kinsing | 9a246e698694816a9552c58e4fbf66fdd5ed036bfcf82f3446f44b4029e452e4 | Triage

Analysis

max time kernel
88s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:02

Sharing

Report Analysis Logs

General

Target

74ec412ac4abbd35368a12eac7086cd6.exe
Size

7KB
MD5

74ec412ac4abbd35368a12eac7086cd6
SHA1

9d0e3748d8268ab097071e6c31bf1535e6a0c931
SHA256

9a246e698694816a9552c58e4fbf66fdd5ed036bfcf82f3446f44b4029e452e4
SHA512

362118f49c50765eebab41e0e272508ed9c8fb0eb6b70a6e4290f057fd2afe6c9d7837a739cf54cea663e48e5737489fe560ede6e02c871efa6a11401ef81706
SSDEEP

192:oXcoDse8RvzZPPZf5EoV6oaO3HcXlicF:aDseGvp5V6oaQHcbF

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

74ec412ac4abbd35368a12eac7086cd6.exe

pid process

1356 74ec412ac4abbd35368a12eac7086cd6.exe
1356 74ec412ac4abbd35368a12eac7086cd6.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

74ec412ac4abbd35368a12eac7086cd6.exe

description pid process

Token: 0 1356 74ec412ac4abbd35368a12eac7086cd6.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

74ec412ac4abbd35368a12eac7086cd6.exe

description	pid	process	target process
PID 1356 wrote to memory of 3452	1356	74ec412ac4abbd35368a12eac7086cd6.exe	Explorer.EXE
PID 1356 wrote to memory of 3452	1356	74ec412ac4abbd35368a12eac7086cd6.exe	Explorer.EXE
PID 1356 wrote to memory of 3452	1356	74ec412ac4abbd35368a12eac7086cd6.exe	Explorer.EXE
PID 1356 wrote to memory of 3452	1356	74ec412ac4abbd35368a12eac7086cd6.exe	Explorer.EXE
PID 1356 wrote to memory of 3452	1356	74ec412ac4abbd35368a12eac7086cd6.exe	Explorer.EXE
PID 1356 wrote to memory of 3452	1356	74ec412ac4abbd35368a12eac7086cd6.exe	Explorer.EXE
PID 1356 wrote to memory of 3452	1356	74ec412ac4abbd35368a12eac7086cd6.exe	Explorer.EXE
PID 1356 wrote to memory of 3452	1356	74ec412ac4abbd35368a12eac7086cd6.exe	Explorer.EXE
PID 1356 wrote to memory of 3452	1356	74ec412ac4abbd35368a12eac7086cd6.exe	Explorer.EXE
PID 1356 wrote to memory of 3452	1356	74ec412ac4abbd35368a12eac7086cd6.exe	Explorer.EXE
PID 1356 wrote to memory of 3452	1356	74ec412ac4abbd35368a12eac7086cd6.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\74ec412ac4abbd35368a12eac7086cd6.exe
"C:\Users\Admin\AppData\Local\Temp\74ec412ac4abbd35368a12eac7086cd6.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...