kinsing | f4b074675650c357f2db275a3b6fa565dacd7a858fad1a02ecf10050ba9495e7

General

Target

74efeebf5311c3a6c11fbe33b169f2f4.pdf
Size

34KB
MD5

74efeebf5311c3a6c11fbe33b169f2f4
SHA1

992410251887d7c353b58d3a23804f64cb68ab7e
SHA256

f4b074675650c357f2db275a3b6fa565dacd7a858fad1a02ecf10050ba9495e7
SHA512

bb06b4778b7e4d7f0877fa5e6bfef503a972aab3196738273cf6be998276aafc15cc712a256d999aa68f00c0549322c8c179319e8aabd55df856204255f06f15
SSDEEP

768:vgGzpDU5HGb6X2AAeUWqLp0xC5RlhDo7bIf1utf6UWjwXd:YGF0t1xCXlhDoAf1u96UGwt

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe
4036	AcroRd32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

AcroRd32.exe

pid process

4036 AcroRd32.exe
4036 AcroRd32.exe
4036 AcroRd32.exe
4036 AcroRd32.exe
4036 AcroRd32.exe
4036 AcroRd32.exe
4036 AcroRd32.exe
4036 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4036 wrote to memory of 4196	4036	AcroRd32.exe	RdrCEF.exe
PID 4036 wrote to memory of 4196	4036	AcroRd32.exe	RdrCEF.exe
PID 4036 wrote to memory of 4196	4036	AcroRd32.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 3128	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe
PID 4196 wrote to memory of 740	4196	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\74efeebf5311c3a6c11fbe33b169f2f4.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4036

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4196

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F58BDF95DE697ACACE22159EFFFE437E --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3128

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EBB33320833C6B01B348FE359F265ACA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EBB33320833C6B01B348FE359F265ACA --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
3⤵
PID:740

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5CC1E9254FC819A42024EDCA68538A55 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:968

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AC25BEF03EF5857E96056BEE1C7A285D --mojo-platform-channel-handle=2384 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2788

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=29FF3F3F83BEA75EE9DB1C79F781465A --mojo-platform-channel-handle=2364 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:220

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=535ADDB02DF0A1FBB003603382BA2168 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=535ADDB02DF0A1FBB003603382BA2168 --renderer-client-id=7 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
c2f951dbb4b98be71a618f3175178fc4

SHA1
d7bfd37a777e40020e44aa36be2673da99ad4e9b

SHA256
ad679814eae830d02a98353f6ba9532b4db79cb9f80e6caa4f51f489aa77e41a

SHA512
3b7e9974c99155bfd89d3ae8c19182df36d60b3752b79ce1b23ea65aa50c9202b189f1ae1c29ff5e58c998408da61679b4229a6607b38ba4784abe377f1a828a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
c1847480b370f09c15fb4579e6925a37

SHA1
b95a9dad41bfe25f4f843e091ff84e84405bc24d

SHA256
f48acdff068156da72a0273cfdfd2fd156288fd45045bc0138d2da8f698404bb

SHA512
c3a43b55b75f1db3fafcc10d1da3dd2003ed5aae65d762156800187a0159c08e95f923f3e36af279fb23c4e887f54c2ccd35df8463527b568a2c8396d4dcd239

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads