kinsing | dab14529caeac755a18561ee147e05db721a0cd6a37d8fe7bdd18bc6141db86f

Analysis

max time kernel
131s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:10

Target

74f018d8f7f7e46e314b8d4ab0c128c1.exe
Size

385KB
MD5

74f018d8f7f7e46e314b8d4ab0c128c1
SHA1

4fe849a30b7af68c3323dd60c20e81b9c948341f
SHA256

dab14529caeac755a18561ee147e05db721a0cd6a37d8fe7bdd18bc6141db86f
SHA512

a6d32dfbeb32dbb48cb930d1d65a0f0c7b32ce1b2a6b2bcf2bd731421edccfa5df176e09384f7aa914d370620c54c60687c86c01b2f6c79cef9b42fbed6cc5c1
SSDEEP

6144:79XgntqyzGb9LHRwWMJolZhn+b0gr02M8sFzSKrKkrCDPLDl1B:7pgntqaGbcWrm2xtrrCDPnB

Score

10^/10

kinsing loader

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Deletes itself 1 IoCs

Processes:

74f018d8f7f7e46e314b8d4ab0c128c1.exe

pid process

5092 74f018d8f7f7e46e314b8d4ab0c128c1.exe
Executes dropped EXE 1 IoCs

Processes:

74f018d8f7f7e46e314b8d4ab0c128c1.exe

pid process

5092 74f018d8f7f7e46e314b8d4ab0c128c1.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 pastebin.com
8 pastebin.com
Suspicious behavior: RenamesItself 1 IoCs

Processes:

74f018d8f7f7e46e314b8d4ab0c128c1.exe

pid process

796 74f018d8f7f7e46e314b8d4ab0c128c1.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

74f018d8f7f7e46e314b8d4ab0c128c1.exe74f018d8f7f7e46e314b8d4ab0c128c1.exe

pid process

796 74f018d8f7f7e46e314b8d4ab0c128c1.exe
5092 74f018d8f7f7e46e314b8d4ab0c128c1.exe

pid	process
5092	74f018d8f7f7e46e314b8d4ab0c128c1.exe

pid	process
5092	74f018d8f7f7e46e314b8d4ab0c128c1.exe

flow	ioc
7	pastebin.com
8	pastebin.com

pid	process
796	74f018d8f7f7e46e314b8d4ab0c128c1.exe

pid	process
796	74f018d8f7f7e46e314b8d4ab0c128c1.exe
5092	74f018d8f7f7e46e314b8d4ab0c128c1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

74f018d8f7f7e46e314b8d4ab0c128c1.exe

description	pid	process	target process
PID 796 wrote to memory of 5092	796	74f018d8f7f7e46e314b8d4ab0c128c1.exe	74f018d8f7f7e46e314b8d4ab0c128c1.exe
PID 796 wrote to memory of 5092	796	74f018d8f7f7e46e314b8d4ab0c128c1.exe	74f018d8f7f7e46e314b8d4ab0c128c1.exe
PID 796 wrote to memory of 5092	796	74f018d8f7f7e46e314b8d4ab0c128c1.exe	74f018d8f7f7e46e314b8d4ab0c128c1.exe

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\74f018d8f7f7e46e314b8d4ab0c128c1.exe
Filesize
385KB

MD5
f85f434679aa8da1211a19a937dcbf20

SHA1
6e92384816342992f5a626b1241d459bd30a4780

SHA256
7b6743075f487f14759ddc9df7c8e75dee7d28e7b50ee142c2297d221614c005

SHA512
402e2188cde7031c2b69bdfad0c3a0432e97ff9044fff63e6fb941d88b4609e1e652e313d35be0199acebd74ae03e6fd18b0985e6774105222495c5c29c4693c

Download Submit
memory/796-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/796-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/796-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/796-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5092-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5092-14-0x00000000014D0000-0x0000000001536000-memory.dmp

Filesize
408KB

Download
memory/5092-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5092-20-0x0000000004EC0000-0x0000000004F1F000-memory.dmp

Filesize
380KB

Download
memory/5092-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5092-34-0x000000000D660000-0x000000000D69C000-memory.dmp

Filesize
240KB

Download
memory/5092-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download