kinsing | e161926dbde52476ecadf490e4d2f8292c28bab433f6d1bc427ae13589eed769

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:02

Target

$PLUGINSDIR/blowfish.dll
Size

60KB
MD5

926e4475c00fb5254c32c876921b77d0
SHA1

8a55bc8b6e49021a4abbd441783c41d5e019798b
SHA256

d54c8582863c079996c4f1113b1c106204773ad9ea2ae831ba2b33b45bafdfa8
SHA512

53f389e1a967c123ed591c7650cf6d3140abf1012dcac90faf2327e68558949eb2b19905098bd14ab3a9811d23f98466f88418d992ca6373f94afae56a285bd8
SSDEEP

768:iqdVHQr1iIxqXiURXB+tzjjrrzhzlRryN+SaYhba3mrf+C7jWk1MLfoMR38:iawr1iIIXYplRrOk4f7HML1R3

Score

10^/10

kinsing loader

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1880 3480 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1880	3480	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4040 wrote to memory of 3480	4040	rundll32.exe	rundll32.exe
PID 4040 wrote to memory of 3480	4040	rundll32.exe	rundll32.exe
PID 4040 wrote to memory of 3480	4040	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\blowfish.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\blowfish.dll,#1
2⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 600
3⤵
- Program crash
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3480 -ip 3480
1⤵
PID:4360