kinsing | 64b60550791a0b5e64d7b528aed4c05dcd9ea0641197c2bd31f49dce128cd0e2

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_83815ae6e673da0594adb8baa378e476_cryptolocker.exe
Size

38KB
MD5

83815ae6e673da0594adb8baa378e476
SHA1

97e552b4a3c8b38ffadc6da141f10bb368fdf926
SHA256

64b60550791a0b5e64d7b528aed4c05dcd9ea0641197c2bd31f49dce128cd0e2
SHA512

71b6d3806fd5a5e064f22ccdfea19fd351d6603f2c72a463e560191f12c2aeaf225997eea389ece6acf8189263dd912847ecfa135ec3fe483e45d1c0095f8bed
SSDEEP

768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6Dy8Pu:bIDOw9a0Dwo3P1ojvUSDhm

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\lossy.exe	CryptoLocker_rule2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-01-25_83815ae6e673da0594adb8baa378e476_cryptolocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	2024-01-25_83815ae6e673da0594adb8baa378e476_cryptolocker.exe

Executes dropped EXE 1 IoCs

Processes:

lossy.exe

pid process

1368 lossy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1368	lossy.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-01-25_83815ae6e673da0594adb8baa378e476_cryptolocker.exe

description	pid	process	target process
PID 932 wrote to memory of 1368	932	2024-01-25_83815ae6e673da0594adb8baa378e476_cryptolocker.exe	lossy.exe
PID 932 wrote to memory of 1368	932	2024-01-25_83815ae6e673da0594adb8baa378e476_cryptolocker.exe	lossy.exe
PID 932 wrote to memory of 1368	932	2024-01-25_83815ae6e673da0594adb8baa378e476_cryptolocker.exe	lossy.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_83815ae6e673da0594adb8baa378e476_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_83815ae6e673da0594adb8baa378e476_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\lossy.exe
"C:\Users\Admin\AppData\Local\Temp\lossy.exe"
2⤵
- Executes dropped EXE
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
39KB

MD5
d822e7f760f48308b0a2dd5aafc01af1

SHA1
a8fcab90288a6e247b6436afe94315ed285fc2cc

SHA256
ebc079cf002bf6b0aec4cba5d637aa67580943358f65f11841834d5e0b81e86a

SHA512
dbc7ec24ec046108b5951bca4d476866ba3354fbc43c9857fa4687efa42956a21a0f7550efce48e0850319bbd7adf33744a7cf4b082bb3da231eff89db81f854

Download Submit
memory/932-0-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/932-1-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/932-2-0x0000000002230000-0x0000000002236000-memory.dmp

Filesize
24KB

Download
memory/1368-17-0x0000000002040000-0x0000000002046000-memory.dmp

Filesize
24KB

Download
memory/1368-19-0x00000000021D0000-0x00000000021D6000-memory.dmp

Filesize
24KB

Download