kinsing | 66ff1380b6da5e5997c23c0302019836237df45cd2dfe1f57a15ba566ae51680

Analysis

max time kernel
139s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7519909800d261e7a6c4e3e02b0f1799.exe
Size

13KB
MD5

7519909800d261e7a6c4e3e02b0f1799
SHA1

87f6fee12beefc4ecf8d1adbd9d0281b5e087369
SHA256

66ff1380b6da5e5997c23c0302019836237df45cd2dfe1f57a15ba566ae51680
SHA512

0c72a951a0379ba0361643b56d9fbe981a41831e146387e8f2452277ba8b97692c5ab40e55d5513004a66dff1f209bdc0c56b6cc414f312dff70c91cbf69fa96
SSDEEP

192:mrO3Nxh2Ts4VHs+xClc09HNGa9L2PpAxXwCMrpY7e8LqPZo5LdCfq1Rn6O3shC6:mrMuTsjmsLeAxXr6+e9Pfqbn1if

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7519909800d261e7a6c4e3e02b0f1799.exeWScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	7519909800d261e7a6c4e3e02b0f1799.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

WScript.exe

pid	Process
4248	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

7519909800d261e7a6c4e3e02b0f1799.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	7519909800d261e7a6c4e3e02b0f1799.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

7519909800d261e7a6c4e3e02b0f1799.exe

pid	Process
4844	7519909800d261e7a6c4e3e02b0f1799.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7519909800d261e7a6c4e3e02b0f1799.exe

description	pid	Process	procid_target
PID 4844 wrote to memory of 4248	4844	7519909800d261e7a6c4e3e02b0f1799.exe	89
PID 4844 wrote to memory of 4248	4844	7519909800d261e7a6c4e3e02b0f1799.exe	89
PID 4844 wrote to memory of 4248	4844	7519909800d261e7a6c4e3e02b0f1799.exe	89

C:\Users\Admin\AppData\Local\Temp\7519909800d261e7a6c4e3e02b0f1799.exe
"C:\Users\Admin\AppData\Local\Temp\7519909800d261e7a6c4e3e02b0f1799.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\a.vbs"
  2⤵
  - Checks computer location settings
  - Deletes itself
  PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\a.vbs

Filesize
1KB

MD5
8aa2a3ec169445fa757f9ef1518c4dc3

SHA1
495bdd81e7f070f0a2637f1739e47c672d5afe9f

SHA256
3b6d3a8bf0be13f7802e084862404276deaa381298d5c8842b727bd72eb1d91f

SHA512
3bc33b254dc98f55663f34096004a4a69222219292110e91b5e78aeaa4ca2b55df856563d42f58904c3421c723725c0d3b62826862f07d9d58566f7877acc84b

Download Submit
memory/4844-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download