Malware Analysis Report

2024-10-19 08:27

Sample ID 240125-v4pbhscfdl
Target 2024-01-25_8bda594e8bace24782556d903a9b4818_mafia
SHA256 508f99c09bb8caf08846b21e3d6feb1c12defce64e892f90c7a2d83025632de6
Tags
kinsing loader
score
10/10


Analysis Overview

score
10/10

SHA256

508f99c09bb8caf08846b21e3d6feb1c12defce64e892f90c7a2d83025632de6

Threat Level: Known bad

The file 2024-01-25_8bda594e8bace24782556d903a9b4818_mafia was found to be: Known bad.

Malicious Activity Summary

kinsing loader

Kinsing

Executes dropped EXE

Loads dropped DLL

Deletes itself

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:32

Reported

2024-01-25 17:35

Platform

win7-20231129-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8bda594e8bace24782556d903a9b4818_mafia.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_8bda594e8bace24782556d903a9b4818_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8bda594e8bace24782556d903a9b4818_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\86A.tmp

"C:\Users\Admin\AppData\Local\Temp\86A.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-25_8bda594e8bace24782556d903a9b4818_mafia.exe 1AF23D484F76BDB6B191EA5D003002D007D4D0BBD175F6FD93D9B06DE1943BA09A4FC911C7AE2DD32A1518B4601F5A30C2FFE533994A79EA744F554E1A9C74A9

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\86A.tmp

MD5 1c038247e53a9ef32717981dc989f9d8
SHA1 eddf9a4d30dec6472021280e284763df6ef93e2e
SHA256 58c5e82079c262f08389a3704b462abeac39fc40ebea1a5af770d00c9fbd377f
SHA512 773ddf40e6866ab916a03ea5a6f16499534bcab6330adb23512c422c946305cb0729818b0338a508504bf568880ed9e735a3adc9c79a98af92b08081f4ca4ad6

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:32

Reported

2024-01-25 17:35

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8bda594e8bace24782556d903a9b4818_mafia.exe"

Signatures

Kinsing

loader kinsing

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4B80.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4B80.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_8bda594e8bace24782556d903a9b4818_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_8bda594e8bace24782556d903a9b4818_mafia.exe"

C:\Users\Admin\AppData\Local\Temp\4B80.tmp

"C:\Users\Admin\AppData\Local\Temp\4B80.tmp" --helpC:\Users\Admin\AppData\Local\Temp\2024-01-25_8bda594e8bace24782556d903a9b4818_mafia.exe CB958502D5D1183BE34B6E675FA81446DF3B978030261B5561527201BA48A6A4B67F2F7B420FF64B74F8F02DEE11C803E8134643F94F891FBC7A430BA49F0056

Network

Country  Destination  Domain                           Proto
US       8.8.8.8:53   22.177.190.20.in-addr.arpa       udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa      udp
US       8.8.8.8:53   180.178.17.96.in-addr.arpa       udp
US       8.8.8.8:53   13.86.106.20.in-addr.arpa        udp
US       8.8.8.8:53   196.249.167.52.in-addr.arpa      udp
US       8.8.8.8:53   N/A                              udp
US       8.8.8.8:53   26.165.165.52.in-addr.arpa       udp
US       8.8.8.8:53   198.187.3.20.in-addr.arpa        udp
US       8.8.8.8:53   140.71.91.104.in-addr.arpa       udp
US       8.8.8.8:53   194.178.17.96.in-addr.arpa       udp
US       8.8.8.8:53   14.227.111.52.in-addr.arpa       udp
US       8.8.8.8:53   123.10.44.20.in-addr.arpa        udp

Files

C:\Users\Admin\AppData\Local\Temp\4B80.tmp

MD5 f7daa47f41b66dff73d9294d7f2a47ca
SHA1 3a517f76ec383df0450421c2f60941725b5dc692
SHA256 afb9b2c664baeeca328c883ae349bb96b7cee8ad2f1121255437cb1be2434af1
SHA512 801bb0fcc5a0d99504d2567165e0ddd5b362b8572bbe1d22d2db23cb2e4f75e89ab69b9a722046fe10d566454d9c0ceaf07d8735b6bbdc96cd10791448dc83e2