kinsing | hxxps://thebetslife[.]com/

Analysis

max time kernel
299s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://thebetslife.com/

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133506775109010613"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

380 chrome.exe
380 chrome.exe
3236 chrome.exe
3236 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

380 chrome.exe
380 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe
Token: SeShutdownPrivilege	380	chrome.exe
Token: SeCreatePagefilePrivilege	380	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe
380	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 380 wrote to memory of 4932	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4932	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 1172	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4548	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4548	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe
PID 380 wrote to memory of 4480	380	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://thebetslife.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd45359758,0x7ffd45359768,0x7ffd45359778
2⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1900,i,10119889636404854357,18108169332970949632,131072 /prefetch:2
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1900,i,10119889636404854357,18108169332970949632,131072 /prefetch:8
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1900,i,10119889636404854357,18108169332970949632,131072 /prefetch:8
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1900,i,10119889636404854357,18108169332970949632,131072 /prefetch:1
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1900,i,10119889636404854357,18108169332970949632,131072 /prefetch:1
2⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1900,i,10119889636404854357,18108169332970949632,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4496 --field-trial-handle=1900,i,10119889636404854357,18108169332970949632,131072 /prefetch:8
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1900,i,10119889636404854357,18108169332970949632,131072 /prefetch:8
2⤵
PID:1628

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
864B

MD5
e61c29fde71144ebb9a0c99d0ba22323

SHA1
078cdb47be1343aa7ee32556b7365e3d02ee0b93

SHA256
d1efb44b79c63ce8be529f549c343d56bfac18cc13870d82fc687126fcec41d0

SHA512
806734ce6692238b04b9a7485d3a609da7cced0e7f91c396f874e2d2259ce4fdf6c1bcb0c992b851cc5a43e411145d86e0c293ea1e96f6957e891b9052da89fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
816B

MD5
5d41a635f67f013c42cd4a65a54706bf

SHA1
a5a2ec16709a4aea94a9e67f33fa25fbc3a31433

SHA256
b7b8034475db4a29377a10ed02de2f00b0c0c917b835c941eadadf03e91ca546

SHA512
33eda0a12bf2483ae032e1e7960c38d783153c68c5e2581188f0de762e593c50c117cdfb86e89d6862caf76da552126864397fc3be55136f1b00a13a8988ec26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
f1c2f75a9ac8ba5a8d0a5577f790eccd

SHA1
43351aba8b14a50fa2c1d3ba54dcd6f60cef60b4

SHA256
2d079a663bf16625cd46ca03fa1cd3cfd36d9dd6b55dc88bfa5c76fe656906c8

SHA512
0ca6512abffffc2cd837262808997a21f9d9347cc698c98f347632a2f4226340db57442260160ee5ecafdca218d0b6bb509d1c4f95708e96a211fb30b01f0f06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
654d8df443fa64fd2f6e63eeaa4ef867

SHA1
64a40480b242641213cbf3735e0326540b38c410

SHA256
696a2558b1df9ecb02b5b46ef238ba40117681a719b032f0df2fa6ffa6868c7b

SHA512
21328fd3daca8282e3ea118b989a4324f5ed59cfb1ea1ea0c6fb78408788296984c8502e700bb410a9605a61b130ab5fb74900d05868d8a748c2685ec10e1bf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
043ce76848806bfad80789507bed31dd

SHA1
aba56608940f1c4425e6a0bcd686cf28097369f2

SHA256
235e266b0fab2110463efb353e355d349e5310d3d7dee4a86c3a4e0baa6731bc

SHA512
605800e9b1dda213ab4e3da51d137670a565ed08d2de37d138da51ddec7caf993a151b99df9967719d274217d6a6ef2bb9a8cd2d37a6e64f7718e60c2cb28efb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3898ff875abc89fe6be8d200c9f1e128

SHA1
14e9f309a72932fa96d72afb5005c5ffe168e01d

SHA256
5cb3154ecaf202591f16dd17d38a784c7ee02171a6d8b6ad51e4c874999781c6

SHA512
9a1a3b069a5850471e44fdadc0c2f9c6b861ba18bf35c28e996de2d8bd1ff9117bb2bf2e120dcee010b25069401148001989424473bbdb07c0604641f37bfcb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
90ded17093cbe0a027cb9257bc28bada

SHA1
8be27a1dd34b5a0ec436b863734625a19c6b54d9

SHA256
a9c4867a1a278acaeca33d57ea171445fc51d48365b33c68864559a8522bb1ec

SHA512
104da8207c2d37871cce7706af2569852ed8a10bc5bcce45e6ebd7b30c352dea050fbdb505f2d2744a5f996f602bdece23b1ebc319f05f23af67197e3ef63bb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_380_UOJTJJOMJFMYFQMO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit