kinsing | 13a6b9b0cb511df243abcac34539e4c8465826e1fa012e13d0fe67476c9191d8

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:56

Target

13a6b9b0cb511df243abcac34539e4c8465826e1fa012e13d0fe67476c9191d8.dll
Size

600KB
MD5

e73164847311387bfc9fa722f264b2dc
SHA1

01aab93797b4b329adf4be9548f9e7e0802c998b
SHA256

13a6b9b0cb511df243abcac34539e4c8465826e1fa012e13d0fe67476c9191d8
SHA512

e0a80c015f3834885bcf0f4892dc489ab67e0c9772d0bf387d042bff63e3d3639cd0674db7b8451cbe1a26d53cb5668a93b8f77ddb20b5da71ec24cab5964fcf
SSDEEP

12288:aLVYmb+rC++14fIJ4n9eK+RSQoVzb73P4cKGZ13DaxuD+BxjJJRUbTNwHPe7lG:IYq+rC++14wyn9eK+8QoVzb73P4cKGjI

Score

10^/10

kinsing loader

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4704 4004 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4704	4004	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 228 wrote to memory of 4004	228	rundll32.exe	rundll32.exe
PID 228 wrote to memory of 4004	228	rundll32.exe	rundll32.exe
PID 228 wrote to memory of 4004	228	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\13a6b9b0cb511df243abcac34539e4c8465826e1fa012e13d0fe67476c9191d8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\13a6b9b0cb511df243abcac34539e4c8465826e1fa012e13d0fe67476c9191d8.dll,#1
2⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 600
3⤵
- Program crash
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4004 -ip 4004
1⤵
PID:1888