kinsing | 2853f32fb50ce7a2d0056a2cd0dc217a2d7b45c7a709fd1c86e12efdedac5c65

Analysis

max time kernel
102s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:33

Target

$PLUGINSDIR/LangDLL.dll
Size

5KB
MD5

a1cd3f159ef78d9ace162f067b544fd9
SHA1

72671fdf4bfeeb99b392685bf01081b4a0b3ae66
SHA256

47b9e251c9c90f43e3524965aecc07bd53c8e09c5b9f9862b44c306667e2b0b6
SHA512

ccc70166c7d7746cd42cd0cec322b2adf4a478ff67c35d465f0f0f5b2b369c996a95557b678c09cb21b8311d8a91eed4196ddc218ea7d510f81464669b911362
SSDEEP

48:apTVWFeApYx2lxaKe3yfeEIWCGWNpBWLGGrx3pMt4z8mtJ7HofYZVSLa:RFG0xaKkyfjIWTW7BYrhSbmtJ7/V

Score

10^/10

kinsing loader

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1264 4464 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1264	4464	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1204 wrote to memory of 4464	1204	rundll32.exe	rundll32.exe
PID 1204 wrote to memory of 4464	1204	rundll32.exe	rundll32.exe
PID 1204 wrote to memory of 4464	1204	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
2⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 600
3⤵
- Program crash
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 4464
1⤵
PID:3572