kinsing | 9fc381cfdae2b1cf1c60fd9556cdba5e729f234da8836f2f00dffdeae4148c03

Analysis

max time kernel
90s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74eb0a978cf707fc2a3c33edec9f1f79.exe
Size

652KB
MD5

74eb0a978cf707fc2a3c33edec9f1f79
SHA1

27c0b24d1eb776b7536727bf6ed66b0414178f5c
SHA256

9fc381cfdae2b1cf1c60fd9556cdba5e729f234da8836f2f00dffdeae4148c03
SHA512

aac7845313be9f4ca802ed9682eec6e29d15733334df2f3d58ad1b0aafe3cfb616acdfa6990dc4ab46d04480a94a33eccb761a98255d00fa43e172100678880a
SSDEEP

12288:Te6g5JKP/Ic71V0ao0WADIyJjcSoF3Z4mxxPALW3mZxMZtk:a6g5MPl3Xlc9QmXPAi3qxMZt

Score

10^/10

kinsing modiloader loader trojan

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4076-98-0x0000000000400000-0x00000000005D5000-memory.dmp	modiloader_stage2
behavioral2/memory/2240-97-0x0000000000400000-0x00000000005D5000-memory.dmp	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

KAV2007.exe

pid process

2240 KAV2007.exe

pid	process
2240	KAV2007.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

74eb0a978cf707fc2a3c33edec9f1f79.exe

description	ioc	process
File opened (read-only)	\??\B:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\H:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\I:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\P:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\S:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\A:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\J:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\N:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\T:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\V:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\Y:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\E:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\G:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\L:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\W:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\X:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\K:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\M:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\O:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\Q:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\R:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\U:	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened (read-only)	\??\Z:	74eb0a978cf707fc2a3c33edec9f1f79.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

74eb0a978cf707fc2a3c33edec9f1f79.exe

description	ioc	process
File created	C:\AutoRun.inf	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened for modification	C:\AutoRun.inf	74eb0a978cf707fc2a3c33edec9f1f79.exe
File created	F:\AutoRun.inf	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened for modification	F:\AutoRun.inf	74eb0a978cf707fc2a3c33edec9f1f79.exe

Drops file in System32 directory 2 IoCs

Processes:

KAV2007.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\_KAV2007.exe KAV2007.exe
File created C:\Windows\SysWOW64\_KAV2007.exe KAV2007.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

KAV2007.exe

description pid process target process

PID 2240 set thread context of 3212 2240 KAV2007.exe svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\_KAV2007.exe	KAV2007.exe
File created	C:\Windows\SysWOW64\_KAV2007.exe	KAV2007.exe

description	pid	process	target process
PID 2240 set thread context of 3212	2240	KAV2007.exe	svchost.exe

Drops file in Program Files directory 2 IoCs

Processes:

74eb0a978cf707fc2a3c33edec9f1f79.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe	74eb0a978cf707fc2a3c33edec9f1f79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe	74eb0a978cf707fc2a3c33edec9f1f79.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1532 3212 WerFault.exe svchost.exe

pid	pid_target	process	target process
1532	3212	WerFault.exe	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

74eb0a978cf707fc2a3c33edec9f1f79.exeKAV2007.exe

description	pid	process	target process
PID 4076 wrote to memory of 2240	4076	74eb0a978cf707fc2a3c33edec9f1f79.exe	KAV2007.exe
PID 4076 wrote to memory of 2240	4076	74eb0a978cf707fc2a3c33edec9f1f79.exe	KAV2007.exe
PID 4076 wrote to memory of 2240	4076	74eb0a978cf707fc2a3c33edec9f1f79.exe	KAV2007.exe
PID 2240 wrote to memory of 3212	2240	KAV2007.exe	svchost.exe
PID 2240 wrote to memory of 3212	2240	KAV2007.exe	svchost.exe
PID 2240 wrote to memory of 3212	2240	KAV2007.exe	svchost.exe
PID 2240 wrote to memory of 3212	2240	KAV2007.exe	svchost.exe
PID 2240 wrote to memory of 3212	2240	KAV2007.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\74eb0a978cf707fc2a3c33edec9f1f79.exe
"C:\Users\Admin\AppData\Local\Temp\74eb0a978cf707fc2a3c33edec9f1f79.exe"
1⤵
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4076

C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 12
4⤵
- Program crash
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3212 -ip 3212
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe
Filesize
164KB

MD5
7bdffd43dcc4b6ac7efc47bbad111710

SHA1
90016c6e2d61271e0a4debf60f244cbba02cae90

SHA256
854c3ed1a203a071ce23d94f683e175d403ce5d55bc708db3dc497e302b455d5

SHA512
43eec9ae53d305aca805e42397cddeeb8f9dc79ee7c0ff81824a0f21753edeadc79097168ee6594a41f9d4e9c15551cc2242c742b13e6809e27a2e78fd1af152

Download Submit
C:\Program Files\Common Files\microsoft shared\MSInfo\KAV2007.exe
Filesize
44KB

MD5
7069f871ee4fec16ae77d090de3391b5

SHA1
d3674d293f9f60821d40ea54f560487dd57ca17c

SHA256
9cca924e8951227ebdddbdc6093fd599485d23600eebc822bfcb8979923b56d2

SHA512
33a4d6f56a2e176be4dc703af08fcd486a51dbb7e40ecdb6413c9d15bb55929af71dd1c9e86eebe9cf4cf94de9b58d4aafb2bbed2d53c0ea1899b8802a95af36

Download Submit
F:\KAV2007.exe
Filesize
484KB

MD5
418a423dc5201217af8242f4b70216d1

SHA1
584fdaf3aefc4762063cfc49ac5a246b2144b069

SHA256
ab90db281d420a04cf732d54a2ff317c0a86ddafe626433687fec95fd20127ee

SHA512
7aa45c9439a17a0b62dac3ced13e32dba8c8b6b444d7c5d4f793888ad612e31c33d712fec8084f5e2eb39dfd912ccc62ec3098b62a3c73359c405ae24680aca2

Download Submit
memory/2240-97-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3212-93-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3212-100-0x0000000000380000-0x0000000000380000-memory.dmp

Download
memory/4076-64-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-45-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-6-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/4076-7-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/4076-5-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/4076-58-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-19-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/4076-27-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-26-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-25-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-33-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-41-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-46-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-57-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-49-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-48-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-55-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-61-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-60-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-66-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-65-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-68-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-70-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-71-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-73-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-56-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-69-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-67-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-1-0x0000000000C50000-0x0000000000CA4000-memory.dmp

Filesize
336KB

Download
memory/4076-63-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-62-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-59-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-20-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/4076-2-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/4076-72-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-54-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-53-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-52-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-51-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-98-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/4076-50-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-47-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-44-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-43-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-42-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-40-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-39-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-38-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-37-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-36-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-35-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-34-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-32-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-31-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-30-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-29-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-28-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-24-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-23-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-22-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-21-0x00000000035C0000-0x00000000036C0000-memory.dmp

Filesize
1024KB

Download
memory/4076-8-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/4076-4-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/4076-3-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/4076-0-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download