kinsing | b593fc0998d4370219b198230d3118d40ddc85c33f8cea5def5f9508b0b2759c

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:40

Target

74fda5d3ad7f7daef1234472e16eb0ce.exe
Size

56KB
MD5

74fda5d3ad7f7daef1234472e16eb0ce
SHA1

29a0c05df54c780cb639ad4e53ad7ceaf4844ad1
SHA256

b593fc0998d4370219b198230d3118d40ddc85c33f8cea5def5f9508b0b2759c
SHA512

d9b956eef93e743c413e9df0964a2a97f2f22c6c61b4759222348770edaffa4c462f0aebfc72318edafa6ffd168940fa514c1b08923a031c897142c0815818e2
SSDEEP

768:vCru/f9Iw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpRiTWNReOO8:71Tzy48untU8fOMEI3jyYfPiuO8

Score

10^/10

kinsing loader

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

74fda5d3ad7f7daef1234472e16eb0ce.execmd.exeiexpress.exe

description	pid	process	target process
PID 2924 wrote to memory of 2328	2924	74fda5d3ad7f7daef1234472e16eb0ce.exe	cmd.exe
PID 2924 wrote to memory of 2328	2924	74fda5d3ad7f7daef1234472e16eb0ce.exe	cmd.exe
PID 2924 wrote to memory of 2328	2924	74fda5d3ad7f7daef1234472e16eb0ce.exe	cmd.exe
PID 2328 wrote to memory of 4476	2328	cmd.exe	iexpress.exe
PID 2328 wrote to memory of 4476	2328	cmd.exe	iexpress.exe
PID 2328 wrote to memory of 4476	2328	cmd.exe	iexpress.exe
PID 4476 wrote to memory of 396	4476	iexpress.exe	makecab.exe
PID 4476 wrote to memory of 396	4476	iexpress.exe	makecab.exe
PID 4476 wrote to memory of 396	4476	iexpress.exe	makecab.exe

C:\Users\Admin\AppData\Local\Temp\74fda5d3ad7f7daef1234472e16eb0ce.exe
"C:\Users\Admin\AppData\Local\Temp\74fda5d3ad7f7daef1234472e16eb0ce.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3B15.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\74fda5d3ad7f7daef1234472e16eb0ce.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\iexpress.exe
iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
3⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\makecab.exe
C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
1⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\3B15.tmp\1.bat
Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed
Filesize
57KB

MD5
92ebb22e9292b7e349906f9f52793572

SHA1
88c6c3af5dfe635bee512c0c7449d3fe8cfaac7a

SHA256
a7327daaf38f890de476a76eb398ab92a87df2d2ff0c4be8c1e74d14ebfc0670

SHA512
883d6514dafb93cf7d4982d947683f87056854368cd248a54be6806c4de5e588e533785efe34a0cacfd35837512fbd75b134e7fc1808131c7f675a5b5ed66a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF
Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit