kinsing | 54e044b77d423736ae6761114a3bc858e62a905733ad4abcf6f20462fe87af6c

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:31

Target

74f98fecd901c14d18d495efd582137a.exe
Size

39KB
MD5

74f98fecd901c14d18d495efd582137a
SHA1

899f84b87b300a09c4a86f7ab7758747b51cb676
SHA256

54e044b77d423736ae6761114a3bc858e62a905733ad4abcf6f20462fe87af6c
SHA512

c8541479d86a4db6b95dd9305eccc34b1782a2c82edbc22d321f1590ed6c6b3ca0a7b65bbca0a5e0fd9518831ba9f60d119beea7f91cd7c6d236f764b248aacb
SSDEEP

768:w1uIb84HoQRZ4AYIvPZeRYvfn/aT8Y2IeKVszaQeEg49HHAs:TI8CBT0CZeRy/S/2I7Vs2JE5

Score

10^/10

kinsing loader

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Executes dropped EXE 1 IoCs

Processes:

nlks.exe

pid process

4904 nlks.exe
Drops file in System32 directory 1 IoCs

Processes:

nlks.exe

description ioc process

File created C:\Windows\SysWOW64\map\88X600.nmp nlks.exe
Drops file in Program Files directory 1 IoCs

Processes:

74f98fecd901c14d18d495efd582137a.exe

description ioc process

File created \??\c:\Program Files\Internet Explorer\nlks.exe 74f98fecd901c14d18d495efd582137a.exe

pid	process
4904	nlks.exe

description	ioc	process
File created	C:\Windows\SysWOW64\map\88X600.nmp	nlks.exe

description	ioc	process
File created	\??\c:\Program Files\Internet Explorer\nlks.exe	74f98fecd901c14d18d495efd582137a.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

74f98fecd901c14d18d495efd582137a.exe

description	pid	process	target process
PID 4424 wrote to memory of 4904	4424	74f98fecd901c14d18d495efd582137a.exe	nlks.exe
PID 4424 wrote to memory of 4904	4424	74f98fecd901c14d18d495efd582137a.exe	nlks.exe
PID 4424 wrote to memory of 4904	4424	74f98fecd901c14d18d495efd582137a.exe	nlks.exe
PID 4424 wrote to memory of 4560	4424	74f98fecd901c14d18d495efd582137a.exe	cmd.exe
PID 4424 wrote to memory of 4560	4424	74f98fecd901c14d18d495efd582137a.exe	cmd.exe
PID 4424 wrote to memory of 4560	4424	74f98fecd901c14d18d495efd582137a.exe	cmd.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Deleteme.bat
2⤵
PID:4560

C:\Program Files\Internet Explorer\nlks.exe
Filesize
87KB

MD5
209092027d99d5c3eec9ad6076d582ab

SHA1
9a70b7bde31652593a1febda34c27449f5ec16f6

SHA256
6f82a875287b733f4243c5e22787062599f0782856f6b6130c73924c42b78fdc

SHA512
e08983f712d4eb5098bb0855d220e280960c0fa9ddabd1e777e81e741dc851f0a235ea7601c0e75543c9f3adca0d74caaf571e1c76a79d624fac7216fcc4e2e1

Download Submit
\??\c:\Deleteme.bat
Filesize
184B

MD5
2a948407291ce23a9eaf45c4fe112e12

SHA1
c89464624237c2e0a1bb58178e0fa6c05d936124

SHA256
61ba0c4bfed93cffa19174f01039c90ae325c3ed3a02e05e459aa1c18ea9f6e7

SHA512
8b48d062366bc4028156eb7267036c75d13d112a744840e6e0ebb83e1994e1566e7d60f910aeecfaa57d42c6542621fdfe7140bf046697de3709c4caa78a515f

Download Submit
memory/4424-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4904-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download