kinsing | de2058855ca75f93be81dd6f8acddd29fa378500ce8bf7e6a90b52045082ee88

Analysis

max time kernel
117s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:35

Target

751bbb23bcf8ee61ae292ca47eeca991.exe
Size

5.3MB
MD5

751bbb23bcf8ee61ae292ca47eeca991
SHA1

24cba516d0d043d401e5dc94f08c771ab5cfbce5
SHA256

de2058855ca75f93be81dd6f8acddd29fa378500ce8bf7e6a90b52045082ee88
SHA512

2be4b4fc4e3790c3b797c5e50369f1c931fe2ef5dbedf8511c66c3d8d1e525101b3580b7afc1280e57c6f4012a7296dbdd7ae5a68448fe5ff48021166bb14fe6
SSDEEP

98304:4Z7KYK31oifL8cZXwHktBcwQDM2YIDULHweOWL8JuyTn3SJxnxJHktBcwQDM2YIO:4FKYK31oEL8cZgschDHIQtW4rzSPnLs5

Score

10^/10

kinsing loader upx

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Deletes itself 1 IoCs

Processes:

751bbb23bcf8ee61ae292ca47eeca991.exe

pid process

932 751bbb23bcf8ee61ae292ca47eeca991.exe
Executes dropped EXE 1 IoCs

Processes:

751bbb23bcf8ee61ae292ca47eeca991.exe

pid process

932 751bbb23bcf8ee61ae292ca47eeca991.exe

pid	process
932	751bbb23bcf8ee61ae292ca47eeca991.exe

pid	process
932	751bbb23bcf8ee61ae292ca47eeca991.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/2712-0-0x0000000000400000-0x00000000008E7000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\751bbb23bcf8ee61ae292ca47eeca991.exe	upx

Suspicious behavior: RenamesItself 1 IoCs

Processes:

751bbb23bcf8ee61ae292ca47eeca991.exe

pid process

2712 751bbb23bcf8ee61ae292ca47eeca991.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

751bbb23bcf8ee61ae292ca47eeca991.exe751bbb23bcf8ee61ae292ca47eeca991.exe

pid process

2712 751bbb23bcf8ee61ae292ca47eeca991.exe
932 751bbb23bcf8ee61ae292ca47eeca991.exe

pid	process
2712	751bbb23bcf8ee61ae292ca47eeca991.exe

pid	process
2712	751bbb23bcf8ee61ae292ca47eeca991.exe
932	751bbb23bcf8ee61ae292ca47eeca991.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

751bbb23bcf8ee61ae292ca47eeca991.exe

description	pid	process	target process
PID 2712 wrote to memory of 932	2712	751bbb23bcf8ee61ae292ca47eeca991.exe	751bbb23bcf8ee61ae292ca47eeca991.exe
PID 2712 wrote to memory of 932	2712	751bbb23bcf8ee61ae292ca47eeca991.exe	751bbb23bcf8ee61ae292ca47eeca991.exe
PID 2712 wrote to memory of 932	2712	751bbb23bcf8ee61ae292ca47eeca991.exe	751bbb23bcf8ee61ae292ca47eeca991.exe

C:\Users\Admin\AppData\Local\Temp\751bbb23bcf8ee61ae292ca47eeca991.exe
Filesize
920KB

MD5
1f7fd82f3edacaf49380f22600996065

SHA1
fb83eecb2fc1e99f5d0070a9c2208eb04403696a

SHA256
c79b1ced64b2ec4d2efa8f48613476a832f722302249f64f79f86fd115545989

SHA512
6b998916fc42fb932666827a0788c6b1d35a5d825c51607467a919981933696c37b53ec4e6eaa2eeaa6613713540807f63126d12b21db4acbcaab7a28a4f1604

Download Submit
memory/932-16-0x0000000001CE0000-0x0000000001E11000-memory.dmp

Filesize
1.2MB

Download
memory/932-14-0x0000000000400000-0x00000000008E7000-memory.dmp

Filesize
4.9MB

Download
memory/932-13-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/932-21-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/932-20-0x00000000055D0000-0x00000000057F2000-memory.dmp

Filesize
2.1MB

Download
memory/932-28-0x0000000000400000-0x00000000008E7000-memory.dmp

Filesize
4.9MB

Download
memory/2712-0-0x0000000000400000-0x00000000008E7000-memory.dmp

Filesize
4.9MB

Download
memory/2712-1-0x0000000001CC0000-0x0000000001DF1000-memory.dmp

Filesize
1.2MB

Download
memory/2712-2-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2712-12-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download