kinsing | 380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907

General

Target

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
Size

1.1MB
MD5

805cc740136e4935b8b796601e7ea697
SHA1

15a4ac632e7dea6ef5744a1f7301cb36f5aa0e07
SHA256

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907
SHA512

4408ad772d0c57bfa30e1c0bc8015c84163d3bead7d375393373b9b1774b7dd58444468492d44d9b7311f444cc56851cc60def4cca1acaf231a67dbd7e001b55
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QN:CcaClSFlG4ZM7QzMm

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

4584 svchcst.exe
Executes dropped EXE 2 IoCs

Processes:

svchcst.exesvchcst.exe

pid process

4584 svchcst.exe
112 svchcst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4584	svchcst.exe

pid	process
4584	svchcst.exe
112	svchcst.exe

Modifies registry class 3 IoCs

Processes:

WScript.exeWScript.exe380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exesvchcst.exe

pid	process
4600	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
4600	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
4600	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
4600	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe
4584	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe

pid process

4600 380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exesvchcst.exesvchcst.exe

pid	process
4600	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
4600	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
4584	svchcst.exe
4584	svchcst.exe
112	svchcst.exe
112	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exeWScript.exeWScript.exe

description	pid	process	target process
PID 4600 wrote to memory of 4868	4600	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 4600 wrote to memory of 4868	4600	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 4600 wrote to memory of 4868	4600	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 4600 wrote to memory of 2708	4600	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 4600 wrote to memory of 2708	4600	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 4600 wrote to memory of 2708	4600	380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe	WScript.exe
PID 2708 wrote to memory of 4584	2708	WScript.exe	svchcst.exe
PID 2708 wrote to memory of 4584	2708	WScript.exe	svchcst.exe
PID 2708 wrote to memory of 4584	2708	WScript.exe	svchcst.exe
PID 4868 wrote to memory of 112	4868	WScript.exe	svchcst.exe
PID 4868 wrote to memory of 112	4868	WScript.exe	svchcst.exe
PID 4868 wrote to memory of 112	4868	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe
"C:\Users\Admin\AppData\Local\Temp\380ef6b062746f2c2a8631a7851b07ac2b64492637509e0cc577240a7a891907.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
2db50e925945b30dce18b3a872508882

SHA1
d2ef10036ea16e4ea75026e3a0c0894409172b55

SHA256
21221d9c0c3e5d60f5baa30797eafd8aae22d70a168d05bb5ad262df88591db3

SHA512
2c54d45cb270caaba91ddd12f2eaaf01ec68c0d5ba234521e802fc462ca10830c8c976cdfec68338c828dfadd399bc4a7b9f8e5f48f8e3b99dde41c262c9f977

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8791c5205b8ec6cb1cd4d4c51ecc3adf

SHA1
3e515dc50e3de3ce6a750f29e21d586734364e1a

SHA256
4824cc251ab8b85936072ee82e3d3869c3c36b27d0b52b3846e26b3b4bfa9f90

SHA512
15b3bef94414ebac1424d2bb46de705d4f7104de69e3b1c82d76f8b12b0dd36eb10c16c3ec4af160550c6835343bbb48b7165468c7529917ad34d67469ba0ca3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads