kinsing | 200ebd86175e76e073681a8f19eb75587bd55ede404fea81adeacf8f5aaf6418

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:40

Target

2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
Size

5.0MB
MD5

75c428c607b56602db8b95d9dbc07292
SHA1

2ba839a0f0994bf5c2f1a70fe1049e34809041b8
SHA256

200ebd86175e76e073681a8f19eb75587bd55ede404fea81adeacf8f5aaf6418
SHA512

e52d711db13a01d480e601e371c590b29805e4c8065a7a374fc911b06659bb41ba7eaffce6b700353839a622d8bb0733f0996c62dfcdc57171404661466bb4ed
SSDEEP

98304:Z8cPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:Z8cPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3170) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

5084 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 1 IoCs

Processes:

2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5104 5084 WerFault.exe tasksche.exe

pid	process
5084	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe

pid	pid_target	process	target process
5104	5084	WerFault.exe	tasksche.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe

description	pid	process	target process
PID 3308 wrote to memory of 5084	3308	2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe	tasksche.exe
PID 3308 wrote to memory of 5084	3308	2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe	tasksche.exe
PID 3308 wrote to memory of 5084	3308	2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe	tasksche.exe

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 220
3⤵
- Program crash
PID:5104

C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe -m security
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5084 -ip 5084
1⤵
PID:3256

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\WINDOWS\tasksche.exe
Filesize
576KB

MD5
fb9c385ca5968070264bb75acef468ca

SHA1
57157f7d2acf7a56fe34f6c65437cf64f08405c4

SHA256
c62672bf0c2b4bceac25d08839901b9d4aa34bc60e3f8ce3882e95c1de9f6d3e

SHA512
62fcd3c0c17e9f0e05a2a16be22a036f4cb010b4f493254106a32741ddb33f5cdc15557f041d9c19bbaa93851d0063bee8eddc5c769997734eb953cec1f10850

Download Submit
C:\Windows\tasksche.exe
Filesize
717KB

MD5
0c9444e3ab4691a5f012b4111577967f

SHA1
5d650e6ce0b8b5fb0b5494a531c1d02c599c3098

SHA256
94d76611c9be7b5e7c6db2f183d8effeee288a043ed1210b299f9cafe74e71ea

SHA512
93e41d9a6f30a35630d42ee08fd5e3ea94c7136d819a87b97191964186c3334e21900e240690075f1fba723f534e16013bcd300364fe7c8ce334083664c4372e

Download Submit