kinsing | 97b65be6c46ad9e28f291b309753b7ab90af2e9e5f7009b1248abcddfc285008

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe
Size

39KB
MD5

53e97dd5c4e5d82ab023e6aa7045487e
SHA1

9d0f007c030a37c40dfeb9f895477ca031d1f82c
SHA256

97b65be6c46ad9e28f291b309753b7ab90af2e9e5f7009b1248abcddfc285008
SHA512

55a24f91b015c4374b8db4bae78f17dbea161a80c1f9ffff04821c80e95bafdf270157c2a5d7fd395aed3871a41800dd21a4470aa5ee3bbf9f47bcbe97992900
SSDEEP

768:bgX4zYcgTEu6QOaryfjqDDw3sCu5b+qZw7pM:bgGYcA/53GADw8ClqZw7pM

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hasfj.exe	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe

Executes dropped EXE 1 IoCs

Processes:

hasfj.exe

pid process

3608 hasfj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3608	hasfj.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe

description	pid	process	target process
PID 1588 wrote to memory of 3608	1588	2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe	hasfj.exe
PID 1588 wrote to memory of 3608	1588	2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe	hasfj.exe
PID 1588 wrote to memory of 3608	1588	2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe	hasfj.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_53e97dd5c4e5d82ab023e6aa7045487e_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\hasfj.exe
"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
2⤵
- Executes dropped EXE
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe
Filesize
39KB

MD5
79d4f336c64449c2fcf225ee3a73b9ee

SHA1
e20a603fe363a6061b05c5a6c22cf1b51be7b69b

SHA256
c492f4c4ceed311a602dbe5bba80664e1dd76c4e572ef014294f6c4ef4f58c32

SHA512
f94530dab1d5c64bc9ec988cfcb4bd63ed52ca2e44ddf94ddf43daf6cab9e093f709df2359aa0a462ee3024f01ee960a95cf96ad1bf4441783b707b980c88fe5

Download Submit
memory/1588-0-0x00000000022D0000-0x00000000022D6000-memory.dmp

Filesize
24KB

Download
memory/1588-2-0x0000000002300000-0x0000000002306000-memory.dmp

Filesize
24KB

Download
memory/1588-1-0x00000000022D0000-0x00000000022D6000-memory.dmp

Filesize
24KB

Download
memory/3608-18-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/3608-17-0x0000000002140000-0x0000000002146000-memory.dmp

Filesize
24KB

Download