kinsing | 8480d4458deba8783d8fe333a237d054912f32db57bfb3cf9d8a3a8eec82fcba

Analysis

max time kernel
89s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74fa6cc9bd0b8114c1ae4114c5b791fd.exe
Size

72KB
MD5

74fa6cc9bd0b8114c1ae4114c5b791fd
SHA1

5de7dca6672143effef4f155e6b7b495aa8ff324
SHA256

8480d4458deba8783d8fe333a237d054912f32db57bfb3cf9d8a3a8eec82fcba
SHA512

d20901ff775b043e338b6e03ec210879ed65e264465bf27fc425a5a47ce31c0e49ad9ccbd68a02a4b7145b0b853a0ffdff9f03d70bd4ce8d4afbc318515dd7cb
SSDEEP

768:/xOF7BDPn/w/27buebsN8x/CSPEEUyxwczwFj:/wF1Lw/2GebY8kSsEUg6j

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Executes dropped EXE 1 IoCs

Processes:

winUpdate32Login.exe

pid process

784 winUpdate32Login.exe

pid	process
784	winUpdate32Login.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winUpdate32Login.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winUpdateStngs = "C:\\Windows\\winUpdate32Login.exe"	winUpdate32Login.exe

Drops file in Windows directory 1 IoCs

Processes:

74fa6cc9bd0b8114c1ae4114c5b791fd.exe

description ioc process

File opened for modification C:\Windows\winUpdate32Login.exe 74fa6cc9bd0b8114c1ae4114c5b791fd.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

74fa6cc9bd0b8114c1ae4114c5b791fd.exewinUpdate32Login.exe

pid process

2876 74fa6cc9bd0b8114c1ae4114c5b791fd.exe
784 winUpdate32Login.exe

description	ioc	process
File opened for modification	C:\Windows\winUpdate32Login.exe	74fa6cc9bd0b8114c1ae4114c5b791fd.exe

pid	process
2876	74fa6cc9bd0b8114c1ae4114c5b791fd.exe
784	winUpdate32Login.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

74fa6cc9bd0b8114c1ae4114c5b791fd.exe

description	pid	process	target process
PID 2876 wrote to memory of 784	2876	74fa6cc9bd0b8114c1ae4114c5b791fd.exe	winUpdate32Login.exe
PID 2876 wrote to memory of 784	2876	74fa6cc9bd0b8114c1ae4114c5b791fd.exe	winUpdate32Login.exe
PID 2876 wrote to memory of 784	2876	74fa6cc9bd0b8114c1ae4114c5b791fd.exe	winUpdate32Login.exe

C:\Users\Admin\AppData\Local\Temp\74fa6cc9bd0b8114c1ae4114c5b791fd.exe
"C:\Users\Admin\AppData\Local\Temp\74fa6cc9bd0b8114c1ae4114c5b791fd.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\winUpdate32Login.exe
C:\Windows\winUpdate32Login.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\winUpdate32Login.exe
Filesize
40KB

MD5
02af082939dd0dc7e2c5e7e446186158

SHA1
3f55312e34d7e1d9366df8225dcea1b7339d52a0

SHA256
60b1d0955a58b7f83856b9a8b4f83402ad873b3ad3be0a78860a8e1f76ac91dc

SHA512
c517480c70b5dd583322de4f2bdb60865ff07b8fd78f0afd50109fadc9386da13b0277ac4b0e7b455c4fe4effee19f7be7c5a720e9e043e6dc44054c858b9c3d

Download Submit