kinsing | cde9562cab02200758221670738714fdb158424c01d3d4badf4ddd19c6758ed8

Analysis

max time kernel
141s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74ee2ae757e5ace18c575d68932c9de6.exe
Size

209KB
MD5

74ee2ae757e5ace18c575d68932c9de6
SHA1

06a2b1ba3b47fb861104a57f6ed970dec1a5806e
SHA256

cde9562cab02200758221670738714fdb158424c01d3d4badf4ddd19c6758ed8
SHA512

b66264afa47c52e85a6ac34553484d61ffe367fe7a713feced4390af4defc40f607e0e8bf486ff8e49a5a8183d8348e6b8821bd1cc3a232f0fad75dab2a138a6
SSDEEP

3072:RltGyseHukSkEzX7YNR+1kBBU23Om02eQivjCZEsgKIBNHe3G55VKpitC9YxQ91F:RltGmukSlzXkNR+1k1+keQane25dtja

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Executes dropped EXE 2 IoCs

Processes:

u.dllmpress.exe

pid process

4176 u.dll
2232 mpress.exe
Modifies registry class 1 IoCs

Processes:

calc.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings calc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

5036 OpenWith.exe

pid	process
4176	u.dll
2232	mpress.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	calc.exe

pid	process
5036	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

74ee2ae757e5ace18c575d68932c9de6.execmd.exeu.dll

description	pid	process	target process
PID 4720 wrote to memory of 2684	4720	74ee2ae757e5ace18c575d68932c9de6.exe	cmd.exe
PID 4720 wrote to memory of 2684	4720	74ee2ae757e5ace18c575d68932c9de6.exe	cmd.exe
PID 4720 wrote to memory of 2684	4720	74ee2ae757e5ace18c575d68932c9de6.exe	cmd.exe
PID 2684 wrote to memory of 4176	2684	cmd.exe	u.dll
PID 2684 wrote to memory of 4176	2684	cmd.exe	u.dll
PID 2684 wrote to memory of 4176	2684	cmd.exe	u.dll
PID 4176 wrote to memory of 2232	4176	u.dll	mpress.exe
PID 4176 wrote to memory of 2232	4176	u.dll	mpress.exe
PID 4176 wrote to memory of 2232	4176	u.dll	mpress.exe
PID 2684 wrote to memory of 4860	2684	cmd.exe	calc.exe
PID 2684 wrote to memory of 4860	2684	cmd.exe	calc.exe
PID 2684 wrote to memory of 4860	2684	cmd.exe	calc.exe

C:\Users\Admin\AppData\Local\Temp\74ee2ae757e5ace18c575d68932c9de6.exe
"C:\Users\Admin\AppData\Local\Temp\74ee2ae757e5ace18c575d68932c9de6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\52C3.tmp\vir.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 74ee2ae757e5ace18c575d68932c9de6.exe.com -include s.dll -overwrite -nodelete
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176

C:\Users\Admin\AppData\Local\Temp\5331.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\5331.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe5341.tmp"
4⤵
- Executes dropped EXE
PID:2232

C:\Windows\SysWOW64\calc.exe
CALC.EXE
3⤵
- Modifies registry class
PID:4860

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52C3.tmp\vir.bat
Filesize
1KB

MD5
845c669005d6fa7b724e3643c9d2f057

SHA1
7c31bc6fb7210a3920e8f3b1a80bd510b47e4bab

SHA256
ee693a828bf61e67f1d3a7ecdb0c3646fceccaa63de058f7cd815768b999d625

SHA512
8d4c89717b57ea9d70a1e81d9f731187113f754cd5f6d1c705bb3680ecdd0c91456ff4fb3934473c846a188c8323a2b40b4b622ca18f6c5d5716fdfd39ddc073

Download Submit
C:\Users\Admin\AppData\Local\Temp\5331.tmp\mpress.exe
Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe5341.tmp
Filesize
41KB

MD5
4f74129c104ef1d140d90e0ba568ce01

SHA1
6f3eff482f956305006b6768a2a6ff242798a45d

SHA256
7695698f1983d6f8884164972c0e546da7e4a29f3c2ac244927f5b28da24c753

SHA512
8757d38c206b29cbabc7ada99871fc590ff0a775814a74752b9f3971956e7c000ca259cc9e1906897a343397d4dcfe9c271024878de42eb87e22477a6fd50f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe5341.tmp
Filesize
24KB

MD5
cdcfa1efe50d04afc7e0132fefaaebee

SHA1
9fb31f91df27a9fa854e13997eb27b1fffba93ec

SHA256
b418c29a1ce04661d4028ca863ba1253d49c15570cbfd50a0b1cba268357520d

SHA512
1aea5e87344b6f74b2584635216f3a3501bb8852aede2b5e395713041b82c006a8518edac769578e2062f9f592a0e5600ca7685fb1430eaef278c4b99b275a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll
Filesize
700KB

MD5
fd0d0d7ae1d515c6a6a5e027a383e813

SHA1
5ac4fff2a23711869002bb26e4463530788e086d

SHA256
6429e1a8f97a7e8226cae762348ad91d938e474db9ac2eb7d5d3aa2cc4b6123e

SHA512
068bec88e014b8d1a657f1eb75dfa1730c48601c4dd69198214fb8ea95e4e99fd8b185dbd1ca2cc6b075acb950af299b2483a3176951d2e80b0070708791778a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat
Filesize
1KB

MD5
75c4e79490188568f10cd004650648db

SHA1
cd7fb5dbe37e5e68c892f1c2c926861218dea37c

SHA256
ce3bb9cfa147b9c8f9d4280e77cc4a33025dae4a6cd0e31f971836bedd518dc2

SHA512
100f71b018a1de565044165a72441fdae8b717d0d87b093e712cb78ca2cec732d3b50f74aac282680a61601c0f305af817e8062c5aeec86de9e5f5334625cc06

Download Submit
memory/2232-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4720-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4720-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download