kinsing | 40518baff3f8a37752df4005574950ac2fe02a69f717242160cbc4061ef65a39

General

Target

2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Size

274KB
MD5

e6a2ceb6dc18ffbdf8882fa62139986d
SHA1

077ee6b79d80248ebc330cca4ff6edd5d63871e0
SHA256

40518baff3f8a37752df4005574950ac2fe02a69f717242160cbc4061ef65a39
SHA512

ce7e3dbcaf1044526979d8769e85ad0686e1fee341e390a9bc2b06b879e8405eb719bb0daa762e60b4d5df0542c5aa60f5adabef16c9fa8227269cfc25632c6d
SSDEEP

6144:yYvZ6brUj+bvqHXSpWr2Kqz83Oad3Jg4PlPDIQ+KLzDDg:yYvEbrUjp3SpWggd3JBPlPDIQ3g

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

Processes:

csrssys.execsrssys.exe

pid process

760 csrssys.exe
968 csrssys.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
760	csrssys.exe
968	csrssys.exe

Modifies registry class 30 IoCs

Processes:

2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\shell\runas\command	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\ = "wexplorer"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\ = "Application"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\shell	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\shell	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\csrssys.exe\" /START \"%1\" %*"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\DefaultIcon\ = "%1"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\shell\open\command	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\DefaultIcon	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\shell\runas	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\shell\runas\command\ = "\"%1\" %*"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\DefaultIcon	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\shell\runas	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\Content-Type = "application/x-msdownload"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\shell\open\command	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\shell\open	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\shell\open	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\wexplorer\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\csrssys.exe\" /START \"%1\" %*"	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\.exe\shell\runas\command	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

csrssys.exe

description pid process

Token: SeIncBasePriorityPrivilege 760 csrssys.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	760	csrssys.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.execsrssys.exe

description	pid	process	target process
PID 1008 wrote to memory of 760	1008	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe	csrssys.exe
PID 1008 wrote to memory of 760	1008	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe	csrssys.exe
PID 1008 wrote to memory of 760	1008	2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe	csrssys.exe
PID 760 wrote to memory of 968	760	csrssys.exe	csrssys.exe
PID 760 wrote to memory of 968	760	csrssys.exe	csrssys.exe
PID 760 wrote to memory of 968	760	csrssys.exe	csrssys.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_e6a2ceb6dc18ffbdf8882fa62139986d_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe"
3⤵
- Executes dropped EXE
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\csrssys.exe
Filesize
274KB

MD5
ccc8a1521f70a10cae8d1542a3bc8eed

SHA1
90366f2df6bebf09dd1505144c43ccc17c34e39e

SHA256
b991e967a6b54c16bf36340117cb092dad30a4d29bcfb4620d7d5e1ec1b4794d

SHA512
a8e1a8a4a6a71131693afa3255fabcdfa29c7fffb4791f9332931bb9ed4bd8e9560c3be92fc9e575938a78a582ce7ce1b45c301c5780261c3c28a28a57c07f17

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads