Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2024 17:32

General

  • Target

    751aa92eb84f2498cff9054af3cd3646.exe

  • Size

    936KB

  • MD5

    751aa92eb84f2498cff9054af3cd3646

  • SHA1

    bf75b832f192821ce890ee87ccc4d71d48d7eec2

  • SHA256

    1e0e3286fc42990da65ebb86e421a41f020f750a657d1257e221f7d2e19d5430

  • SHA512

    cbe4c36e4420086cda17f17a78258cceb0a508ad422d3f345d0580c8993394fa3856b32f12e534db4f101f967d1a781d8f59720c387e0995699cb45a81beec88

  • SSDEEP

    24576:59GgrW1jF6aD6buUlyxMd+BmK5CXJ9D2ND:7GJtSByySmeCZc

Malware Config

Signatures

  • Kinsing

    Kinsing is a loader written in Golang.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients (2 TTPs)

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file (8 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\751aa92eb84f2498cff9054af3cd3646.exe
    "C:\Users\Admin\AppData\Local\Temp\751aa92eb84f2498cff9054af3cd3646.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKqhZ.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Run32.dll" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Run32.exe" /f
        3⤵
        • Adds Run key to start application
        PID:5108
    • C:\Users\Admin\AppData\Roaming\Run32.exe
      "C:\Users\Admin\AppData\Roaming\Run32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Users\Admin\AppData\Roaming\Run32.exe
        C:\Users\Admin\AppData\Roaming\Run32.exe
        3⤵
        • Executes dropped EXE
        PID:4324

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\xKqhZ.bat

    Filesize

    134B

    MD5

    52dd81881fa3a9e2f376bb73bde15b00

    SHA1

    9440375fb9fb0368f982754f76e2efd295b25463

    SHA256

    a937077f0e234149b1e15e413d33c9f55ad3f427be87d806719c96b3b95209a2

    SHA512

    80c8f687f6c58bd0549c29e7df64fa5585fa877ac5505a72772ba0cae44b01397bd4e2c217681f8662ea5aff69f115c3fbc306c6b1c3e33d9089aa4f887d2fb0

  • C:\Users\Admin\AppData\Roaming\Run32.exe

    Filesize

    320KB

    MD5

    d3805ac7fe57373282563f1a39df5f03

    SHA1

    c8942e191d3c5f8288e38bb45cb18d62ad4ad5e6

    SHA256

    5cb786b09f1a65603923b4006683ca38f81ed8e259b077ac378465b87647e108

    SHA512

    6c95e7e319fcf8d5948b75e8c3d1282a4ff4405f6fe6ad8de112b220ec3a8faf774bada4aa0193b6af25f153247a0e60b2ed97d144a365931dbd46102313a257

  • C:\Users\Admin\AppData\Roaming\Run32.exe

    Filesize

    128KB

    MD5

    44d841875b683c5baa2e2ad730730514

    SHA1

    a6291b5b8cb9623fc32d60ede209c3f3a81f7842

    SHA256

    9c9177ed4016bea9b1cf02648831127ef39bb6e3597526de425b6da916f1490e

    SHA512

    1ebae8e3234fe1f9d1f6b673d4c751904a8656494b0772941639d029ea2d7698bfbde6dfe8c6f233d58376b5196817dc00c1ce39cf2f310b682a68032ab30b59

  • C:\Users\Admin\AppData\Roaming\Run32.exe

    Filesize

    247KB

    MD5

    63009d63b9316e27f51bc930b372e748

    SHA1

    33d2774b8efa89978c79461a35f82e792f26a88f

    SHA256

    2e5f4482936f99be5028cd3a102268cd6c46dc06a820d9d1cff5c93c63042d02

    SHA512

    d8492f71c8456527f7d168ef058ed80d3434c9c570cc5c11fa07afd7b8fa629772a03cdacf27c16e7b14fed3c04d75f2a505829bda78d6e3c8f632e97e215f77

  • C:\Users\Admin\AppData\Roaming\Run32.exe

    Filesize

    654KB

    MD5

    2c1f5b87d4d8a39d5662238ddba3a0d3

    SHA1

    cb2c28648d033048741e3ca0a8e4ecbb08662150

    SHA256

    b66ca32da39fddc5e8826da8e56024ef6ce6cfc5f32a988131c3af1041ba46e4

    SHA512

    38c80b162a0d26a6deca9f03d3ecdf7b1b9832492ca469934f94379c1f2185243a079bfcdd9441e6c308742a7dea7b18c5bda0ef289a00b0a3ddb198958495e4

  • memory/3452-18-0x0000000000400000-0x0000000000D7F000-memory.dmp

    Filesize

    9.5MB

  • memory/3452-25-0x0000000000400000-0x0000000000D7F000-memory.dmp

    Filesize

    9.5MB

  • memory/4324-22-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/4324-26-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/4324-30-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/4816-0-0x0000000000400000-0x0000000000D7F000-memory.dmp

    Filesize

    9.5MB

  • memory/4816-19-0x0000000000400000-0x0000000000D7F000-memory.dmp

    Filesize

    9.5MB