Overview

overview

10

Static

static

3

74f99f20fe...75.exe

windows7-x64

10

74f99f20fe...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2024 16:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74f99f20fec0194ccd0544ad42965175.exe

  • Size

    444KB

  • MD5

    74f99f20fec0194ccd0544ad42965175

  • SHA1

    0e6e236524c2ef02d74d25b8a686fdc660651285

  • SHA256

    d002e61eb33b500340e5cf915fa124b81263671d9586b76eb622ffb7c532f7a4

  • SHA512

    3d12018cb30870e9c1b1f9043dc347249eb24dd68cedf1df7af3142d5bf4be099fcd28717ad85ca8573fab392eb2aee19d8f6756a31c45709d611d0dff4fd826

  • SSDEEP

    6144:zH1mpm3rzOh6yetgGWnXmQ21thAzCnTWQm/zMIH+e/iRRGNEwy0Zn:TzOKtg2Z3TTWQ0H+LRRyD

Score
10/10
kinsingevasionloaderpersistence

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

    loaderkinsing
  • Modifies firewall policy service 2 TTPs 10 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74f99f20fec0194ccd0544ad42965175.exe
    "C:\Users\Admin\AppData\Local\Temp\74f99f20fec0194ccd0544ad42965175.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Users\Admin\AppData\Local\Temp\74f99f20fec0194ccd0544ad42965175.exe
      "C:\Users\Admin\AppData\Local\Temp\74f99f20fec0194ccd0544ad42965175.exe"
      2⤵
      • Adds policy Run key to start application
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4212
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bs.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1016
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bs.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:1268
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3240
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:4332
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\74f99f20fec0194ccd0544ad42965175.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\74f99f20fec0194ccd0544ad42965175.exe:*:Enabled:Windows Messanger" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3088
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\74f99f20fec0194ccd0544ad42965175.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\74f99f20fec0194ccd0544ad42965175.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:3196
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4140
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • Modifies firewall policy service
          • Modifies registry key
          PID:516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4212-2-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-4-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-8-0x00000000768E0000-0x00000000769D0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/4212-9-0x0000000075D70000-0x0000000075DEA000-memory.dmp
    Filesize

    488KB

    Download
  • memory/4212-10-0x0000000077306000-0x0000000077307000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4212-13-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-16-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-17-0x00000000768E0000-0x00000000769D0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/4212-18-0x0000000075D70000-0x0000000075DEA000-memory.dmp
    Filesize

    488KB

    Download
  • memory/4212-19-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-23-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-26-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-29-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-33-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-36-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-43-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-46-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-49-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-53-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4212-56-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download