8:53           179.178.17.96.in-addr.arpa         udp
NL       52.142.223.178:80                                       tcp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa        udp
US       8.8.8.8:53           3.181.190.20.in-addr.arpa          udp
US       8.8.8.8:53           104.219.191.52.in-addr.arpa        udp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa         udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa         udp
US       8.8.8.8:53           23.160.77.104.in-addr.arpa         udp
US       8.8.8.8:53           217.106.137.52.in-addr.arpa        udp
US       8.8.8.8:53           190.178.17.96.in-addr.arpa         udp
US       8.8.8.8:53           23.236.111.52.in-addr.arpa         udp
US       8.8.8.8:53           209.178.17.96.in-addr.arpa         udp

Files

C:\Program Files\novice\errors.exe

MD5 22eacb102ac617f45f1a201f372018a6
SHA1 1f15141810f9570fb8f7b8db37eae0c016831c13
SHA256 2abef9dda0be117146e8d46fd1ce0117a00bb83bbf0b4bd3c3f212d1745b3c1d
SHA512 0a5eba2ec59bfcc5d9830953404e205679a5732fc0c6687bd64a36443d20d2ce6fbdf930313767f2d25f24c1120ffbb4ee00426c37dcc9c21662b78d99ecc93f