Malware Analysis Report

2024-10-23 21:11

Sample ID 240125-v7xgasbha7
Target 2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid
SHA256 9d5530e0f6f0ab505d97cd6e85873203553dd0594ce9602b03e23dd62a87c725
Tags
kinsing loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d5530e0f6f0ab505d97cd6e85873203553dd0594ce9602b03e23dd62a87c725

Threat Level: Known bad

The file 2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid was found to be: Known bad.

Malicious Activity Summary

kinsing loader

Kinsing

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:38

Reported

2024-01-25 17:41

Platform

win7-20231215-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Panel\Autorun.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Panel\Autorun.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A
File opened for modification | C:\Program Files\Panel\Autorun.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe"

C:\Program Files\Panel\Autorun.exe

"C:\Program Files\Panel\Autorun.exe" "33201"

Network

N/A

Files

\Program Files\Panel\Autorun.exe

MD5 7a7ac635ee9e9d42bd1a0a8ed3228a02
SHA1 061032c4a9ddb23feeb9a60d0487f1edd7c50a14
SHA256 2f629d9c18dad0894034d337c499ca9c1946b0687db0dd3d14ae0fb5ce3d7007
SHA512 28d9f4891146a2ded565e402e9d63af09325d2ed896d5457b20eb9a75a6d9c8e32cc394e0dca1b791ff9a3a02548e6f4a371046ca1c19b8fe2466cfec19b8774

C:\Program Files\Panel\Autorun.exe

(second hash set recorded for the same dropped file; consistent with the Drops-file signature above, which shows the file being created and then reopened for modification, so both contents are listed)

MD5 1bb5d4406c8e6d50651ef254926196c4
SHA1 3271472866a7432e4ad96d3d6d862a1abdaea35c
SHA256 f9eb1a7892da587b0af95e6d9098eab8c30d97a20a65571b8b31a31882cd589b
SHA512 445d699cce1b1d8c23286dd8ad48f9c4ae47443fd75d5c23a71ec58f678a7b7269e7c00fa40f022deb89d5effd6b51afc12df59e5e0f8b2775236307c925922c

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:38

Reported

2024-01-25 17:41

Platform

win10v2004-20231222-en

Max time kernel

88s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe"

Signatures

Kinsing

loader kinsing

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Autorun\compact.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Autorun\compact.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A
File opened for modification | C:\Program Files\Autorun\compact.exe | C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_d74cf6fc8064864e1c0b427d6bef792b_icedid.exe"

C:\Program Files\Autorun\compact.exe

"C:\Program Files\Autorun\compact.exe" "33201"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp

All ten entries are reverse-DNS (PTR) lookups sent to Google's resolver over UDP; reading each in-addr.arpa name backwards gives the address being resolved (196.249.167.52.in-addr.arpa is 52.167.249.196, for example). The addresses fall in Microsoft/Azure and CDN ranges that a Windows 10 image contacts on its own, and the Windows 7 run recorded no network activity at all, so this table yields no sample-attributable C2 indicator; treat it as background noise unless a capture with process attribution ties a query to the dropped executable.

Files

C:\Program Files\Autorun\compact.exe

MD5 7872aa02192a2d998d3ea1e3b1adcaa6
SHA1 901b87f39e11912bef405bde3c163b866d372267
SHA256 72f3676de225f84a9739a8ddf403960ca1278e2c0c73b0155423461d3cd4ec52
SHA512 ab620508ec473267baf7d9dc188784205ef5f5557b4aac78ab04bfd51057b9d549b3a9ebfa5344188499c3ea9d0ec0cc01467f0dd3907a2c8379c7442c196f25
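The following Python script is an added example and not part of the sandbox output: it turns the indicators recorded in this report (the SHA256 values from both Files sections, the two drop paths under Program Files, and the "Unsigned PE" signature) into an offline host sweep. The drop-path set, the `make_pe` fixture and the temporary directory it sweeps are constructed for illustration; the fixtures are minimal PE32+ headers, not the real samples. The signature check only tests whether the PE data directory's certificate-table entry (index 4) is populated, which is what "unsigned PE" means in a static triage; it does not validate a signature.

```python
"""IOC sweep built from this report (added example, not sandbox output):
dropped-file hashes and paths plus a presence check for the 'Unsigned PE' signature."""
import hashlib, os, struct, tempfile

# SHA256 values recorded in the Files sections of both detonations.
IOC_SHA256 = {
    "9d5530e0f6f0ab505d97cd6e85873203553dd0594ce9602b03e23dd62a87c725": "submitted sample",
    "2f629d9c18dad0894034d337c499ca9c1946b0687db0dd3d14ae0fb5ce3d7007": "Autorun.exe (first version)",
    "f9eb1a7892da587b0af95e6d9098eab8c30d97a20a65571b8b31a31882cd589b": "Autorun.exe (second version)",
    "72f3676de225f84a9739a8ddf403960ca1278e2c0c73b0155423461d3cd4ec52": "compact.exe",
}
# Drop locations recorded in the report, relative to the Program Files root (constructed set).
IOC_RELPATHS = {os.path.join("Panel", "Autorun.exe"), os.path.join("Autorun", "compact.exe")}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # certificate table slot in the PE data directory


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def pe_has_authenticode(data):
    """None if not a PE; False if the certificate-table entry is empty; True if populated.
    Presence only: no validation, and catalog-signed binaries (most Windows system
    files) carry no embedded blob, so they read as False here too."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                           # optional header start
    if size_opt < 2 or opt + size_opt > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at 92, directories at 96
        n_rva_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at 108, directories at 112
        n_rva_off, dirs_off = 108, 112
    else:
        return None
    if size_opt < n_rva_off + 4:
        return None
    n_dirs = struct.unpack_from("<I", data, opt + n_rva_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > size_opt:
        return False
    va, size = struct.unpack_from("<II", data, opt + entry)   # file offset, size of WIN_CERTIFICATE
    return va != 0 and size != 0


def scan_blob(rel, data, ioc_hashes=IOC_SHA256):
    """Findings for one file given as bytes, as (relative path, reason) tuples."""
    findings = []
    digest = sha256_bytes(data)
    if digest in ioc_hashes:
        findings.append((rel, "hash match: " + ioc_hashes[digest]))
    if rel in IOC_RELPATHS:
        findings.append((rel, "known drop path"))
    if pe_has_authenticode(data) is False:
        findings.append((rel, "unsigned PE"))
    return findings


def sweep(root):
    """Walk a Program Files-style tree and collect findings for every file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                findings += scan_blob(os.path.relpath(full, root), f.read())
    return sorted(findings)


def make_pe(signed):
    """Constructed fixture: minimal PE32+ header, no sections. 'signed' fills the
    certificate-table entry with a dummy offset/size so the check sees a blob."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    size_opt = 240
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x200, 0x100)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def demo():
    """Write constructed fixtures into a temporary tree and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Panel"))
        with open(os.path.join(root, "Panel", "Autorun.exe"), "wb") as f:
            f.write(make_pe(signed=False))                    # report's drop path, unsigned
        with open(os.path.join(root, "signed.exe"), "wb") as f:
            f.write(make_pe(signed=True))                     # control: carries a blob
        return sweep(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a real `C:\Program Files` tree with `sweep(r"C:\Program Files")`; a hash match is definitive, a drop-path hit without a hash match means the file at that path differs from the three versions recorded here and deserves its own look, and an "unsigned PE" finding on its own is weak evidence because catalog-signed and legitimately unsigned third-party binaries also trigger it.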