kinsing | 300fe6224578b1254a43444f7e1783dd608a6c065d4e6089e7560e719fc787b2

Analysis

max time kernel
93s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edmtd.exe
Size

68KB
MD5

206bdf1db7e2ffe38950ac59aaa20ea1
SHA1

43a814f9093e9c58c3ae285bdd2cd511f5435012
SHA256

3b7cd3479ddf35d5d803a14db014a6e7a1748afc8574e95b38e72990245fb473
SHA512

a5a141801a33c5e3bbfb02a0153457a480bee35706c3f5598e5509c958424b058d5934eaeb6f4dbfa0a624f2f5f387af6bbd54f726f1ae1641e98b344f9f933c
SSDEEP

1536:e3EAK3nQW/XNrcvkN4koAhdqp+e6ulcIgsuN9mB:HtnQW/XokN4koAhdq1cFsKmB

Score

10^/10

kinsing loader upx

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

edmtd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation edmtd.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

4768 regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	edmtd.exe

pid	process
4768	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral12/memory/4364-0-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral12/memory/4364-5-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A474BD59-F29A-4559-95B9-B4E13FA51FAA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A474BD59-F29A-4559-95B9-B4E13FA51FAA}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A474BD59-F29A-4559-95B9-B4E13FA51FAA}\1.0\ = "DTService 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A474BD59-F29A-4559-95B9-B4E13FA51FAA}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A474BD59-F29A-4559-95B9-B4E13FA51FAA}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A474BD59-F29A-4559-95B9-B4E13FA51FAA}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A474BD59-F29A-4559-95B9-B4E13FA51FAA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\dtservice.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A474BD59-F29A-4559-95B9-B4E13FA51FAA}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A474BD59-F29A-4559-95B9-B4E13FA51FAA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A474BD59-F29A-4559-95B9-B4E13FA51FAA}\1.0\0	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

regsvr32.exe

pid process

4768 regsvr32.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

regsvr32.exe

pid process

4768 regsvr32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

regsvr32.exe

pid process

4768 regsvr32.exe

pid	process
4768	regsvr32.exe

pid	process
4768	regsvr32.exe

pid	process
4768	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

edmtd.exe

description	pid	process	target process
PID 4364 wrote to memory of 4768	4364	edmtd.exe	regsvr32.exe
PID 4364 wrote to memory of 4768	4364	edmtd.exe	regsvr32.exe
PID 4364 wrote to memory of 4768	4364	edmtd.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\edmtd.exe
"C:\Users\Admin\AppData\Local\Temp\edmtd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s dtservice.dll
2⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\dtservice.dll
Filesize
29KB

MD5
fb4e5543f8eb5a10f324b6f549b7af73

SHA1
e7342ceeb93b53d42a40174c6801a104f1e20a1f

SHA256
c796a8e4fed7c57ecf7c00193a1356175f18446541947244b84d777b079e4444

SHA512
0febd58aa3e92a0836491628821cc3e3e4d6e62be2776608ca121238fceb62621b99072918fe093e7d2a204051ac8715d1713e86c1d296e9e96aad1f4866b13b

Download Submit
memory/4364-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4364-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download