kinsing | dc21b5ce1f8e1518045def5cb1a6917ac894bb679dd6cc8082f5b24375c94b2b

General

Target

PHOTO-GOLAYA.exe
Size

238KB
MD5

466171c86c39f1266019f1386b78ad45
SHA1

cf50984c43232cffb00e181597be92b5a118c65e
SHA256

af2f6bc331ddbf6401b342e21947f949a92143d7f8dea3e6a1dcefca18bcefb2
SHA512

162f43193b6e387ae9bbe77b099d62ad473f47b7dbfddb8e94fe75b3b7003035dadd9bb2e7069e8009eba74a6206784f54999f29ff5ea5a7463b086382018b4b
SSDEEP

3072:QBAp5XhKpN4eOyVTGfhEClj8jTk+0h5TlWnC+Cgw5CKHG:HbXE9OiTGfhEClq9IlWzJJUG

Score

10^/10

kinsing discovery loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

10 3164 WScript.exe

flow	pid	process
10	3164	WScript.exe

Drops file in Drivers directory 2 IoCs

Processes:

cmd.exeWScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hîsts	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PHOTO-GOLAYA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	PHOTO-GOLAYA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

Processes:

PHOTO-GOLAYA.execmd.exe

description	ioc	process
File created	C:\Program Files (x86)\moby duck\rider_on_the_storm\Uninstall.exe	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\moby duck\rider_on_the_storm\Uninstall.exe	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\moby duck\rider_on_the_storm\Uninstall.ini	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\moby duck\rider_on_the_storm\froggi_noggi_topppi_nocci.bat	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\moby duck\rider_on_the_storm\p0po9i8u7uy6yt5tr4re3ww2jfbgi50y38y92ffb8583vf9292fg38y4934g394fg293g39h4938973t47f983t94fy30ghj430tjg04hg9347f834.fff	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\moby duck\rider_on_the_storm\p0po9i8u7uy6yt5tr4re3ww2jfbgi50y38y92ffb8583vf9292fg38y4934g394fg293g39h4938973t47f983t94fy30ghj430tjg04hg9347f834.fff	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.klm	PHOTO-GOLAYA.exe
File opened for modification	C:\Program Files (x86)\moby duck\rider_on_the_storm\froggi_noggi_topppi_nocci.bat	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.klm	PHOTO-GOLAYA.exe
File created	C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.vbs	cmd.exe
File opened for modification	C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

PHOTO-GOLAYA.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings PHOTO-GOLAYA.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	PHOTO-GOLAYA.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

PHOTO-GOLAYA.exe

description	pid	process	target process
PID 32 wrote to memory of 2968	32	PHOTO-GOLAYA.exe	cmd.exe
PID 32 wrote to memory of 2968	32	PHOTO-GOLAYA.exe	cmd.exe
PID 32 wrote to memory of 2968	32	PHOTO-GOLAYA.exe	cmd.exe
PID 32 wrote to memory of 3164	32	PHOTO-GOLAYA.exe	WScript.exe
PID 32 wrote to memory of 3164	32	PHOTO-GOLAYA.exe	WScript.exe
PID 32 wrote to memory of 3164	32	PHOTO-GOLAYA.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe
"C:\Users\Admin\AppData\Local\Temp\PHOTO-GOLAYA.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\moby duck\rider_on_the_storm\froggi_noggi_topppi_nocci.bat" "
2⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
PID:2968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.vbs"
2⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\moby duck\rider_on_the_storm\froggi_noggi_topppi_nocci.bat
Filesize
1KB

MD5
ef09b0975dd3055e115040da125bf1e7

SHA1
c4653bad1b4bfd34ffeab5182fb16e244f8c35c4

SHA256
6a8031866aa29518659e04ccef03708ba654afada75b03406c52bebaadefe3ec

SHA512
b69ddaa597c4f4877f1d53d83aa950f9aaf6dba1643be2a45a3cb3eb9d1b66e777ca28b88feb7ae401c0410c00da0acb0ad5634ecfa9af6f3ffe2633a4cd70d4

Download Submit
C:\Program Files (x86)\moby duck\rider_on_the_storm\ne_nu_ne_zraza_li.vbs
Filesize
1KB

MD5
5ce6512909ac7bcb0c544a6d9879e853

SHA1
10e2a2145c3e65fe24159645314e4809bd2f3edd

SHA256
5e1089b403c748c7697968bda25367aada5a3281ddfd7d3f18747c338a03aa30

SHA512
515f66fc03f1d28e044ee5abdfaca33f8d12b7db10e6b1000c88b0ccd1ccc771aa53b6c8e4848b1a9649c6ec266c6d7f181dd5ab49d33e31c650d644a8d24e95

Download Submit
C:\Program Files (x86)\moby duck\rider_on_the_storm\p0po9i8u7uy6yt5tr4re3ww2jfbgi50y38y92ffb8583vf9292fg38y4934g394fg293g39h4938973t47f983t94fy30ghj430tjg04hg9347f834.fff
Filesize
87B

MD5
2048e7f377827684952eac6638737664

SHA1
177f0e8e28f88204df60059d64c6ec3bc108a673

SHA256
e69334131aff4bd540d8972b135c0510f9e7e310c4513df87793923b464ae688

SHA512
624f4865cda8892e6521ff1878cb290b9329fd7eb82034b3224a0358678d2d6eaa20c287efbe69b6d6fcc654c2ee4a36d3235f688c817f44f0e67d6f55ad7916

Download Submit
memory/32-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/32-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/32-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads