kinsing | 314c051136e3767a6848a8bfb7f1ab7dbd8cc219eaf08a65a40b30b641ef7eef

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_ad6562c0751562b129cdeea6fce97260_cryptolocker.exe
Size

46KB
MD5

ad6562c0751562b129cdeea6fce97260
SHA1

67a283b892fef575cc38d4b2a06843644cf1176e
SHA256

314c051136e3767a6848a8bfb7f1ab7dbd8cc219eaf08a65a40b30b641ef7eef
SHA512

b98a5b301eabeba16802fb3fef728c6f71aa9a6cba564374e6d1bdf6c752fb43953f4619f74a7056f1f80c19556a42571ee95c0691a327ff6fff065d0bfee965
SSDEEP

768:vQz7yVEhs9+js1SQtOOtEvwDpjz9+4/Uth8igNrr46xdUUuuMX:vj+jsMQMOtEvwDpj5Hczer5ixuMX

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000700000002321a-12.dat	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000700000002321a-12.dat	CryptoLocker_set1

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-01-25_ad6562c0751562b129cdeea6fce97260_cryptolocker.exemisid.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	2024-01-25_ad6562c0751562b129cdeea6fce97260_cryptolocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	misid.exe

Executes dropped EXE 1 IoCs

Processes:

misid.exe

pid	Process
4976	misid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-01-25_ad6562c0751562b129cdeea6fce97260_cryptolocker.exe

description	pid	Process	procid_target
PID 3940 wrote to memory of 4976	3940	2024-01-25_ad6562c0751562b129cdeea6fce97260_cryptolocker.exe	69
PID 3940 wrote to memory of 4976	3940	2024-01-25_ad6562c0751562b129cdeea6fce97260_cryptolocker.exe	69
PID 3940 wrote to memory of 4976	3940	2024-01-25_ad6562c0751562b129cdeea6fce97260_cryptolocker.exe	69

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ad6562c0751562b129cdeea6fce97260_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ad6562c0751562b129cdeea6fce97260_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\misid.exe
  "C:\Users\Admin\AppData\Local\Temp\misid.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\misid.exe

Filesize
46KB

MD5
47685b5afca149acb89bfac57ef30a24

SHA1
7e09aa1fa3ee863fdd63c0699768f05f5f655218

SHA256
2d1e8b53e11bd0af25be28801f20dd565d1eafa031b7cb3229100f0763cae9e0

SHA512
3bd519c9fb6ad62d44bc7da3f8009cc6218aa5896e416bc7ceac2d68f2fb274c4791c8c7654bd0a5885741899e6f7be341e8f60af5859be489fead69afc785a1

Download Submit
memory/3940-0-0x00000000021A0000-0x00000000021A6000-memory.dmp

Filesize
24KB

Download
memory/3940-2-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/3940-1-0x00000000021A0000-0x00000000021A6000-memory.dmp

Filesize
24KB

Download
memory/4976-17-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/4976-23-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download