Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
25-01-2024 16:03
General
-
Target
7b84a9dde57ecaed21008d7c94f547c2691569f32fe96858207ebf8fe65acaad.exe
-
Size
2.0MB
-
MD5
c9f5836878d8edbaa9eb864f5195a5c3
-
SHA1
f2703ce36fdc714258221f9e1cf7b9b2c8d33898
-
SHA256
7b84a9dde57ecaed21008d7c94f547c2691569f32fe96858207ebf8fe65acaad
-
SHA512
00dd50d63017c87b7f828d57524d0d91ab60b5f0c864a26142e161cfef9ccfd6a3a2099bb9b3d39a382fbb345c2075d3f6277d4f825c85dd56f23b31b290a1c7
-
SSDEEP
49152:yTxbkIPtWc7c5stBUrHHC4cxyt50WwI3blLRb5Cherbi:g5kIAc7ksturCVK3bNRb5Chmi
Malware Config
Signatures
-
Kinsing
Kinsing is a loader written in Golang.
-
XMRig Miner payload 7 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b84a9dde57ecaed21008d7c94f547c2691569f32fe96858207ebf8fe65acaad.exe"C:\Users\Admin\AppData\Local\Temp\7b84a9dde57ecaed21008d7c94f547c2691569f32fe96858207ebf8fe65acaad.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\sin.datC:\Users\Admin\Documents\/sin.dat2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\config.jsonFilesize
3KB
MD59547529a20cd5d10872657bd1171ac5b
SHA1869e47f6c8023ae14d92247fcd6f93a3e48f719f
SHA256ffa3750f71d9504ce2c67285e2e1e588828edf37cd12b7cd57d76db26d91f60b
SHA5128afb99f3fcc5d54ef8b6dc265f18fe1be3c05910953c13a94fbdfe3c33a4b179628452b7351576c49d98c4dcb73c1ffedf19215b115d8361ed095aa4267bd1c7
-
C:\Users\Admin\Documents\sin.datFilesize
2.2MB
MD5898f0ad69791bef50377471150cb31dc
SHA13293468fe26bbded63509c300ff2e5b186764e4b
SHA25614f877a877ec0a8b9d14be0440b0f77693c8606c5a3f48fa8e7b7ba584e5c2f1
SHA5124fafa94dcf4aa7e82c174ed72dc28afbaeef313c0ec7b17e8f283ba3a6c7b0e4735fa43217a4a29bde4a69ef956866b5f88bc417b13ffebfc3e3d9ae69eb60fd
-
C:\Users\Admin\Documents\sin.datFilesize
2.1MB
MD55207ba356e4eef9cb6b3f96351abb667
SHA1ff962bd8e249162c479cc1e59f37fef4260a8c98
SHA25687fa8c27765ad86b231ccc45ef6fb8db17af9cd77fa2162c768eccad35896180
SHA5127c866e53933822fd4bad9575a2ed4adbffa3d85affe03c3ad4a9c33a396a6d49d6d2707f0fb03825805a3509ca011bdb6e102063dc017dffd520d02befe72671
-
memory/4032-16-0x0000000000400000-0x0000000000C43000-memory.dmpFilesize
8.3MB
-
memory/4032-3-0x0000000000400000-0x0000000000C43000-memory.dmpFilesize
8.3MB
-
memory/4032-2-0x0000000000400000-0x0000000000C43000-memory.dmpFilesize
8.3MB
-
memory/4032-1-0x0000000000DF0000-0x0000000000DF1000-memory.dmpFilesize
4KB
-
memory/4032-0-0x0000000000400000-0x0000000000C43000-memory.dmpFilesize
8.3MB
-
memory/4032-17-0x0000000000DF0000-0x0000000000DF1000-memory.dmpFilesize
4KB
-
memory/4420-13-0x0000014F99A80000-0x0000014F99AA0000-memory.dmpFilesize
128KB
-
memory/4420-15-0x0000014F99C70000-0x0000014F99C74000-memory.dmpFilesize
16KB
-
memory/4420-18-0x0000014F99C70000-0x0000014F99C74000-memory.dmpFilesize
16KB
-
memory/4420-19-0x0000014F99D00000-0x0000014F99D04000-memory.dmpFilesize
16KB