kinsing | 69f40c2f6a4540550f934e0b2f9a354629d3835b30fd13293c2f6a6b97202159

General

Target

SecuriteInfo.com.Heur.25589.9954.xls
Size

275KB
MD5

e108b870cba8e39e516076ca3989372b
SHA1

439fd0bdcf0319994f9b91f28d4f2b2a5bde0874
SHA256

69f40c2f6a4540550f934e0b2f9a354629d3835b30fd13293c2f6a6b97202159
SHA512

710235888d211b49f89d97d2cd32a7ac47922cbe421a3eb0fbb7f50a2b5f2e46236a6b64843cf29e6163c32798b48f46b6e1fca318f8cfc04045f00bf30d244a
SSDEEP

6144:5kunhVY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVLOMI2n1WbMS5Fuhix2c:5tC3bVLOMIg9Y

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2404 EXCEL.EXE
3972 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 3972 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

2404 EXCEL.EXE
2404 EXCEL.EXE

description	pid	process
Token: SeAuditPrivilege	3972	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
2404	EXCEL.EXE
3972	WINWORD.EXE
3972	WINWORD.EXE
3972	WINWORD.EXE
3972	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3972 wrote to memory of 1504	3972	WINWORD.EXE	splwow64.exe
PID 3972 wrote to memory of 1504	3972	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25589.9954.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2404

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E9B5A4E0-ED79-46E4-8E73-AE1F762303E5
Filesize
159KB

MD5
ebca3b598072acd15798671b9e822f38

SHA1
81900a90f4bbc5ddb6175637a4095887b4e3dc67

SHA256
8bf6a4b8696ea7a8cdcbe6a82a86d31fd895b9e3467854302c0d2d140fabc460

SHA512
be0d8c17c4c28d90a106f224e2e392adbc9d8417156f0006c51db275a76e3bd6b43961ba83bfed0f64ac9d80d8e70d25bd20f3726d4555486966a6395c1929f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
23d1dfd2e95276d834ffcd63a798022d

SHA1
83cef1d1c4f10345e21cf407ed9de0caf1bea77c

SHA256
97a698b4e58240e8a4d536800cad3f5d482d020066deb7e40ae8be757002c51b

SHA512
0a4fa64887ae79ec6cf73beaa322e55cbf631b46a1a1b53b33d3f097bf4587e7d52813556a36ad8396bfcddcf205a97894f95f33975b3f8a2e4e922af6a38058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
9c544020ac724f8a3dc1e8c5e4d834dc

SHA1
1a0745fc237e089d3c847889de060c5e4e243490

SHA256
f66cc54d343aea7d61ba3fd7ca0d8b8c7100aa3f84c68cd9a69a4c3b7232c4dc

SHA512
7021dd8de6fdf2b677ee36761aca2096988dbc0852deeda98ab744726de72b99d3e46b7e3847fbe5724e9efe9d09ab34fc17b8567584f20593792b5b93257504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\vnextofficeupdationwaitingfortheentireprocesstocompleteandimprovethethecnonologyfornew[1].doc
Filesize
65KB

MD5
869dc88123916a7193c56809db6b5e97

SHA1
fb285a3be57ea12e4884152c9542dbcc4b3d1b6d

SHA256
d144a111d023b667aa6a2f56af76323943ae9553b6629afe91131dfd2d5f2e0b

SHA512
67bd25e403c355090ad1db59f9f15426595c7c70ab77d85cb3678bfac5c939f4a3f72d6caf713dd2ca8f2df4f8f908f190940c2035afd5efbf9e6916f52f2081

Download Submit
memory/2404-41-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/2404-1-0x00007FFB298D0000-0x00007FFB298E0000-memory.dmp

Filesize
64KB

Download
memory/2404-7-0x00007FFB298D0000-0x00007FFB298E0000-memory.dmp

Filesize
64KB

Download
memory/2404-6-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/2404-8-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/2404-9-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/2404-10-0x00007FFB273D0000-0x00007FFB273E0000-memory.dmp

Filesize
64KB

Download
memory/2404-11-0x00007FFB273D0000-0x00007FFB273E0000-memory.dmp

Filesize
64KB

Download
memory/2404-2-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/2404-46-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/2404-44-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/2404-43-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/2404-0-0x00007FFB298D0000-0x00007FFB298E0000-memory.dmp

Filesize
64KB

Download
memory/2404-5-0x00007FFB298D0000-0x00007FFB298E0000-memory.dmp

Filesize
64KB

Download
memory/2404-4-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/2404-3-0x00007FFB298D0000-0x00007FFB298E0000-memory.dmp

Filesize
64KB

Download
memory/3972-31-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/3972-30-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/3972-27-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/3972-28-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/3972-24-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/3972-25-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/3972-52-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download
memory/3972-53-0x00007FFB69850000-0x00007FFB69A45000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads