kinsing | e68b96f0e99e4b6aebbedd626fbb369c369c8507f5b5cea9013eb3e0ea83e23f

General

Target

74f54405991dc0d284f3158f9266d7e3.exe
Size

1.8MB
MD5

74f54405991dc0d284f3158f9266d7e3
SHA1

eb8b23809c1a72144ef5d3dbec92b8445b790795
SHA256

e68b96f0e99e4b6aebbedd626fbb369c369c8507f5b5cea9013eb3e0ea83e23f
SHA512

3087f74eed15eb522b7938da4859daf0d0af1d13adc1ad23810b599839e94cdc7074ab06a48fae0cce4d2958c5a94ffe799cb9ea1891877ef0b812bf4f1cbbd9
SSDEEP

12288:OsD8BFyOmcNPYmzQ5J0T0aTE6chIoLXGtfbapRVczyu1jZ9sM2cTWzEOk0ksmVgX:FHcNPYDj0T0z6UsapRVclccTWwPdse

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	74f54405991dc0d284f3158f9266d7e3.exe

Executes dropped EXE 2 IoCs

Processes:

FileEn.exeFileEn.exe

pid process

1268 FileEn.exe
4588 FileEn.exe
Loads dropped DLL 1 IoCs

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

pid process

2056 74f54405991dc0d284f3158f9266d7e3.exe

pid	process
1268	FileEn.exe
4588	FileEn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fileProtect = "C:\\Windows\\system32\\FileEn.exe"	74f54405991dc0d284f3158f9266d7e3.exe

Drops file in System32 directory 9 IoCs

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Box.exe	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\FileEn.exe	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\fileprotect.dll	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\FileProtecter.ico	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\verwnd.dll	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\face.dll	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\FileProtecter.exe	74f54405991dc0d284f3158f9266d7e3.exe
File opened for modification	C:\Windows\SysWOW64\FileProtecter.exe	74f54405991dc0d284f3158f9266d7e3.exe
File created	C:\Windows\SysWOW64\notewnd.dll	74f54405991dc0d284f3158f9266d7e3.exe

Drops file in Windows directory 1 IoCs

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

description ioc process

File opened for modification C:\Windows\win.ini 74f54405991dc0d284f3158f9266d7e3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

pid process

2056 74f54405991dc0d284f3158f9266d7e3.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	74f54405991dc0d284f3158f9266d7e3.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

74f54405991dc0d284f3158f9266d7e3.exeFileEn.exeFileEn.exe

pid	process
2056	74f54405991dc0d284f3158f9266d7e3.exe
2056	74f54405991dc0d284f3158f9266d7e3.exe
1268	FileEn.exe
1268	FileEn.exe
1268	FileEn.exe
1268	FileEn.exe
2056	74f54405991dc0d284f3158f9266d7e3.exe
4588	FileEn.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

74f54405991dc0d284f3158f9266d7e3.exe

description	pid	process	target process
PID 2056 wrote to memory of 1268	2056	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe
PID 2056 wrote to memory of 1268	2056	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe
PID 2056 wrote to memory of 1268	2056	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe
PID 2056 wrote to memory of 4588	2056	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe
PID 2056 wrote to memory of 4588	2056	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe
PID 2056 wrote to memory of 4588	2056	74f54405991dc0d284f3158f9266d7e3.exe	FileEn.exe

C:\Users\Admin\AppData\Local\Temp\74f54405991dc0d284f3158f9266d7e3.exe
"C:\Users\Admin\AppData\Local\Temp\74f54405991dc0d284f3158f9266d7e3.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\FileEn.exe
"C:\Windows\system32\FileEn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Windows\SysWOW64\FileEn.exe
"C:\Windows\system32\FileEn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\FileEn.exe
Filesize
260KB

MD5
3c0a05b660e41423fec63815f4549e69

SHA1
4feb0a4a9a592f80d6f2d2a27396654fa3eea816

SHA256
b2d49e811a4702709533a500f857149647ac7b8c384c8e5a23a4cbecc664856e

SHA512
c54192e74d646d61a48b65a4df31b1a9757fe9855f91e60f932f9254ce735808bac17c6ada4a34ef38247852ca48d674140f93e135c008e3c4728f7b087105ce

Download Submit
C:\Windows\SysWOW64\face.dll
Filesize
276KB

MD5
71ae7d6dbb221bf825cc859f5db4a364

SHA1
71ba7e47e29f196d3a4b39747dc2ab287189409c

SHA256
5c02f694e1a8fcd4c81c01014f5aaa011fa5aa4e84ee4adf37f3006082b79083

SHA512
9a4a26b016912f94c3a4b68d23969dc60451bcbb37f0fa9f5c80b315d5819eab931a188618141dbe6972ca7d8dbaaf03c69001b6feb3fe83e9870efc13254a26

Download Submit
C:\Windows\win.ini
Filesize
137B

MD5
93613a490ade72e94dbc22fa31eb22b7

SHA1
81b7c3b0a65903269b1ce283d4116a3203e1f2cd

SHA256
506340e9929af77978ab54302c666617b5284d31445fec920fa4e45cfd8ab2fd

SHA512
f9c170d2b5dd8895f5f5c2c41760c1798b6c32b36c5c3578d181761cc0d7db434317e61b02a996717c38cb144e8ca26b9d1e1bb5954729d3403da1ee1fe6cf95

Download Submit
C:\Windows\win.ini
Filesize
145B

MD5
174407b874d65b40238230e03e6f320d

SHA1
5fb2257b55212fada41762620ef1790140596391

SHA256
abba7020e1302e30efcc8c81ec8990616746d826732ace729f18d3bae11e3dc4

SHA512
b58665ebe7a1dbbb0ecc86d0e864c2a22797434690a54681c5317893275faa326691c675d7faa939b5e5730e5e5c0c2c7cf90fd538c0ee18559def71c18cd231

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads