kinsing | 768ec8c6fe1bc71cc496c618cfdb12292237a24b90f32d569792000c7fe7fb11

Analysis

max time kernel
89s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe
Size

122KB
MD5

7b4a875ab88f62fd28eec2985a0d7a63
SHA1

ef40e8ade1521c5f9e68d7ac50f7ef8055f68b5d
SHA256

768ec8c6fe1bc71cc496c618cfdb12292237a24b90f32d569792000c7fe7fb11
SHA512

4d61d5fe5bcb606d779624b671075b593062b6636f6dc4b86dae43343a5fa4c029fd267d2a68c563dcfa3b439cbbeb0ee47bac9b00e3f09c5ad9321571e76798
SSDEEP

768:gUQz7yVEhs9+4T/1bytOOtEvwDpjNbZ7uyA36S7MpxRIIXVe3mU9TYwlOBTZ+mjP:gUj+AIMOtEvwDpjNbwQEIPlemUhYpVa4

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\misid.exe	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

misid.exe2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	misid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid process

2028 misid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2028	misid.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe

description	pid	process	target process
PID 4036 wrote to memory of 2028	4036	2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe	misid.exe
PID 4036 wrote to memory of 2028	4036	2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe	misid.exe
PID 4036 wrote to memory of 2028	4036	2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe	misid.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_7b4a875ab88f62fd28eec2985a0d7a63_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\misid.exe
"C:\Users\Admin\AppData\Local\Temp\misid.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
122KB

MD5
4bdee09290cd2b88218c659bec8e4884

SHA1
ea7a22f0ff5b3d74f5e8896486eb3cef96df25a5

SHA256
2665bf85735487b0604dfd61d50e267da23794dfe4be005b7cef868031fcc928

SHA512
6da506b7de380fade91990a0f66324ed1b19c9551f0974a865f86138bd259844d3612327d51930e318bdb70095fdcf48ab1ed396ffdcc7c737de4a83682a20cf

Download Submit
memory/2028-17-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/2028-20-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/4036-0-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/4036-1-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/4036-2-0x00000000021B0000-0x00000000021B6000-memory.dmp

Filesize
24KB

Download