kinsing | dd869415613ab9aea2599927c23572bcefd9466af5a69f8f6ab239dc2f6c84bb

General

Target

74ff7e7adc7c3926e45143fe7ee1ba07.xls
Size

36KB
MD5

74ff7e7adc7c3926e45143fe7ee1ba07
SHA1

04f0cc8f411db9545e825ce05218ea91b00c48ba
SHA256

dd869415613ab9aea2599927c23572bcefd9466af5a69f8f6ab239dc2f6c84bb
SHA512

f56de18c85d60649b10fa3c444713a049faa9ab6e99162fe357cd6ffae17e0e8b550b5b57fae889ca3059a94299fc7a27ae3b2e415f291c691eb4a90842ea69a
SSDEEP

768:APqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJnGbm5+LlQqKqTD:Mok3hbdlylKsgqopeJBWhZFGkE+cL2Nr

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3372	1564	explorer.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings explorer.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1564 EXCEL.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

EXCEL.EXE

pid process

1564 EXCEL.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXE

pid process

1564 EXCEL.EXE
1564 EXCEL.EXE
1564 EXCEL.EXE
1564 EXCEL.EXE
1564 EXCEL.EXE
1564 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	explorer.exe

pid	process
1564	EXCEL.EXE

pid	process
1564	EXCEL.EXE

pid	process
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE
1564	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXEexplorer.exe

description	pid	process	target process
PID 1564 wrote to memory of 3372	1564	EXCEL.EXE	explorer.exe
PID 1564 wrote to memory of 3372	1564	EXCEL.EXE	explorer.exe
PID 5064 wrote to memory of 4956	5064	explorer.exe	WScript.exe
PID 5064 wrote to memory of 4956	5064	explorer.exe	WScript.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\74ff7e7adc7c3926e45143fe7ee1ba07.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Public\Documents\BRxTLnc.vbs
  2⤵
  - Process spawned unexpected child process
  PID:3372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\BRxTLnc.vbs"
  2⤵
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\BRxTLnc.vbs

Filesize
553B

MD5
6be146c0e044d61af5ca64a56b59c2f6

SHA1
b308cfcd77e68c37a1e3c5ecffeb30821edbaa37

SHA256
6bcbe5ade82a1f4e29ffa55db55fe1710bccc4aa6eb5628b36461fac0c04aa4d

SHA512
be7d386cbc47cc0f7bba74040812ab2a9c7ffd32a9918b167dd2b621fe4c9386418d9254dcbe65c200c189141b936de299e08e089a12716494527e0dab62a824

Download Submit
memory/1564-11-0x00007FFC0DAD0000-0x00007FFC0DAE0000-memory.dmp

Filesize
64KB

Download
memory/1564-3-0x00007FFC102D0000-0x00007FFC102E0000-memory.dmp

Filesize
64KB

Download
memory/1564-10-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-4-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-6-0x00007FFC102D0000-0x00007FFC102E0000-memory.dmp

Filesize
64KB

Download
memory/1564-5-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-7-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-9-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-15-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-0-0x00007FFC102D0000-0x00007FFC102E0000-memory.dmp

Filesize
64KB

Download
memory/1564-32-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-2-0x00007FFC102D0000-0x00007FFC102E0000-memory.dmp

Filesize
64KB

Download
memory/1564-8-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-18-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-17-0x00007FFC0DAD0000-0x00007FFC0DAE0000-memory.dmp

Filesize
64KB

Download
memory/1564-16-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-19-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-20-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-14-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-13-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download
memory/1564-1-0x00007FFC102D0000-0x00007FFC102E0000-memory.dmp

Filesize
64KB

Download
memory/1564-12-0x00007FFC50250000-0x00007FFC50445000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads