kinsing | 4678f587420c2e5b0d36545f84c0add26c99ff80c40e611d1c89143e30cae215

General

Target

751adf5ecbf0e57c3870b117201bd97a.exe
Size

691KB
MD5

751adf5ecbf0e57c3870b117201bd97a
SHA1

bf19f350bc8c3efb371feed74a08cfafffeb3037
SHA256

4678f587420c2e5b0d36545f84c0add26c99ff80c40e611d1c89143e30cae215
SHA512

e487885ef268fad64b613bb234236e707fd7c9faf5208e2de1bf264a785c359ca3eb4a7449813df3d8b864ac61f65e69f0ee949100a0042e8b382fcc5c9bfbc6
SSDEEP

12288:9LHAnRDs4sSZA+gxIhTQAYcGJScvcgVhrRQ6DqF3Z4mxxXoEtlK+kt9T2MRzE0:9LgK41Z+SdG3vRhrRQ6WQmX4GQ

Score

10^/10

kinsing loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Executes dropped EXE 2 IoCs

Processes:

1.exeHacker.com.cn.exe

pid process

436 1.exe
1624 Hacker.com.cn.exe

pid	process
436	1.exe
1624	Hacker.com.cn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

751adf5ecbf0e57c3870b117201bd97a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	751adf5ecbf0e57c3870b117201bd97a.exe

Drops file in Windows directory 2 IoCs

Processes:

1.exe

description ioc process

File opened for modification C:\Windows\Hacker.com.cn.exe 1.exe
File created C:\Windows\Hacker.com.cn.exe 1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1.exeHacker.com.cn.exe

description pid process

Token: SeDebugPrivilege 436 1.exe
Token: SeDebugPrivilege 1624 Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Hacker.com.cn.exe

pid process

1624 Hacker.com.cn.exe

description	ioc	process
File opened for modification	C:\Windows\Hacker.com.cn.exe	1.exe
File created	C:\Windows\Hacker.com.cn.exe	1.exe

description	pid	process
Token: SeDebugPrivilege	436	1.exe
Token: SeDebugPrivilege	1624	Hacker.com.cn.exe

pid	process
1624	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

751adf5ecbf0e57c3870b117201bd97a.exeHacker.com.cn.exe

description	pid	process	target process
PID 4000 wrote to memory of 436	4000	751adf5ecbf0e57c3870b117201bd97a.exe	1.exe
PID 4000 wrote to memory of 436	4000	751adf5ecbf0e57c3870b117201bd97a.exe	1.exe
PID 4000 wrote to memory of 436	4000	751adf5ecbf0e57c3870b117201bd97a.exe	1.exe
PID 1624 wrote to memory of 4660	1624	Hacker.com.cn.exe	IEXPLORE.EXE
PID 1624 wrote to memory of 4660	1624	Hacker.com.cn.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe
"C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1624

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
2⤵
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
Filesize
226KB

MD5
03d1b81af1849b71129e2171df76cd34

SHA1
77dd832ffd09bd97ddfbbf8d2111319025f2644f

SHA256
e0e510deee0b9982cdb17e11befaa3f47d23a7f9be28645526b8927a08707b8a

SHA512
3896dea7572a60d84affa98bc2f1e117c5c4db032764976207f581a6dfdaf535c8d48c437b4b54bbce670db4ed5fcd108cbc8eb7227531b57bf9f532f761efbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
Filesize
262KB

MD5
37a5d63de3be3bde95668a98430b9766

SHA1
44ab2432c26e8edf1e644ee59d32c4d97340c54c

SHA256
5a9a5739ec3b1291c3572e3cfee7a169ae719f6ff24702fd5ce541c542fc4618

SHA512
42b5f9b0b13b8c8bd9bd4b81542ea638e3d076fd81c6f63b53d50675fc8583d1858d40e08e12dbd64cef5d6da4e437a20df4e036e89de330035a654286f527ce

Download Submit
C:\Windows\Hacker.com.cn.exe
Filesize
57KB

MD5
b9f8aef2b730cd4c3ac29fe3cb9c5f76

SHA1
d171b5ba46cebcaa7204e106024e418115fd2cc8

SHA256
66b19cb31b327eeaeb6f148e17a623a62526f291d921c069f0bb6bbc0ba4e872

SHA512
bac14ab0ec4870513f8dbbf738d5dd2e97ad7d952cc3733897294872e3ea65d5268b4101c001bb7c9261dc1a2d6ee09be1764919a9ccb3e491fbd7b3c82be467

Download Submit
C:\Windows\Hacker.com.cn.exe
Filesize
743KB

MD5
b98674a3b72348c8198b443719c9e730

SHA1
d167b93c2c8780286f605e952efdc1a974bb579e

SHA256
4ddf26da506428e92302815daee5803616aaf5361e0365eebc0899255b9aa53f

SHA512
32407bfa0f8cd1939617087e89c02402df8e2f18691957138c0bff846cc1e7aacd303b976d5fb13a318aa5d7fbad3e9486c1ce64848a5210a8ddd76acf0b82cd

Download Submit
memory/436-31-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/436-25-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1624-34-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1624-30-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4000-17-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/4000-10-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/4000-19-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/4000-0-0x0000000001000000-0x00000000010BD000-memory.dmp

Filesize
756KB

Download
memory/4000-15-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4000-18-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4000-6-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/4000-14-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4000-13-0x0000000003180000-0x0000000003183000-memory.dmp

Filesize
12KB

Download
memory/4000-12-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4000-11-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4000-16-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/4000-9-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4000-8-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4000-7-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4000-3-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4000-4-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/4000-5-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4000-33-0x0000000000AC0000-0x0000000000B14000-memory.dmp

Filesize
336KB

Download
memory/4000-32-0x0000000001000000-0x00000000010BD000-memory.dmp

Filesize
756KB

Download
memory/4000-1-0x0000000001000000-0x00000000010BD000-memory.dmp

Filesize
756KB

Download
memory/4000-2-0x0000000000AC0000-0x0000000000B14000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads