kinsing | 049fd29e28518c49846313741fce7875e5c2dc80e4bf9e6f51ca427f8a027ecf

General

Target

751aed4594b234563c560cc8a308739d.exe
Size

954KB
MD5

751aed4594b234563c560cc8a308739d
SHA1

425fff11797b20e15bf1015fa463d546e8efdd60
SHA256

049fd29e28518c49846313741fce7875e5c2dc80e4bf9e6f51ca427f8a027ecf
SHA512

d461c51f9847433697865a027bdea1971dbc5164a260224eccfe8eaa19de6178f5e2ac2e776ea26d6c057d7ec649310bbd3e8c8b90a6a8df6484f277de3dfd88
SSDEEP

24576:zooS8us2n3hr++Iv+qBYmBBriQ9gEIpMGcGSZbCvjb1u6Bd:vu5sg2xg5+l3Wd

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

751aed4594b234563c560cc8a308739d.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe"	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Version	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe"	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\ = "Inst Class"	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\FLAGS\ = "0"	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ = "IBoot"	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\ = "{D99171C3-089D-4F04-8B43-6BC26B08AE1E}"	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\FLAGS	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID\ = "bouncily.lowbrows.1"	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Version\ = "1.0"	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Programmable	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\TypeLib	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\Version = "1.0"	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\ = "{D99171C3-089D-4F04-8B43-6BC26B08AE1E}"	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib\Version = "1.0"	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe\""	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\Programmable	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\TypeLib	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID\ = "bouncily.lowbrows"	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\LocalServer32	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer\ = "bouncily.lowbrows.1"	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\VersionIndependentProgID	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\ = "Inst Class"	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\TypeLib\ = "{d99171c3-089d-4f04-8b43-6bc26b08ae1e}"	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ = "IBoot"	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\751aed4594b234563c560cc8a308739d.exe:typelib"	751aed4594b234563c560cc8a308739d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FDB480A6-79EC-483D-8934-05039A1D812D}\ProxyStubClsid32	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows\CurVer	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}\ProgID	751aed4594b234563c560cc8a308739d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D99171C3-089D-4F04-8B43-6BC26B08AE1E}\1.0\HELPDIR	751aed4594b234563c560cc8a308739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bouncily.lowbrows.1\CLSID\ = "{f4668d3f-904f-4959-bdf0-9e4fa328c2d2}"	751aed4594b234563c560cc8a308739d.exe

NTFS ADS 1 IoCs

Processes:

751aed4594b234563c560cc8a308739d.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe:typelib 751aed4594b234563c560cc8a308739d.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

751aed4594b234563c560cc8a308739d.exe

pid process

2004 751aed4594b234563c560cc8a308739d.exe
2004 751aed4594b234563c560cc8a308739d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe:typelib	751aed4594b234563c560cc8a308739d.exe

pid	process
2004	751aed4594b234563c560cc8a308739d.exe
2004	751aed4594b234563c560cc8a308739d.exe

C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe
"C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe"
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\751aed4594b234563c560cc8a308739d.exe:typelib

Filesize
8KB

MD5
f7c6ba6b4ce77d3ed810c7fb1b470e51

SHA1
1d3b0471b77204b5c0ca17ada602bed8f45a3562

SHA256
851e5f7092e0a5c5652cd48d370b13d1c2799b90d405b1dd1e5aa52b46c399a0

SHA512
da61398fc36fade218c240314a38e8b76ff815dcf9c4e0e942a485c42d849fcea7cf7f63bc82da42de8c6684589fe0f42881dc3b60ec668c368b4c785e8d4b2e

Download Submit
memory/2004-0-0x0000000000300000-0x00000000004E3000-memory.dmp

Filesize
1.9MB

Download
memory/2004-7-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/2004-14-0x0000000000300000-0x00000000004E3000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing