Malware Analysis Report

2024-10-19 08:28

Sample ID 240125-v69egacgbp
Target 751c97e1a0c439ad6fefbaadf85f4727
SHA256 6b4d0caf422b1cd502bbc8a17fae96df4d9b425d7e729797b488e2e193d40960
Tags kinsing loader
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 6b4d0caf422b1cd502bbc8a17fae96df4d9b425d7e729797b488e2e193d40960

Threat Level: Known bad

The file 751c97e1a0c439ad6fefbaadf85f4727 was found to be: Known bad.

Malicious Activity Summary

kinsing loader

Kinsing

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-25 17:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-25 17:37
Reported 2024-01-25 17:39
Platform win7-20231215-en
Max time kernel 122s
Max time network 125s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\751c97e1a0c439ad6fefbaadf85f4727.html

Signatures

Modifies Internet Explorer settings

adware spyware

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\751c97e1a0c439ad6fefbaadf85f4727.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:275457 /prefetch:2

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted 2024-01-25 17:37
Reported 2024-01-25 17:39
Platform win10v2004-20231222-en
Max time kernel 89s
Max time network 150s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\751c97e1a0c439ad6fefbaadf85f4727.html

Signatures

Kinsing

loader kinsing

Modifies Internet Explorer settings

adware spyware

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\751c97e1a0c439ad6fefbaadf85f4727.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:448 CREDAT:17410 /prefetch:2

Network


Files
