kinsing | 9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e

General

Target

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
Size

1.1MB
MD5

3cb1210ca16b02ff71866835040bda3c
SHA1

9107c0c91a73ee5b45b560abaedd06594e9f94d2
SHA256

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e
SHA512

f328ed0540efbfb22bf88fcafc0ee974a31a2d33556fec96ab9b7a0e74d0a59c4075a913bd7f68ad62802d62c02991c0eab30e5b9a9ef94109ae7edc98752601
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qf:CcaClSFlG4ZM7QzMo

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1216 svchcst.exe
Executes dropped EXE 2 IoCs

Processes:

svchcst.exesvchcst.exe

pid process

1216 svchcst.exe
4936 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1216	svchcst.exe

pid	process
1216	svchcst.exe
4936	svchcst.exe

Modifies registry class 3 IoCs

Processes:

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exesvchcst.exe

pid	process
1624	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
1624	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
1624	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
1624	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe

pid process

1624 9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exesvchcst.exesvchcst.exe

pid	process
1624	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
1624	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
1216	svchcst.exe
1216	svchcst.exe
4936	svchcst.exe
4936	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exeWScript.exeWScript.exe

description	pid	process	target process
PID 1624 wrote to memory of 1400	1624	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe	WScript.exe
PID 1624 wrote to memory of 1400	1624	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe	WScript.exe
PID 1624 wrote to memory of 1400	1624	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe	WScript.exe
PID 1624 wrote to memory of 800	1624	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe	WScript.exe
PID 1624 wrote to memory of 800	1624	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe	WScript.exe
PID 1624 wrote to memory of 800	1624	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe	WScript.exe
PID 800 wrote to memory of 1216	800	WScript.exe	svchcst.exe
PID 800 wrote to memory of 1216	800	WScript.exe	svchcst.exe
PID 800 wrote to memory of 1216	800	WScript.exe	svchcst.exe
PID 1400 wrote to memory of 4936	1400	WScript.exe	svchcst.exe
PID 1400 wrote to memory of 4936	1400	WScript.exe	svchcst.exe
PID 1400 wrote to memory of 4936	1400	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
"C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4936

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4b5a0a618e78ccbe04e0786d8c283ce0

SHA1
c937fb61b98879f219aab77cf0844320f69ba0ba

SHA256
177a1c11edd7f933c52ccc6bef99bfeeda7c342243872be1276cca5e27cdf33d

SHA512
1043469036b8b3371c07bd43bd45ea2b8441db0fa5fd369086b8236560561e208542d472aa428a2677a3b789dadeb204c911fb1af2e7ae85dfd26f72a18ba16b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f469cdf8df240e14025ba8608a893e94

SHA1
9ed94d56da438f293ba371373f3f204c7d1c5269

SHA256
3627e902a55ffa64f7e1a096ab4d5e9a7fa66d444e4e476b9726ce8c075d3778

SHA512
ec6645adea7634428a5502a53c47501ef71456c893d740b3d47c5ef4effa566521f5ab31d9d1adc64c3ab2d188e03b205412490aace3a75734b758fd59095f5f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads