Malware Analysis Report

2024-10-19 08:29

Sample ID 240125-v8f6psbhb7
Target 2024-01-25_db0a1976254507508571121c0245dfcf_icedid
SHA256 f9b936661d154152e16fdd54b0993f1594a8153eb354b9e7624db09e736cef2f
Tags
kinsing loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score 10/10

SHA256 f9b936661d154152e16fdd54b0993f1594a8153eb354b9e7624db09e736cef2f

Threat Level: Known bad

The file 2024-01-25_db0a1976254507508571121c0245dfcf_icedid was found to be: Known bad.

Malicious Activity Summary

kinsing loader

Kinsing

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-01-25 17:39

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-25 17:39

Reported 2024-01-25 17:41

Platform win7-20231129-en

Max time kernel 121s

Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_db0a1976254507508571121c0245dfcf_icedid.exe"

Signatures

Executes dropped EXE

Description  Indicator  Process                               Target
N/A          N/A        C:\Program Files\Publishers\Trip.exe  N/A

Drops file in Program Files directory

Description   Indicator                             Process                                                                                      Target
File created  C:\Program Files\Publishers\Trip.exe  C:\Users\Admin\AppData\Local\Temp\2024-01-25_db0a1976254507508571121c0245dfcf_icedid.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_db0a1976254507508571121c0245dfcf_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_db0a1976254507508571121c0245dfcf_icedid.exe"

C:\Program Files\Publishers\Trip.exe

"C:\Program Files\Publishers\Trip.exe" "33201"

Network

N/A

Files

\Program Files\Publishers\Trip.exe

MD5 3051408c237c595323abdeb8f2f5d291
SHA1 e730b642b7ec9c4c2e8800985e9d654253ee40c3
SHA256 691188539d4210ad4834ca01786522ef07bff709a706cad18b27327e65f31c3e
SHA512 d73ee59af9c3c7cf0ef73b8a39870e2b465cfab81d9f53971c6aa92ce8e447f977c50abc6044b1564ea0a0de9bec1970a033ca204bb3586e5ec8b0a8a099f822

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-25 17:39

Reported 2024-01-25 17:42

Platform win10v2004-20231215-en

Max time kernel 142s

Max time network 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_db0a1976254507508571121c0245dfcf_icedid.exe"

Signatures

Kinsing

loader kinsing

Executes dropped EXE

Description  Indicator  Process                                        Target
N/A          N/A        C:\Program Files\Composition\Performance.exe  N/A

Drops file in Program Files directory

Description   Indicator                                      Process                                                                                      Target
File created  C:\Program Files\Composition\Performance.exe  C:\Users\Admin\AppData\Local\Temp\2024-01-25_db0a1976254507508571121c0245dfcf_icedid.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-25_db0a1976254507508571121c0245dfcf_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-25_db0a1976254507508571121c0245dfcf_icedid.exe"

C:\Program Files\Composition\Performance.exe

"C:\Program Files\Composition\Performance.exe" "33201"

Network

Country  Destination          Domain                             Proto
US       8.8.8.8:53           133.211.185.52.in-addr.arpa        udp
US       8.8.8.8:53           173.178.17.96.in-addr.arpa         udp
US       8.8.8.8:53           149.177.190.20.in-addr.arpa        udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa        udp
US       8.8.8.8:53           228.249.119.40.in-addr.arpa        udp
US       8.8.8.8:53           196.249.167.52.in-addr.arpa        udp
NL       52.142.223.178:80    N/A                                tcp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa         udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa         udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa          udp
US       8.8.8.8:53           180.178.17.96.in-addr.arpa         udp
US       8.8.8.8:53           23.236.111.52.in-addr.arpa         udp
US       8.8.8.8:53           91.65.42.20.in-addr.arpa           udp

Files

C:\Program Files\Composition\Performance.exe

MD5 438bf88c6ce67eb536b97e4897c052c4
SHA1 25426dc43719e959e80726e71dd87203a8f36b52
SHA256 71337bac7f5e65b289fa21b5f088efdb4f97aedcdf887d1b01f2d5667baeb64f
SHA512 2054c1a1567171879564317279bbe977a0d5a10a775f44a2fbec5ca401040330ff5a1ddfbfdd646ce10f25f3894ddee754a83b2841e20df63b78d92777927ce5