kinsing | 48919ce83b33b880c83f3de655d6869f8e7cf41fbd874e2c7cf957bba6d9c5e4

General

Target

74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
Size

454KB
MD5

74f36b834a5cf31d6d7ac9f4dc1fd92a
SHA1

2f108d1d6b0a368c614037530374466a5f6ac2ee
SHA256

48919ce83b33b880c83f3de655d6869f8e7cf41fbd874e2c7cf957bba6d9c5e4
SHA512

bbd4ee33619fe8ff3fc1ef5a1bf072bbde79f5098a0ae3affacf268525ba481ea4f4e0d3311e007e37c1169e20ccdaf33b44fbebeb4bd07d5464a6130a332fa7
SSDEEP

6144:P+fiFEGPOln4RUOeincdvjQl5pqhogsKOGruOB3uRy9Aoe:P+gPOV4uOeinsMqHsRIAL

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Drops desktop.ini file(s) 4 IoCs

Processes:

74f36b834a5cf31d6d7ac9f4dc1fd92a.exe

description	ioc	process
File created	\??\c:\$Recycle.Bin\S-1-5-21-1168293393-3419776239-306423207-1000\desktop.ini	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-1168293393-3419776239-306423207-1000\desktop.ini	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File created	\??\c:\Program Files\desktop.ini	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\desktop.ini	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe

Drops file in Program Files directory 64 IoCs

Processes:

74f36b834a5cf31d6d7ac9f4dc1fd92a.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Common Files\System\ado\msado21.tlb	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-synch-l1-1-0.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Drawing.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Collections.Immutable.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Encoding.Extensions.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\WindowsBase.resources.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\UIAutomationTypes.resources.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\System.Windows.Controls.Ribbon.resources.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File created	\??\c:\Program Files\Common Files\System\msadc\adcvbs.inc	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Primitives.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\meta-index	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\PresentationCore.resources.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File created	\??\c:\Program Files\Common Files\System\msadc\msdaprsr.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\ssv.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\tg.txt	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.SecureString.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\WindowsBase.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework.Royale.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\mip.exe	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File created	\??\c:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.Metadata.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\msadco.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File created	\??\c:\Program Files\Common Files\System\msadc\msdarem.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\msvcp140.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Common Files\System\ado\msader15.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File created	\??\c:\Program Files\Common Files\System\Ole DB\msdaosp.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.0 (x64).swidtag	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-1.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\mscordaccore.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.Serialization.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Windows.Input.Manipulations.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\include\win32\jni_md.h	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Resources.Writer.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Tasks.Extensions.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\System.Windows.Forms.Primitives.resources.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\PresentationCore.resources.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jli.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\id.txt	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

964 4404 WerFault.exe 74f36b834a5cf31d6d7ac9f4dc1fd92a.exe

pid	pid_target	process	target process
964	4404	WerFault.exe	74f36b834a5cf31d6d7ac9f4dc1fd92a.exe

C:\Users\Admin\AppData\Local\Temp\74f36b834a5cf31d6d7ac9f4dc1fd92a.exe
"C:\Users\Admin\AppData\Local\Temp\74f36b834a5cf31d6d7ac9f4dc1fd92a.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1016
2⤵
- Program crash
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4404 -ip 4404
1⤵
PID:3280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm
Filesize
236KB

MD5
2769e4e0cdf4f4ed4943b4ec8b6b3b4f

SHA1
c515b5f4f760abd3324868b6c28efa641678db9a

SHA256
845fe76e25f469984401b8fabfc25f6208cdd226bd44d4e3f0a10e3047ab8cb9

SHA512
c7a9a3a974f770e0d8f6439db3a70656569ee5301114e73cc6258c1eaafc2b518a635ebc0176f924dfedc85a30adcc5eb15aa8d9b91caef512aabb0ef40619df

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar
Filesize
5B

MD5
b5b682b742431a52ea8b17c72ad9c572

SHA1
326320f469235708c59f678c9a7357dca552d306

SHA256
30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76

SHA512
4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Download Submit
memory/4404-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4404-1948-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing