kinsing | d4756363dedb92f110502f135d81e105449bc43af29170b759926e749fa2bb1a

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:03

Target

74eca17eb233c154cb22f449405f72ee.exe
Size

653KB
MD5

74eca17eb233c154cb22f449405f72ee
SHA1

8906b6bcaefbfce559b2a8093f7a3dffe84bb6d7
SHA256

d4756363dedb92f110502f135d81e105449bc43af29170b759926e749fa2bb1a
SHA512

1f8b33a876a2d5dc6853441a9fddc54715f685a5db73455f526d0ac4b0cccb98765c9aacb8febb06aed30c37adf2b84d2f6134dad2a813e6db087b067210d730
SSDEEP

12288:gnJPbyFx4sjKipMOdDnK9iaYnd5CKfs3oxT0ssKHYxZAuPs:gJ2FisjKYXDnMiaYuQxAsNYjvPs

Score

10^/10

kinsing loader

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Executes dropped EXE 1 IoCs

Processes:

GLB4229.tmp

pid process

2700 GLB4229.tmp
Loads dropped DLL 3 IoCs

Processes:

GLB4229.tmp

pid process

2700 GLB4229.tmp
2700 GLB4229.tmp
2700 GLB4229.tmp
Drops file in System32 directory 1 IoCs

Processes:

GLB4229.tmp

description ioc process

File created C:\Windows\SysWOW64\GLBSINST.%$D GLB4229.tmp

pid	process
2700	GLB4229.tmp

description	ioc	process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLB4229.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

74eca17eb233c154cb22f449405f72ee.exe

description	pid	process	target process
PID 3396 wrote to memory of 2700	3396	74eca17eb233c154cb22f449405f72ee.exe	GLB4229.tmp
PID 3396 wrote to memory of 2700	3396	74eca17eb233c154cb22f449405f72ee.exe	GLB4229.tmp
PID 3396 wrote to memory of 2700	3396	74eca17eb233c154cb22f449405f72ee.exe	GLB4229.tmp

C:\Users\Admin\AppData\Local\Temp\74eca17eb233c154cb22f449405f72ee.exe
"C:\Users\Admin\AppData\Local\Temp\74eca17eb233c154cb22f449405f72ee.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3396

C:\Users\Admin\AppData\Local\Temp\GLB4229.tmp
Filesize
70KB

MD5
b021a69bf1f7319f32da4d08b4e5b0b2

SHA1
9b09554ea6db172fe16a2145d80b17a0b1fdb597

SHA256
abd7b3d8f45471bd28a89d9dcc348fe167bc269cb851bcb879755d78d4c3da6a

SHA512
0e5c4c11cf209462e337b0caa835e60182e4b3d074e4470aaca5e1832cc729ee0bc6309d5e0460965f4d36786fc772e542a95fca59e37a706ed0fecf36fc943e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC42A6.tmp
Filesize
157KB

MD5
fbd929bfc7b4a9e4fa4506655bab4c4a

SHA1
b4df84de80729a04ed90dc976a3e730a568f24f8

SHA256
adf8dea5d36b58cf621e2bb0c4549f94e0919308dd7cc1215d942417c45e54a4

SHA512
b310e79848dc2a3c6a4524e0b120e2e3dd73ecb6852c65a9eec368045f7bab0b141210726476dd3cb0c1d9008e1f34149f35c03a0156a9eef7d4a7fbc61ea1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLK42F5.tmp
Filesize
30KB

MD5
3df61e5730883b2d338addd7acbe4bc4

SHA1
03166e6230231e7e3583cf9c8944f4967aa1bf1b

SHA256
2efe9a54c8eb878711d9b6cd18f276838645aff52fe69d8a864376cb258ec616

SHA512
36e9d705d22dad3d952b4da578a990f2b63ec2f9fbf2734efdaea9ecbd4f07a8d7232792eb5bdd81c553354d51334993cb6103c377f3483a680eac9e41cd2087

Download Submit
memory/3396-0-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3396-3-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3396-1-0x0000000002200000-0x0000000002213000-memory.dmp

Filesize
76KB

Download
memory/3396-19-0x0000000002200000-0x0000000002213000-memory.dmp

Filesize
76KB

Download