Malware Analysis Report

2024-10-19 08:28

Sample ID 240125-v7e71scgcj
Target 2024-01-25_c66e7a84408bf6e8c00f9eddf6adf9e2_icedid
SHA256 9bcc13bce6bbff4b73904e8adde81556424da71216008e8a9b62b36c278df3cc
Tags: kinsing, loader
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 9bcc13bce6bbff4b73904e8adde81556424da71216008e8a9b62b36c278df3cc

Threat Level: Known bad

The file 2024-01-25_c66e7a84408bf6e8c00f9eddf6adf9e2_icedid was found to be: Known bad.

Malicious Activity Summary

Tags: kinsing, loader

Kinsing

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:37

Reported

2024-01-25 17:40

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_c66e7a84408bf6e8c00f9eddf6adf9e2_icedid.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process                               | Target
N/A         | N/A       | C:\Program Files\Suppress\status.exe  | N/A

Drops file in Program Files directory

Description  | Indicator                             | Process                                                                                      | Target
File created | C:\Program Files\Suppress\status.exe  | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c66e7a84408bf6e8c00f9eddf6adf9e2_icedid.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_c66e7a84408bf6e8c00f9eddf6adf9e2_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_c66e7a84408bf6e8c00f9eddf6adf9e2_icedid.exe"

C:\Program Files\Suppress\status.exe

"C:\Program Files\Suppress\status.exe" "33201"

Network

N/A

Files

C:\Program Files\Suppress\status.exe

MD5 fe5598c4a228950a1634296496572c1b
SHA1 c1add335e5699a4a100b7bcd85e5ac9721449b51
SHA256 81f0c20c57a097f606c19f3fa74c07208e3bdbdf5f1444dab76a1989ef0f3eb2
SHA512 0046a9ce81fab4bf4456a52b05caeef989a9735a33f3cba9d524afd1025a6c8248f6ee6db965e518f5a7c542e2f3274a4c5db7be32c126fc04b25d0d82704e2d

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:37

Reported

2024-01-25 17:40

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_c66e7a84408bf6e8c00f9eddf6adf9e2_icedid.exe"

Signatures

Kinsing

Tags: loader, kinsing

Executes dropped EXE

Description | Indicator | Process                             | Target
N/A         | N/A       | C:\Program Files\status\novice.exe  | N/A

Drops file in Program Files directory

Description  | Indicator                           | Process                                                                                      | Target
File created | C:\Program Files\status\novice.exe  | C:\Users\Admin\AppData\Local\Temp\2024-01-25_c66e7a84408bf6e8c00f9eddf6adf9e2_icedid.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_c66e7a84408bf6e8c00f9eddf6adf9e2_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_c66e7a84408bf6e8c00f9eddf6adf9e2_icedid.exe"

C:\Program Files\status\novice.exe

"C:\Program Files\status\novice.exe" "33201"

Network

Country | Destination        | Domain                         | Proto
NL      | 52.142.223.178:80  |                                | tcp
US      | 8.8.8.8:53         | 13.86.106.20.in-addr.arpa      | udp
US      | 8.8.8.8:53         | 194.178.17.96.in-addr.arpa     | udp
US      | 8.8.8.8:53         | 148.177.190.20.in-addr.arpa    | udp
US      | 8.8.8.8:53         | 95.221.229.192.in-addr.arpa    | udp
US      | 8.8.8.8:53         | 149.220.183.52.in-addr.arpa    | udp
US      | 8.8.8.8:53         | 183.59.114.20.in-addr.arpa     | udp
US      | 8.8.8.8:53         | 198.187.3.20.in-addr.arpa      | udp
US      | 8.8.8.8:53         | 240.221.184.93.in-addr.arpa    | udp
US      | 8.8.8.8:53         | 22.236.111.52.in-addr.arpa     | udp
US      | 8.8.8.8:53         | 180.178.17.96.in-addr.arpa     | udp
US      | 8.8.8.8:53         | 89.65.42.20.in-addr.arpa       | udp

Files

C:\Program Files\status\novice.exe

MD5 e2642538220c4529e64c6ca6bddcfe0f
SHA1 0f73698374d5f9eaa7314256c67f3b4212ae4cf6
SHA256 39a93a0b8d4ed5e9737dbb976cd29db283e3af7ccfab0cf2d516475fcc9f1bb7
SHA512 2349d73e6713244d82765eeb2b49df10dabeae749a8951e61ca7d058e2f98b71f79976cf2059ded0631347496c1426ca7f4de4b3eb57b736c1528bd6bab24760