kinsing | 93df33c27f484f855e99f9e2e58ac0d390b12704484e33ea580c66563adc35f0

Analysis

max time kernel
134s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74ec11ce2abb6092698bfe9f12a0a940.exe
Size

1000KB
MD5

74ec11ce2abb6092698bfe9f12a0a940
SHA1

16c1113a17eed49d4c7e44d48fc285bd358769a3
SHA256

93df33c27f484f855e99f9e2e58ac0d390b12704484e33ea580c66563adc35f0
SHA512

6b0fd0d826677f2ff9f41517ccfff2a8407bffffe2ef5006c80b549afbdfa93aebc3d71b8a378fd4c0683076811e77db3e77bb4ec5c2d3e00e36107cfef519cd
SSDEEP

24576:6wbXlz15/KVh/FquyLN1B+5vMiqt0gj2ed:Bz15/AFJylqOL

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Deletes itself 1 IoCs

Processes:

74ec11ce2abb6092698bfe9f12a0a940.exe

pid process

1436 74ec11ce2abb6092698bfe9f12a0a940.exe
Executes dropped EXE 1 IoCs

Processes:

74ec11ce2abb6092698bfe9f12a0a940.exe

pid process

1436 74ec11ce2abb6092698bfe9f12a0a940.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

12 pastebin.com
14 pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

74ec11ce2abb6092698bfe9f12a0a940.exe

pid process

1436 74ec11ce2abb6092698bfe9f12a0a940.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4484 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

74ec11ce2abb6092698bfe9f12a0a940.exe

pid process

1436 74ec11ce2abb6092698bfe9f12a0a940.exe
1436 74ec11ce2abb6092698bfe9f12a0a940.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

74ec11ce2abb6092698bfe9f12a0a940.exe

pid process

4428 74ec11ce2abb6092698bfe9f12a0a940.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

74ec11ce2abb6092698bfe9f12a0a940.exe74ec11ce2abb6092698bfe9f12a0a940.exe

pid process

4428 74ec11ce2abb6092698bfe9f12a0a940.exe
1436 74ec11ce2abb6092698bfe9f12a0a940.exe

pid	process
1436	74ec11ce2abb6092698bfe9f12a0a940.exe

pid	process
1436	74ec11ce2abb6092698bfe9f12a0a940.exe

flow	ioc
12	pastebin.com
14	pastebin.com

pid	process
1436	74ec11ce2abb6092698bfe9f12a0a940.exe

pid	process
4484	schtasks.exe

pid	process
1436	74ec11ce2abb6092698bfe9f12a0a940.exe
1436	74ec11ce2abb6092698bfe9f12a0a940.exe

pid	process
4428	74ec11ce2abb6092698bfe9f12a0a940.exe

pid	process
4428	74ec11ce2abb6092698bfe9f12a0a940.exe
1436	74ec11ce2abb6092698bfe9f12a0a940.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

74ec11ce2abb6092698bfe9f12a0a940.exe74ec11ce2abb6092698bfe9f12a0a940.exe

description	pid	process	target process
PID 4428 wrote to memory of 1436	4428	74ec11ce2abb6092698bfe9f12a0a940.exe	74ec11ce2abb6092698bfe9f12a0a940.exe
PID 4428 wrote to memory of 1436	4428	74ec11ce2abb6092698bfe9f12a0a940.exe	74ec11ce2abb6092698bfe9f12a0a940.exe
PID 4428 wrote to memory of 1436	4428	74ec11ce2abb6092698bfe9f12a0a940.exe	74ec11ce2abb6092698bfe9f12a0a940.exe
PID 1436 wrote to memory of 4484	1436	74ec11ce2abb6092698bfe9f12a0a940.exe	schtasks.exe
PID 1436 wrote to memory of 4484	1436	74ec11ce2abb6092698bfe9f12a0a940.exe	schtasks.exe
PID 1436 wrote to memory of 4484	1436	74ec11ce2abb6092698bfe9f12a0a940.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\74ec11ce2abb6092698bfe9f12a0a940.exe
"C:\Users\Admin\AppData\Local\Temp\74ec11ce2abb6092698bfe9f12a0a940.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Local\Temp\74ec11ce2abb6092698bfe9f12a0a940.exe
C:\Users\Admin\AppData\Local\Temp\74ec11ce2abb6092698bfe9f12a0a940.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\74ec11ce2abb6092698bfe9f12a0a940.exe" /TN Google_Trk_Updater /F
3⤵
- Creates scheduled task(s)
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74ec11ce2abb6092698bfe9f12a0a940.exe
Filesize
1000KB

MD5
64934ed4e54702f7e19e1aab04d885cc

SHA1
51bc2a2e7732976a21ff1ff53b5e80d7671eac9d

SHA256
a76920d9ae004ed6e62648284a4115d5988f925378c7d46181811c83b2ea763e

SHA512
c5c8dbe2bde9a93d94a8c26ea690810862cc3bad64658b824660e673ca2588c90f22c199c25c2b14f14fe2b4e064eaf42945d5160e8ba5ab615e0f2c35f4a79d

Download Submit
memory/1436-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1436-15-0x0000000001560000-0x00000000015E3000-memory.dmp

Filesize
524KB

Download
memory/1436-20-0x0000000004FB0000-0x000000000502E000-memory.dmp

Filesize
504KB

Download
memory/1436-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1436-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4428-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4428-1-0x0000000001640000-0x00000000016C3000-memory.dmp

Filesize
524KB

Download
memory/4428-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4428-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download