kinsing | 4f7f0e5746943c6c5d64ecf906f8540c842ad6275dacc0144d05f070c928a976

General

Target

74f4aed732c61e9a1e8c86fc73add304.exe
Size

241KB
MD5

74f4aed732c61e9a1e8c86fc73add304
SHA1

9827c2ae5d2f45270b31c8d814cc0972a5e584be
SHA256

4f7f0e5746943c6c5d64ecf906f8540c842ad6275dacc0144d05f070c928a976
SHA512

09d7adb8d32502962a43694d0ad0cc51f42c26249ab76abf6ec7a141bb717dc648992ed6b7c15ff647f341293baec2eaaba136aa41ce59e32fe80c59c9750d54
SSDEEP

3072:BnEOei99xNKkOzyIT2PzfTyRNrex1amaYA9Y2ibyZdI4CC2AXxrciu1BHTOSPP:He+fAz16PHyK2bcyT55K9PP

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Drops desktop.ini file(s) 4 IoCs

Processes:

74f4aed732c61e9a1e8c86fc73add304.exe

description	ioc	process
File created	\??\c:\Program Files\desktop.ini	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\desktop.ini	74f4aed732c61e9a1e8c86fc73add304.exe
File created	\??\c:\$Recycle.Bin\S-1-5-21-3791175113-1062217823-1177695025-1000\desktop.ini	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-3791175113-1062217823-1177695025-1000\desktop.ini	74f4aed732c61e9a1e8c86fc73add304.exe

Drops file in Program Files directory 64 IoCs

Processes:

74f4aed732c61e9a1e8c86fc73add304.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Encodings.Web.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\System.Windows.Input.Manipulations.resources.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Windows.Controls.Ribbon.resources.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\lib\jconsole.jar	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\msdaosp.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Private.DataContractSerialization.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\bin\jp2ssv.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\hu.txt	74f4aed732c61e9a1e8c86fc73add304.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	74f4aed732c61e9a1e8c86fc73add304.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-memory-l1-1-0.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File created	\??\c:\Program Files\Common Files\System\ado\adojavas.inc	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\System\ado\msado26.tlb	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\host\fxr\6.0.25\hostfxr.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\UIAutomationProvider.resources.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml	74f4aed732c61e9a1e8c86fc73add304.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\PresentationUI.resources.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Xaml.resources.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jmc.txt	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\sq.txt	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	74f4aed732c61e9a1e8c86fc73add304.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\CompleteWrite.dotm	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\fr.txt	74f4aed732c61e9a1e8c86fc73add304.exe
File created	\??\c:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\UIAutomationTypes.resources.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\vcruntime140_1.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\System.Windows.Forms.Primitives.resources.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\hostpolicy.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	74f4aed732c61e9a1e8c86fc73add304.exe
File created	\??\c:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md	74f4aed732c61e9a1e8c86fc73add304.exe
File created	\??\c:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Sockets.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\javaws.exe	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\javapackager.exe	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif	74f4aed732c61e9a1e8c86fc73add304.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\eo.txt	74f4aed732c61e9a1e8c86fc73add304.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3904 1976 WerFault.exe 74f4aed732c61e9a1e8c86fc73add304.exe

pid	pid_target	process	target process
3904	1976	WerFault.exe	74f4aed732c61e9a1e8c86fc73add304.exe

C:\Users\Admin\AppData\Local\Temp\74f4aed732c61e9a1e8c86fc73add304.exe
"C:\Users\Admin\AppData\Local\Temp\74f4aed732c61e9a1e8c86fc73add304.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 676
2⤵
- Program crash
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1976 -ip 1976
1⤵
PID:1884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm
Filesize
314KB

MD5
4584be42d242860637da756ff4765925

SHA1
62aac2544e4968c66632860a1d3ef863232ec8c3

SHA256
c01391aa6740cf49889e02b0613d5ce6ab37e2b16305819cc806f2b541f25041

SHA512
96069d358d0340650057bf36f151a15c3a4a05f0ffaf9906687e277b691cc14edc2ae468492b18eb5cb65dd965460892cdecf02d82e0d07102d6094da03eb80a

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar
Filesize
5B

MD5
b5b682b742431a52ea8b17c72ad9c572

SHA1
326320f469235708c59f678c9a7357dca552d306

SHA256
30d9045a9f172208b13161d1f5204e5787e5e07bfbb4f490d0041b03b7f44f76

SHA512
4e1bd7cc616b3115baf6be7ebd29fe2d1123bc0f25464865a0cf9207b0344fba70747a5ce6f00e8d9c696881f6db1e12f81736bc748b6f2b60bf84c681a49163

Download Submit
memory/1976-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1976-2229-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing