kinsing | efd85583ad5df1e4033da39a713f3348e500a64c3fef9ba527d41858ad83eb85

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74f7db9c6976a33b3b2411d8a37b0619.exe
Size

506KB
MD5

74f7db9c6976a33b3b2411d8a37b0619
SHA1

d15504292e54bb4c3e5837635210eb60754ff6c0
SHA256

efd85583ad5df1e4033da39a713f3348e500a64c3fef9ba527d41858ad83eb85
SHA512

d399604ed8c52d90b2e9dde58e0ac83a8cf1235880a33d3bfd2668f1613050965e2941bd7f0f66e4829a93c3464898a6c658588a9f04b50405b1fb228d635bd9
SSDEEP

12288:UXsyl/1WmGX62m6gjx28EWld2XGkkTMmCDNXchcPAocNuVpa1+o/g:Csy2jZpg2CBTTgiCAo4uVpfo/g

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Deletes itself 1 IoCs

Processes:

74f7db9c6976a33b3b2411d8a37b0619.exe

pid process

3536 74f7db9c6976a33b3b2411d8a37b0619.exe
Executes dropped EXE 1 IoCs

Processes:

74f7db9c6976a33b3b2411d8a37b0619.exe

pid process

3536 74f7db9c6976a33b3b2411d8a37b0619.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 pastebin.com
10 pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

74f7db9c6976a33b3b2411d8a37b0619.exe

pid process

3536 74f7db9c6976a33b3b2411d8a37b0619.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1432 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

74f7db9c6976a33b3b2411d8a37b0619.exe

pid process

3536 74f7db9c6976a33b3b2411d8a37b0619.exe
3536 74f7db9c6976a33b3b2411d8a37b0619.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

74f7db9c6976a33b3b2411d8a37b0619.exe

pid process

4684 74f7db9c6976a33b3b2411d8a37b0619.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

74f7db9c6976a33b3b2411d8a37b0619.exe74f7db9c6976a33b3b2411d8a37b0619.exe

pid process

4684 74f7db9c6976a33b3b2411d8a37b0619.exe
3536 74f7db9c6976a33b3b2411d8a37b0619.exe

pid	process
3536	74f7db9c6976a33b3b2411d8a37b0619.exe

pid	process
3536	74f7db9c6976a33b3b2411d8a37b0619.exe

flow	ioc
8	pastebin.com
10	pastebin.com

pid	process
3536	74f7db9c6976a33b3b2411d8a37b0619.exe

pid	process
1432	schtasks.exe

pid	process
3536	74f7db9c6976a33b3b2411d8a37b0619.exe
3536	74f7db9c6976a33b3b2411d8a37b0619.exe

pid	process
4684	74f7db9c6976a33b3b2411d8a37b0619.exe

pid	process
4684	74f7db9c6976a33b3b2411d8a37b0619.exe
3536	74f7db9c6976a33b3b2411d8a37b0619.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

74f7db9c6976a33b3b2411d8a37b0619.exe74f7db9c6976a33b3b2411d8a37b0619.exe

description	pid	process	target process
PID 4684 wrote to memory of 3536	4684	74f7db9c6976a33b3b2411d8a37b0619.exe	74f7db9c6976a33b3b2411d8a37b0619.exe
PID 4684 wrote to memory of 3536	4684	74f7db9c6976a33b3b2411d8a37b0619.exe	74f7db9c6976a33b3b2411d8a37b0619.exe
PID 4684 wrote to memory of 3536	4684	74f7db9c6976a33b3b2411d8a37b0619.exe	74f7db9c6976a33b3b2411d8a37b0619.exe
PID 3536 wrote to memory of 1432	3536	74f7db9c6976a33b3b2411d8a37b0619.exe	schtasks.exe
PID 3536 wrote to memory of 1432	3536	74f7db9c6976a33b3b2411d8a37b0619.exe	schtasks.exe
PID 3536 wrote to memory of 1432	3536	74f7db9c6976a33b3b2411d8a37b0619.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\74f7db9c6976a33b3b2411d8a37b0619.exe
"C:\Users\Admin\AppData\Local\Temp\74f7db9c6976a33b3b2411d8a37b0619.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\AppData\Local\Temp\74f7db9c6976a33b3b2411d8a37b0619.exe
C:\Users\Admin\AppData\Local\Temp\74f7db9c6976a33b3b2411d8a37b0619.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\74f7db9c6976a33b3b2411d8a37b0619.exe" /TN Google_Trk_Updater /F
3⤵
- Creates scheduled task(s)
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74f7db9c6976a33b3b2411d8a37b0619.exe
Filesize
506KB

MD5
11c4adbac15d6f883fba03a08515b2b5

SHA1
35c95bfa7673ad760959a6f7c62cc20e4ec2246b

SHA256
76089180d93858a68cf62ec8f3489b08aa1107a74c3f0c8d94b2d3e47e579ab8

SHA512
928cf4751185b01043ee1b0f93455544b843e0e7b68b105b6210f07471cea6a7d1dbba0929dc1f547a9e44192f6903c4aa27c014fea2db17f962ac2a85cac799

Download Submit
memory/3536-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3536-20-0x0000000004F50000-0x0000000004FCE000-memory.dmp

Filesize
504KB

Download
memory/3536-16-0x0000000001560000-0x00000000015E3000-memory.dmp

Filesize
524KB

Download
memory/3536-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3536-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4684-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4684-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4684-1-0x0000000001660000-0x00000000016E3000-memory.dmp

Filesize
524KB

Download
memory/4684-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download