kinsing | 94354463bfa6788e255cd863e16920c969413b9f11e6169a07a4627a76db2c21

General

Target

2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Size

288KB
MD5

57cc69f1531d6e9e59bb86b507d25142
SHA1

dc74f73576ab35d7109021402df9958edcc68f63
SHA256

94354463bfa6788e255cd863e16920c969413b9f11e6169a07a4627a76db2c21
SHA512

c0fce2ce65456f8f8d590db133ccaa7f95f65b71bc6db1d4851c007e89b881522de5decb5483755167c97c412c129d72abdbf21c3bafa913d4bd5232ecff7287
SSDEEP

6144:9Q+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:9QMyfmNFHfnWfhLZVHmOog

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe

Executes dropped EXE 2 IoCs

Processes:

wlogon32.exewlogon32.exe

pid process

3468 wlogon32.exe
2812 wlogon32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3468	wlogon32.exe
2812	wlogon32.exe

Modifies registry class 30 IoCs

Processes:

2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\DefaultIcon	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\shell\runas	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\Content-Type = "application/x-msdownload"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\runas\command	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\runas	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\wlogon32.exe\" /START \"%1\" %*"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\open\command	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\shell\runas\command\ = "\"%1\" %*"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\DefaultIcon\ = "%1"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\shell\runas\command	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\shell\open	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\ = "haldriver"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\DefaultIcon\ = "%1"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\open	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\wlogon32.exe\" /START \"%1\" %*"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\DefaultIcon	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\.exe\shell	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\ = "Application"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\Content-Type = "application/x-msdownload"	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\shell\open\command	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\haldriver\shell	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wlogon32.exe

description pid process

Token: SeIncBasePriorityPrivilege 3468 wlogon32.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3468	wlogon32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exewlogon32.exe

description	pid	process	target process
PID 4732 wrote to memory of 3468	4732	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe	wlogon32.exe
PID 4732 wrote to memory of 3468	4732	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe	wlogon32.exe
PID 4732 wrote to memory of 3468	4732	2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe	wlogon32.exe
PID 3468 wrote to memory of 2812	3468	wlogon32.exe	wlogon32.exe
PID 3468 wrote to memory of 2812	3468	wlogon32.exe	wlogon32.exe
PID 3468 wrote to memory of 2812	3468	wlogon32.exe	wlogon32.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_57cc69f1531d6e9e59bb86b507d25142_mafia_nionspy.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\wlogon32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\wlogon32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\wlogon32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\wlogon32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\wlogon32.exe"
3⤵
- Executes dropped EXE
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\wlogon32.exe
Filesize
288KB

MD5
401dc1e7a80535eb5bc9792901ad6e6d

SHA1
f78327139174c884a095135dc2f13e62985d7f7a

SHA256
daf53572005e6a5ddbc3234e13588202cb6981a55f73c652827f9af7b13eb7e8

SHA512
6ea8c445b1a1fb8073c8cbcef354c840dec317921b7f406208862964693fa0f820612b4da00fa2906f59454bc5f42633d40606c902a44fdba9111e6074976556

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads