kinsing | 54f78bfaea6c1f2938875cadd4060e5ca115d5445b1b6f8f3b5a617fae90e045

General

Target

2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Size

288KB
MD5

14841626aafdc901eef87a0caa146766
SHA1

451d7c145bfbdf9a0fd5cee42627eb4f7d48d72f
SHA256

54f78bfaea6c1f2938875cadd4060e5ca115d5445b1b6f8f3b5a617fae90e045
SHA512

959fd81fb5cbac4ffcd9b6edc983cc4aca5fd4a9acd8cf4f6439c642582bda20e98e090128558f719ea4018bfd8c9e56e069b053eb3af73e24fda726291e8659
SSDEEP

6144:XuQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:+QMyfmNFHfnWfhLZVHmOog

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

Processes:

sidebar2.exesidebar2.exe

pid process

760 sidebar2.exe
2544 sidebar2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
760	sidebar2.exe
2544	sidebar2.exe

Modifies registry class 30 IoCs

Processes:

2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\Content-Type = "application/x-msdownload"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\sidebar2.exe\" /START \"%1\" %*"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\runas\command\ = "\"%1\" %*"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\DefaultIcon	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\open\command	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\open	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\ = "prochost"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\DefaultIcon	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\open\command	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\sidebar2.exe\" /START \"%1\" %*"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\open	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\runas\command	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\ = "Application"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\runas	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\runas\command	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\DefaultIcon\ = "%1"	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\prochost\shell\runas	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sidebar2.exe

description pid process

Token: SeIncBasePriorityPrivilege 760 sidebar2.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	760	sidebar2.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exesidebar2.exe

description	pid	process	target process
PID 60 wrote to memory of 760	60	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe	sidebar2.exe
PID 60 wrote to memory of 760	60	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe	sidebar2.exe
PID 60 wrote to memory of 760	60	2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe	sidebar2.exe
PID 760 wrote to memory of 2544	760	sidebar2.exe	sidebar2.exe
PID 760 wrote to memory of 2544	760	sidebar2.exe	sidebar2.exe
PID 760 wrote to memory of 2544	760	sidebar2.exe	sidebar2.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_14841626aafdc901eef87a0caa146766_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe"
3⤵
- Executes dropped EXE
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\sidebar2.exe
Filesize
288KB

MD5
8b571810fda4ccf2e44840c02e32a25d

SHA1
066f08c9145ed37ba0f86248226b8a19961e0f2e

SHA256
0ab893d1299dee54e207a477a2d92cdef05ec386c47fd0eb07578a8edd86df04

SHA512
590528c2a2fbc0905a98eec4b562bd590e22977dc99fadf275315716ed787042a15a93cbc3bc29e832ae694b8f964d071e8ccb75c327c050aa6d417dc9710be7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads