Overview

overview

10

Static

static

3

SQLi Dumper v8.3.exe

windows7-x64

7

SQLi Dumper v8.3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2024 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SQLi Dumper v8.3.exe

  • Size

    7.0MB

  • MD5

    d3c358f1785594fb5619cda521b9ff04

  • SHA1

    9c4a88b66da3fab2bc1b8fe2d2d4bc12903d7603

  • SHA256

    4879007515fc16fd0b22156852f2af0424c947f8cf543f5f4cccf1aed52bc97d

  • SHA512

    3ad1c58d7ba5b509ba4dd292ac62efa9e1f8f39660d3b55a5853b15e55ff6a15a3f8c7fed3b6dac4a5a00987e4ef6052829071342edb182916409819e9b21ee8

  • SSDEEP

    196608:sDKjAQxVBnZwfZ1l6yYrWOVr62bXfwvZR8T3WkYoZx8n:vjAOVBZwfQWyWAfwaG4Gn

Score
10/10
kinsingloader

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

    loaderkinsing
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SQLi Dumper v8.3.exe
    "C:\Users\Admin\AppData\Local\Temp\SQLi Dumper v8.3.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1288
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:436
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1428
      2⤵
      • Program crash
      PID:5104
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1992 -ip 1992
    1⤵
      PID:4032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1992-0-0x0000000075060000-0x0000000075611000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1992-1-0x0000000001B00000-0x0000000001B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1992-2-0x0000000075060000-0x0000000075611000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1992-12-0x0000000075060000-0x0000000075611000-memory.dmp

      Filesize

      5.7MB

      Download