kinsing | hxxps://email-signature-image[.]com/signature[.]gif?u=3142635&e=491417617&v=cc660b2db6531faced1e4f44e33ac7693794975ea0c5c22fc084fff5a90ab9fd

General

Target

https://email-signature-image.com/signature.gif?u=3142635&e=491417617&v=cc660b2db6531faced1e4f44e33ac7693794975ea0c5c22fc084fff5a90ab9fd

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133506733858332844"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

968 chrome.exe
968 chrome.exe
4064 chrome.exe
4064 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

968 chrome.exe
968 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 968 wrote to memory of 804	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 804	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 1720	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 2192	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 2192	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe
PID 968 wrote to memory of 3784	968	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://email-signature-image.com/signature.gif?u=3142635&e=491417617&v=cc660b2db6531faced1e4f44e33ac7693794975ea0c5c22fc084fff5a90ab9fd
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4a089758,0x7ffc4a089768,0x7ffc4a089778
2⤵
PID:804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1888,i,14713476714416768657,1614390690439675150,131072 /prefetch:8
2⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1888,i,14713476714416768657,1614390690439675150,131072 /prefetch:2
2⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1888,i,14713476714416768657,1614390690439675150,131072 /prefetch:8
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1888,i,14713476714416768657,1614390690439675150,131072 /prefetch:1
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1888,i,14713476714416768657,1614390690439675150,131072 /prefetch:1
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1888,i,14713476714416768657,1614390690439675150,131072 /prefetch:8
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1888,i,14713476714416768657,1614390690439675150,131072 /prefetch:8
2⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 --field-trial-handle=1888,i,14713476714416768657,1614390690439675150,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
4c194f5e4df660f32585eb836aaf6b33

SHA1
c1deffe991a298ee580fc21b63c02d8dc785f743

SHA256
0dfae6ec91a77ba71e6a2e677c2cd7f842b70c3260c5fd84fddd05d5c3b38e41

SHA512
069f7325733d11968495fb95eb596dbf84bdc1c9aef23c4a59d3e0555bd8ef23345fbf899e368b84fc3faad89c39251d2b174111baa5dc29e054146dd3fdeaf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
f33278d5ffdc6f59c41e3d6ede995b61

SHA1
86145647f15f1507cd99c187d6c3d76b6bcd0017

SHA256
d5b9af2a458b5cb0ddaf3a8776a93ec8827148b1174767142af63c0c11640e27

SHA512
72d327c542eb1c5927806f6226a126851f744eb8d26a509df1fd0ec3facefa5fe476d9402c93ab7abca27bc350077e4658d923b21ae33170063b51cebca405bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
fc1eed1d7e818fb1c96defd55a68d5e0

SHA1
47941be33eee7e7f679501aab9e001350e78ac8d

SHA256
7f4dacc35fff1de54421a9b81d60e14b90c6f967995d4083812861549b527b4b

SHA512
f727ac0de8842791b5a767147b14a930e01461cfa4aa083272f461668c375b9e7dbf07d567cd953bfd9d53914433eb9a223c237eced2f6a6095e47d1f4625f63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
aa7cd47e0955a85b9ab25b534dd3302f

SHA1
e1f8b15ef7d04ead0ff5a34477c2236b0b0b464d

SHA256
1d57a9739bb0648cba762c57e14e0b7c9019c394d3d59205e1a699e315e6f6e5

SHA512
1c0c38bbf5b8b4fb27cc1215e4ded8c1410c94a768da75c3068453c4d2aec94a5e5216297c646168ddc1f2ef0bb2c5c361996a698c7aaf0043c0005eb9ac177a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_968_DNHRILENULUGMXQC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads