Malware Analysis Report

2024-10-19 08:27

Sample ID 240125-v428dacfep
Target 751adf5ecbf0e57c3870b117201bd97a
SHA256 4678f587420c2e5b0d36545f84c0add26c99ff80c40e611d1c89143e30cae215
Tags
persistence kinsing loader
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

4678f587420c2e5b0d36545f84c0add26c99ff80c40e611d1c89143e30cae215

Threat Level: Known bad

The file 751adf5ecbf0e57c3870b117201bd97a was found to be: Known bad.

Malicious Activity Summary

persistence kinsing loader

Kinsing

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:33

Reported

2024-01-25 17:36

Platform

win7-20231215-en

Max time kernel

143s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe N/A
N/A N/A C:\Windows\Hacker.com.cn.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe N/A

Note: a wextract_cleanup0 value that points rundll32.exe at advpack.dll,DelNodeRunDLL32 is the standard entry written by the Windows self-extracting cabinet stub (wextract.exe, as produced by IExpress) so that its IXP000.TMP staging directory is deleted at the next logon. It confirms that the sample is an IExpress-style self-extractor, but it does not relaunch the payload, and neither detonation records a Run/RunOnce entry for C:\Windows\Hacker.com.cn.exe, so this row alone does not evidence persistence of the dropped binary.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Hacker.com.cn.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe N/A
File opened for modification C:\Windows\Hacker.com.cn.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Hacker.com.cn.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Hacker.com.cn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe

"C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

C:\Windows\Hacker.com.cn.exe

C:\Windows\Hacker.com.cn.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

Network

Country  Destination           Domain          Proto
US       8.8.8.8:53            afgd.3322.org   udp
CN       157.122.62.205:8000   afgd.3322.org   tcp
CN       157.122.62.205:8000   afgd.3322.org   tcp
US       8.8.8.8:53            afgd.3322.org   udp
CN       157.122.62.205:8000   afgd.3322.org   tcp
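The signatures, process list and network rows of behavioral1 above are what an analyst would turn into detection logic. The following Python is an added example, not part of the sandbox report and not the sandbox's own signature engine: it replays the detonation as constructed Sysmon-style records and applies the checks that matter here, namely drop-then-execute chaining, an executable written into the C:\Windows root from a user temp path, Run/RunOnce writes with the wextract cleanup stub told apart from a real autostart entry, queries to dynamic-DNS zones, and a dropped binary that beacons on a non-web port or launches a browser. The field names, the parent links and the extraction event for 1.exe are assumptions of the example; the paths, registry data, domain and endpoint are the report's own.

```python
import re

# Constructed, Sysmon-style replay of the behavioral1 detonation above. Field
# names, the parent links and the extraction event for 1.exe are assumptions of
# this example; paths, registry data, domain and endpoint are the report's own.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe"
PAYLOAD = r"C:\Windows\Hacker.com.cn.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": DROPPER},
    {"type": "registry", "image": DROPPER,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"type": "file", "image": DROPPER, "target": STAGE1},   # assumed: the SFX extracts 1.exe
    {"type": "process", "image": STAGE1, "parent": DROPPER},
    {"type": "file", "image": STAGE1, "target": PAYLOAD},
    {"type": "process", "image": PAYLOAD, "parent": STAGE1},
    {"type": "dns", "image": PAYLOAD, "query": "afgd.3322.org"},
    {"type": "dns", "image": PAYLOAD, "query": "0.205.248.87.in-addr.arpa"},
    {"type": "connect", "image": PAYLOAD, "dst": "157.122.62.205", "port": 8000},
    {"type": "process", "image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE", "parent": PAYLOAD},
]

USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
WINDOWS_ROOT_EXE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.I)  # directly under C:\Windows
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
WEXTRACT_CLEANUP = re.compile(r"advpack\.dll,\s*DelNodeRunDLL32\b", re.I)
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Dynamic-DNS zones: the one in this report plus a few commonly abused ones (constructed list).
DDNS_ZONES = ("3322.org", "f3322.net", "8800.org", "no-ip.org")


def in_zone(name, zones):
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)


def triage(events):
    """Return (severity, rule, evidence) triples; the only state is the set of files written so far."""
    findings, dropped = [], set()
    for ev in events:
        kind, img = ev["type"], ev["image"].lower()
        if kind == "file":
            target = ev["target"].lower()
            dropped.add(target)
            if USER_TEMP.match(img) and WINDOWS_ROOT_EXE.match(target):
                findings.append(("high", "temp-staged binary wrote an executable into the C:\\Windows root", ev["target"]))
        elif kind == "process":
            if img in dropped:
                findings.append(("medium", "executes dropped EXE", ev["image"]))
            parent = ev.get("parent", "").lower()
            if parent in dropped and img.rsplit("\\", 1)[-1] in BROWSERS:
                findings.append(("high", "dropped binary launched a browser (injection/egress host)", ev["image"]))
        elif kind == "registry" and RUN_KEY.search(ev["key"]):
            if WEXTRACT_CLEANUP.search(ev["data"]):
                findings.append(("info", "RunOnce value is the wextract/IExpress staging-dir cleanup, not payload persistence", ev["key"]))
            else:
                findings.append(("high", "Run/RunOnce autostart value written", ev["key"]))
        elif kind == "dns" and in_zone(ev["query"], DDNS_ZONES):
            findings.append(("medium", "query to a dynamic-DNS zone", ev["query"]))
        elif kind == "connect" and img in dropped and ev["port"] not in (80, 443):
            findings.append(("high", "dropped binary connecting on a non-web port", f"{ev['dst']}:{ev['port']}"))
    return findings


if __name__ == "__main__":
    for severity, rule, evidence in triage(SAMPLE_EVENTS):
        print(f"[{severity:6}] {rule}: {evidence}")
```

The "dropped" set is what keeps the browser and non-web-port rules from firing on explorer.exe or on any ordinary image under C:\Windows: a finding is only raised for a binary the stream has already seen being written, which is the chain this report shows (SFX writes 1.exe, 1.exe writes Hacker.com.cn.exe, Hacker.com.cn.exe beacons and spawns IEXPLORE.EXE). The reverse lookup of 0.205.248.87.in-addr.arpa is deliberately left unmatched.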

Files

memory/2528-0-0x0000000001000000-0x00000000010BD000-memory.dmp

memory/2528-1-0x00000000003B0000-0x0000000000404000-memory.dmp

memory/2528-3-0x0000000000450000-0x0000000000451000-memory.dmp

memory/2528-14-0x0000000003120000-0x0000000003123000-memory.dmp

memory/2528-13-0x0000000003130000-0x0000000003131000-memory.dmp

memory/2528-12-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2528-11-0x00000000004B0000-0x00000000004B1000-memory.dmp

memory/2528-10-0x0000000000480000-0x0000000000481000-memory.dmp

memory/2528-9-0x0000000000490000-0x0000000000491000-memory.dmp

memory/2528-8-0x0000000000420000-0x0000000000421000-memory.dmp

memory/2528-5-0x0000000000430000-0x0000000000431000-memory.dmp

memory/2528-4-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/2528-2-0x0000000000470000-0x0000000000471000-memory.dmp

memory/2528-15-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2528-16-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2528-17-0x0000000003160000-0x0000000003161000-memory.dmp

memory/2528-18-0x0000000003150000-0x0000000003151000-memory.dmp

memory/2528-19-0x0000000003140000-0x0000000003141000-memory.dmp

memory/2528-20-0x00000000031B0000-0x00000000031B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

MD5 b98674a3b72348c8198b443719c9e730
SHA1 d167b93c2c8780286f605e952efdc1a974bb579e
SHA256 4ddf26da506428e92302815daee5803616aaf5361e0365eebc0899255b9aa53f
SHA512 32407bfa0f8cd1939617087e89c02402df8e2f18691957138c0bff846cc1e7aacd303b976d5fb13a318aa5d7fbad3e9486c1ce64848a5210a8ddd76acf0b82cd

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

MD5 87cd14e42463c615163b41722ead55b0
SHA1 377b0a72ab469a5cbdf0db33a77425a577934f56
SHA256 a5ae15466de97171d0c7c37f07380f8c53d30d52c1dc54b0e9bd9a171f3ef6c0
SHA512 0939587f2b6ec40768a6c24a6ef699ca89cb9ce31e7471ea22c5667798e4420b0c51420118c9bcf52e0c397746405114aab204b56bad1edad8c901e29b5d9349

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

MD5 424a13b36cdd7059ae8c5e94fd51a49a
SHA1 2cce49eeaa9a80ef065234e88dce2e10daa79bb5
SHA256 cbbcb1e1fe5e9d0fef5e335e7abe48874ceb9776abc36e559741334387592405
SHA512 7941bd133d62fc690a15b7fdd6808269e72ab2df62bb4b4767dc4776bd6b9d8c7ebb54d468f1460047006f8d972e34036c52953816e51121ae88aa4acb694e50

memory/2724-28-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

MD5 3b64923f450aaf62b72bc464748750ce
SHA1 fe37044804b5cbad6d8ceacdb6809033153cc7b0
SHA256 dc8cdb623a4c35bc6dd8f16ea1a5175111ec0c4a08a7e8181da3eb513c268f3a
SHA512 d9953d84f50b5a25acae179f1303140741c4d34ce01fab0d3cec51338fd1f3bd694733b34d24438d71f607edd40e95b960ba29ad41a2aa2f27a5b633c9726364

memory/2852-33-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2724-35-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2528-37-0x00000000003B0000-0x0000000000404000-memory.dmp

memory/2528-36-0x0000000001000000-0x00000000010BD000-memory.dmp

memory/2852-38-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2852-39-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2852-40-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2852-44-0x0000000000400000-0x00000000004C2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:33

Reported

2024-01-25 17:36

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe"

Signatures

Kinsing

loader kinsing

Caveat: Kinsing is documented as a Linux cryptomining and backdoor family. Nothing in the Windows artifacts of this detonation (a self-extracting PE dropper, a payload copied to C:\Windows\Hacker.com.cn.exe, a dynamic-DNS C2 on TCP 8000) corroborates the tag, so treat it as a classifier hit to verify against the sample rather than as an attribution.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe N/A
N/A N/A C:\Windows\Hacker.com.cn.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Hacker.com.cn.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe N/A
File created C:\Windows\Hacker.com.cn.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Hacker.com.cn.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Hacker.com.cn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe

"C:\Users\Admin\AppData\Local\Temp\751adf5ecbf0e57c3870b117201bd97a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

C:\Windows\Hacker.com.cn.exe

C:\Windows\Hacker.com.cn.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53            13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            64.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53            afgd.3322.org                 udp
CN       157.122.62.205:8000   afgd.3322.org                 tcp
US       8.8.8.8:53            241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53            26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53            140.71.91.104.in-addr.arpa    udp
CN       157.122.62.205:8000   afgd.3322.org                 tcp
US       8.8.8.8:53            194.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53            afgd.3322.org                 udp
CN       157.122.62.205:8000   afgd.3322.org                 tcp
US       8.8.8.8:53            178.223.142.52.in-addr.arpa   udp

The in-addr.arpa rows are reverse (PTR) lookups, typical of background traffic from the Windows 10 sandbox image rather than of the sample; from this report alone they cannot be tied to it. The sample's own traffic is the resolution of afgd.3322.org (a 3322.org dynamic-DNS name) and the repeated TCP connections to 157.122.62.205:8000, the same endpoint seen in behavioral1.

Files

memory/4000-0-0x0000000001000000-0x00000000010BD000-memory.dmp

memory/4000-2-0x0000000000AC0000-0x0000000000B14000-memory.dmp

memory/4000-1-0x0000000001000000-0x00000000010BD000-memory.dmp

memory/4000-5-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/4000-4-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

memory/4000-6-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

memory/4000-18-0x00000000031A0000-0x00000000031A1000-memory.dmp

memory/4000-17-0x00000000031B0000-0x00000000031B1000-memory.dmp

memory/4000-19-0x0000000003210000-0x0000000003211000-memory.dmp

memory/4000-16-0x00000000031C0000-0x00000000031C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

MD5 37a5d63de3be3bde95668a98430b9766
SHA1 44ab2432c26e8edf1e644ee59d32c4d97340c54c
SHA256 5a9a5739ec3b1291c3572e3cfee7a169ae719f6ff24702fd5ce541c542fc4618
SHA512 42b5f9b0b13b8c8bd9bd4b81542ea638e3d076fd81c6f63b53d50675fc8583d1858d40e08e12dbd64cef5d6da4e437a20df4e036e89de330035a654286f527ce

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

MD5 03d1b81af1849b71129e2171df76cd34
SHA1 77dd832ffd09bd97ddfbbf8d2111319025f2644f
SHA256 e0e510deee0b9982cdb17e11befaa3f47d23a7f9be28645526b8927a08707b8a
SHA512 3896dea7572a60d84affa98bc2f1e117c5c4db032764976207f581a6dfdaf535c8d48c437b4b54bbce670db4ed5fcd108cbc8eb7227531b57bf9f532f761efbb

memory/4000-15-0x00000000005F0000-0x00000000005F1000-memory.dmp

C:\Windows\Hacker.com.cn.exe

MD5 b9f8aef2b730cd4c3ac29fe3cb9c5f76
SHA1 d171b5ba46cebcaa7204e106024e418115fd2cc8
SHA256 66b19cb31b327eeaeb6f148e17a623a62526f291d921c069f0bb6bbc0ba4e872
SHA512 bac14ab0ec4870513f8dbbf738d5dd2e97ad7d952cc3733897294872e3ea65d5268b4101c001bb7c9261dc1a2d6ee09be1764919a9ccb3e491fbd7b3c82be467

memory/436-25-0x0000000002280000-0x0000000002281000-memory.dmp

memory/4000-14-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/4000-13-0x0000000003180000-0x0000000003183000-memory.dmp

memory/4000-12-0x0000000003190000-0x0000000003191000-memory.dmp

memory/4000-11-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

memory/4000-10-0x0000000000D50000-0x0000000000D51000-memory.dmp

memory/4000-9-0x0000000000D20000-0x0000000000D21000-memory.dmp

memory/4000-8-0x0000000000D30000-0x0000000000D31000-memory.dmp

memory/4000-7-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

memory/4000-3-0x0000000000D10000-0x0000000000D11000-memory.dmp

C:\Windows\Hacker.com.cn.exe

MD5 b98674a3b72348c8198b443719c9e730
SHA1 d167b93c2c8780286f605e952efdc1a974bb579e
SHA256 4ddf26da506428e92302815daee5803616aaf5361e0365eebc0899255b9aa53f
SHA512 32407bfa0f8cd1939617087e89c02402df8e2f18691957138c0bff846cc1e7aacd303b976d5fb13a318aa5d7fbad3e9486c1ce64848a5210a8ddd76acf0b82cd

memory/1624-30-0x0000000000630000-0x0000000000631000-memory.dmp

memory/4000-33-0x0000000000AC0000-0x0000000000B14000-memory.dmp

memory/4000-32-0x0000000001000000-0x00000000010BD000-memory.dmp

memory/436-31-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1624-34-0x0000000000630000-0x0000000000631000-memory.dmp
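The Files sections of both detonations list the same dropped path several times with different hashes, and one hash under two different names. Correlating those records is the check an analyst runs before lifting hashes out of a report as IOCs. The following Python is an added example, not part of the sandbox report: it parses the flattened Files listing (the eight SHA256 records and a few memory-dump names below are copied from this page; the report does not say why 1.exe was captured with several hashes, so the code only surfaces the fact), groups content by hash and by path, and groups memory-dump regions by size to show the same image mapped in more than one process. Path normalisation and the region-size heuristic are assumptions of the example.

```python
import re
from collections import defaultdict

# Dropped-file records and memory-dump names copied from this page's two Files
# sections (behavioral1 then behavioral2); only the SHA256 line of each record is
# kept. The text is the page's own data; the parsing and correlation around it is
# an added example, not part of the sandbox report.
REPORT_FILES = r"""
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
SHA256 4ddf26da506428e92302815daee5803616aaf5361e0365eebc0899255b9aa53f
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
SHA256 a5ae15466de97171d0c7c37f07380f8c53d30d52c1dc54b0e9bd9a171f3ef6c0
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
SHA256 cbbcb1e1fe5e9d0fef5e335e7abe48874ceb9776abc36e559741334387592405
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
SHA256 dc8cdb623a4c35bc6dd8f16ea1a5175111ec0c4a08a7e8181da3eb513c268f3a
memory/2528-0-0x0000000001000000-0x00000000010BD000-memory.dmp
memory/2724-35-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2852-38-0x0000000000400000-0x00000000004C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
SHA256 5a9a5739ec3b1291c3572e3cfee7a169ae719f6ff24702fd5ce541c542fc4618
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
SHA256 e0e510deee0b9982cdb17e11befaa3f47d23a7f9be28645526b8927a08707b8a
C:\Windows\Hacker.com.cn.exe
SHA256 66b19cb31b327eeaeb6f148e17a623a62526f291d921c069f0bb6bbc0ba4e872
C:\Windows\Hacker.com.cn.exe
SHA256 4ddf26da506428e92302815daee5803616aaf5361e0365eebc0899255b9aa53f
memory/4000-0-0x0000000001000000-0x00000000010BD000-memory.dmp
memory/436-31-0x0000000000400000-0x00000000004C2000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^SHA256\s+([0-9a-f]{64})$")


def normalize_path(path):
    """Collapse the drive-less and drive-prefixed spellings of one path (assumption of this example)."""
    path = path.strip().lower()
    return path[2:] if re.match(r"^[a-z]:\\", path) else path


def parse_report(text):
    """Return ([(path, sha256)], [(pid, start, end)]) from a flattened Files section."""
    records, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            dumps.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError("hash line without a preceding path: " + line)
            records.append((current, m.group(1)))
            continue
        current = normalize_path(line)  # anything else is the path of the next record
    return records, dumps


def correlate(records):
    by_hash = defaultdict(set)   # sha256 -> every path it was seen at
    by_path = defaultdict(list)  # path -> distinct hashes in capture order
    for path, sha in records:
        by_hash[sha].add(path)
        if sha not in by_path[path]:
            by_path[path].append(sha)
    return dict(by_hash), dict(by_path)


def shared_hashes(by_hash):
    """Content seen under more than one name: the copy/rename chain of the payload."""
    return {sha: sorted(paths) for sha, paths in by_hash.items() if len(paths) > 1}


def rewritten_paths(by_path):
    """Paths whose content changed during the run: their hashes are not stable IOCs."""
    return {path: hashes for path, hashes in by_path.items() if len(hashes) > 1}


def shared_images(dumps):
    """Dump regions of identical size across PIDs usually mean the same PE image mapped in each."""
    by_size = defaultdict(set)
    for pid, start, end in dumps:
        by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    recs, dumps = parse_report(REPORT_FILES)
    by_hash, by_path = correlate(recs)
    print("same content under several names:", shared_hashes(by_hash))
    print("paths rewritten during the run:", {p: len(h) for p, h in rewritten_paths(by_path).items()})
    print("image sizes mapped in several processes:", {hex(s): p for s, p in shared_images(dumps).items()})
```

Run against the report's own records this shows that SHA256 4ddf26da... was captured both as IXP000.TMP\1.exe and as C:\Windows\Hacker.com.cn.exe (the copy the "Drops file in Windows directory" rows describe), that 1.exe was seen with six distinct hashes and Hacker.com.cn.exe with two, and that a 0xC2000-byte region at 0x400000 appears in PIDs 2724 and 2852 (behavioral1) and 436 (behavioral2) while the 0xBD000-byte dropper image at 0x1000000 appears in PIDs 2528 and 4000. The practical consequence is to block on the stable artifacts (the C:\Windows\Hacker.com.cn.exe path, afgd.3322.org, 157.122.62.205:8000) rather than on the hash of a staging file that changes within a single run.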