Malware Analysis Report

2024-10-19 08:28

Sample ID: 240125-v6zv2acgar
Target: 751c52cd42065e2c68e761ba9ea058ce
SHA256: 0a3fee19ce5e36d114444cc2ba797c9154149ca1f81bc4ad55f457f91a85fd38
Tags: upx kinsing loader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 0a3fee19ce5e36d114444cc2ba797c9154149ca1f81bc4ad55f457f91a85fd38
Threat Level: Known bad

The file 751c52cd42065e2c68e761ba9ea058ce was found to be Known bad. It is an unsigned, UPX-packed PE. The Kinsing loader signature matched only in the Windows 10 detonation (behavioral2) and not in the Windows 7 one (behavioral1), so a verdict based on the Win7 run alone would have carried the generic behaviours but not the family tag. In both detonations the process writes a new binary to its own path (the Files sections list that path with hashes that differ from the submitted SHA256), executes it, and renames or deletes the original; it then resolves zipansion.com and yxeepsek.net and connects to both over TCP port 80. The UnmapMainImage and WriteProcessMemory flags in the summary below are the API pair typical of process hollowing, and the memory dumps record the image region at 0x400000 with changing sizes for both PIDs in each detonation, which is consistent with that, but the report carries no call-level detail and supplies no MITRE ATT&CK mapping.

Malicious Activity Summary

upx kinsing loader

Kinsing

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-01-25 17:36

Signatures

UPX packed file (tag: upx)
    Description / Indicator / Process / Target: N/A

Unsigned PE
    Description / Indicator / Process / Target: N/A
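The "UPX packed file" match above is a static signature with no indicator detail recorded. The script below is an added example (the editor's own code, not the sandbox's or the report's) of the two pieces of evidence such a signature normally rests on: section names beginning with "UPX" (UPX0/UPX1 in a stock build) and the "UPX!" marker that stock UPX writes into the packed image. It uses only the standard library so it runs on an analysis VM without pefile; the PE image it builds with build_fake_pe() is a constructed fixture for the demonstration, not the analysed sample. Caveat for triage: section names are trivially renamed and a modified UPX build drops the marker, so a negative result means "not stock UPX", not "not packed".

```python
"""Stdlib-only check for stock UPX packing of a PE file.

Editor's added example, not code from the sandbox or the report. It reproduces
the evidence behind a "UPX packed file" signature: section names beginning with
"UPX" (UPX0/UPX1 by default) and the "UPX!" marker that stock UPX writes into
the packed image. The PE images built by build_fake_pe() are constructed
fixtures for the demonstration, not the analysed sample.
"""
import struct
import sys

UPX_MARKER = b"UPX!"
SECTION_HEADER_SIZE = 40


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if the headers do not parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # "PE\0\0" signature (4 bytes) followed by the 20-byte COFF header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            break  # truncated section table: keep whatever parsed so far
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def looks_upx_packed(data: bytes) -> dict:
    """Combine the two heuristics; either one alone is enough to flag the file."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n.upper().startswith("UPX")]
    marker = UPX_MARKER in data
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "marker": marker,
        "packed": bool(upx_sections) or marker,
    }


def build_fake_pe(section_names, tail=b""):
    """Constructed fixture: a minimal PE32 skeleton carrying the given section names."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    size_opt = 224                            # PE32 optional header size; zeroed in the fixture
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0)
    sections = b"".join(
        n.ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8) for n in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(size_opt) + sections + tail


if __name__ == "__main__":
    # Usage: python upx_check.py <file.exe>; with no argument it runs on the fixture.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], bytes(16) + UPX_MARKER + bytes(8))
    print(looks_upx_packed(data))
```

Point it at the submitted file to reproduce the static1 match; on the sample's rewritten copies from the Files sections it tells you whether the dropped stage is still packed or has already been unpacked on disk.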

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-25 17:36
Reported: 2024-01-25 17:39
Platform: win7-20231215-en
Max time kernel: 119s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe"

Signatures

Deletes itself
    Process: C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe
    Description / Indicator / Target: N/A

Executes dropped EXE
    Process: C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe
    Description / Indicator / Target: N/A

Loads dropped DLL
    Process: C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe
    Description / Indicator / Target: N/A

UPX packed file (tag: upx)
    4 matches; Description / Indicator / Process / Target: N/A

Suspicious behavior: RenamesItself
    Process: C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe
    Description / Indicator / Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe

"C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe"

C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe

C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp

Files

memory/1420-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1420-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1420-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe

MD5 3ae2122ef82be6fd449b8d47bd0880f4
SHA1 88320f9360ca9210bf2201d44daf8143291aae93
SHA256 4895c69ac08557b64c71aa2fc3bc424472738ce6f2fc55a929a665733a888697
SHA512 8e27542ea58870f2f91e54c5e8353bac2bbd842d0f31b9a3a565382606b7ce4f52e4675f29a037e3064ccbfc7fb60ed9949b59eadbf3120366fbad579075f20b

C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe

MD5 20c1d0ac8d15cbaaf5a2148f3c266340
SHA1 030c11b1b7594e313714efd5a06ef623443645ce
SHA256 cb4cfc287557a6933ebbc49ae1fe83fc769ad2a0ff07fb5a85f33a6d13287182
SHA512 5dd8eb152a870d5c7104d036b5cefb40dfbd8756c7d712ccc6b824fa8f9b1ba5c075d8cf79168aae966359e0f0ab6ba02ab505d245353aabb78f4af1050b0de9

memory/1420-15-0x00000000037F0000-0x0000000003CDF000-memory.dmp

memory/2944-17-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2944-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1420-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2944-19-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2944-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2944-24-0x0000000003410000-0x000000000363A000-memory.dmp

memory/1420-31-0x00000000037F0000-0x0000000003CDF000-memory.dmp

memory/2944-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-25 17:36
Reported: 2024-01-25 17:39
Platform: win10v2004-20231215-en
Max time kernel: 141s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe"

Signatures

Kinsing (tags: loader kinsing)

Deletes itself
    Process: C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe
    Description / Indicator / Target: N/A

Executes dropped EXE
    Process: C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe
    Description / Indicator / Target: N/A

UPX packed file (tag: upx)
    3 matches; Description / Indicator / Process / Target: N/A

Suspicious behavior: RenamesItself
    Process: C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe
    Description / Indicator / Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe

"C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe"

C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe

C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
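Most rows in this table are reverse (PTR) lookups, and only two of them reverse to addresses the sample actually connected to: 114.73.21.104.in-addr.arpa is 104.21.73.114 (zipansion.com) and 204.20.21.104.in-addr.arpa is 104.21.20.204 (yxeepsek.net). The other twelve PTR names reverse to addresses that appear nowhere else in the trace, so they should not go onto a block list or hunt query on the strength of this report. The script below is an added example (the editor's own code, not the sandbox's) that performs that separation; the table text it parses is copied verbatim from the rows above, and the parsing, the PTR-to-IP mapping and the matching logic are the editor's assumptions about how to read it.

```python
"""Triage a sandbox Network table: split sample-attributable indicators from
reverse-DNS lookups that nothing else in the trace ties to the sample.

Editor's added example, not code from the sandbox or the report. NETWORK_TABLE
is copied from the behavioral2 Network table of the report; the parsing and
matching below are the editor's own.
"""
import ipaddress

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 114.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 204.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name: str):
    """Map an IPv4 reverse-DNS name (octets reversed) to the forward address, or None."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None  # not a valid dotted quad once reversed


def parse_rows(table: str) -> list:
    """Return (country, dest_ip, dest_port, domain, proto) per data row; header skipped."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append((country, host, int(port), domain, proto.lower()))
    return rows


def triage(rows: list) -> dict:
    """Attribute indicators: forward domains, TCP-contacted IPs, PTR lookups matched or not."""
    contacted = {}  # dest_ip -> set of domains it was reached under (TCP rows only)
    forward_domains = set()
    for _, ip, _port, domain, proto in rows:
        if proto == "tcp":
            contacted.setdefault(ip, set()).add(domain)
        if not domain.endswith(PTR_SUFFIX):
            forward_domains.add(domain)
    ptr_matched, ptr_unmatched = [], []
    for _, _ip, _port, domain, _proto in rows:
        target = ptr_to_ip(domain)
        if target is None:
            continue
        # A PTR lookup is attributable only if the sample also connected to that address.
        (ptr_matched if target in contacted else ptr_unmatched).append(target)
    return {
        "domains": sorted(forward_domains),
        "contacted_ips": sorted(contacted),
        "ptr_matched": sorted(ptr_matched),
        "ptr_unmatched": sorted(ptr_unmatched),
    }


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_TABLE))
    for key, values in result.items():
        print(f"{key}: {', '.join(values)}")
```

The block-list candidates are the two forward domains and the two TCP destinations; the unmatched PTR targets are reported separately so they can be compared against a clean-baseline detonation before anyone treats them as indicators.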

Files

memory/2468-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2468-1-0x0000000001D30000-0x0000000001E63000-memory.dmp

memory/2468-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\751c52cd42065e2c68e761ba9ea058ce.exe

MD5 5da062de31e7964ba2ca210b0346364a
SHA1 c153f3b4e287b7e08d2df633be9d748118048645
SHA256 88ab0085708feee911cac7aff3e1542fc59d3eedf2ea4af7027ae57da47e5a2c
SHA512 938c3269b4b792c85d477899d62d742aed53687ef4eedcd414d7e686abfcebcf86428e736fb3a62a6400159d70448e332ae82cab9d7d593818dec0984e28e87f

memory/2468-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/5116-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/5116-14-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/5116-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/5116-20-0x00000000055D0000-0x00000000057FA000-memory.dmp

memory/5116-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/5116-28-0x0000000000400000-0x00000000008EF000-memory.dmp