kinsing | 202ecdd3d57ba69a070c9d3448d56019981e14c14e05b3f3a788021f5f7570d2

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:35

Target

751bc7284282d568166cd73f6dfdb44b.exe
Size

598KB
MD5

751bc7284282d568166cd73f6dfdb44b
SHA1

ccbd61c67a70a696d982820cb520d81d11706275
SHA256

202ecdd3d57ba69a070c9d3448d56019981e14c14e05b3f3a788021f5f7570d2
SHA512

10dd2ce80c5cec1d5db57b52d834c706f02c3e4efa1a5743ce8c0bb99324a24be60d6bb180ce53dcd92fe1a312ef3a141b97364637210886f06550585a3d338f
SSDEEP

12288:+TwHlx1//xGf8GkkgwIAIEFXcbyg+yw1BRrMTGFrIsQg:+T2lxx4f8OFcbOrMTGlQg

Score

10^/10

kinsing loader

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

751bc7284282d568166cd73f6dfdb44b.exe751bc7284282d568166cd73f6dfdb44b.exe751bc7284282d568166cd73f6dfdb44b.exe

pid process

4376 751bc7284282d568166cd73f6dfdb44b.exe
5024 751bc7284282d568166cd73f6dfdb44b.exe
3992 751bc7284282d568166cd73f6dfdb44b.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

751bc7284282d568166cd73f6dfdb44b.exe

description	pid	process	target process
PID 4376 wrote to memory of 3992	4376	751bc7284282d568166cd73f6dfdb44b.exe	751bc7284282d568166cd73f6dfdb44b.exe
PID 4376 wrote to memory of 3992	4376	751bc7284282d568166cd73f6dfdb44b.exe	751bc7284282d568166cd73f6dfdb44b.exe
PID 4376 wrote to memory of 3992	4376	751bc7284282d568166cd73f6dfdb44b.exe	751bc7284282d568166cd73f6dfdb44b.exe
PID 4376 wrote to memory of 5024	4376	751bc7284282d568166cd73f6dfdb44b.exe	751bc7284282d568166cd73f6dfdb44b.exe
PID 4376 wrote to memory of 5024	4376	751bc7284282d568166cd73f6dfdb44b.exe	751bc7284282d568166cd73f6dfdb44b.exe
PID 4376 wrote to memory of 5024	4376	751bc7284282d568166cd73f6dfdb44b.exe	751bc7284282d568166cd73f6dfdb44b.exe

C:\Users\Admin\AppData\Local\Temp\751bc7284282d568166cd73f6dfdb44b.exe
watch
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5024

C:\Users\Admin\AppData\Local\Temp\751bc7284282d568166cd73f6dfdb44b.exe
start
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3992

memory/3992-9-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3992-7-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3992-15-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3992-14-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3992-10-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4376-8-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4376-1-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4376-3-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4376-4-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4376-0-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4376-2-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5024-12-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5024-5-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5024-13-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/5024-11-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5024-16-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download