Malware Analysis Report

2024-10-19 08:29

Sample ID 240125-v8ja3acgek
Target 751db4c302ac5d5e738b647e9ea3ae98
SHA256 602b4b65bb376518a94d6d5886463dd6a6fd0c88e2eea948072c7fe75500e73d
Tags
kinsing loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

602b4b65bb376518a94d6d5886463dd6a6fd0c88e2eea948072c7fe75500e73d

Threat Level: Known bad

The file 751db4c302ac5d5e738b647e9ea3ae98 was found to be: Known bad.

Malicious Activity Summary

kinsing loader

Kinsing

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:39

Reported

2024-01-25 17:42

Platform

win7-20231215-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\80C.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\80C.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe

"C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe"

C:\Users\Admin\AppData\Local\Temp\80C.tmp

"C:\Users\Admin\AppData\Local\Temp\80C.tmp" --splashC:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe DC5ED212E768A816A9D368EE70E7B8F16FEE7D4C3AF15316EDFDED562165EA980370C2E9743626D886C58EED211CF239E49F7E7B697C2CC1755B362622550137

Network

N/A

Files

memory/2108-0-0x0000000000400000-0x00000000005E6000-memory.dmp

\Users\Admin\AppData\Local\Temp\80C.tmp

MD5 10d4e1033367776bc4050458e5e54315
SHA1 d43952bfcbcb473fc8b83ccdb292811487ae64a3
SHA256 59109395b7b1f08afdc59fec8633b12dbdaefddac0da90de8d43d0e71d8d7347
SHA512 cb6061c8ef55626bb2bad578b3d4a61f1945b0abdf049fcc72e89763ff6461bef07d925e4bda6641cf4b50b102976400f814966fa257b136f0f1728d01ecd7ac

memory/1132-6-0x0000000000400000-0x00000000005E6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:39

Reported

2024-01-25 17:42

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe"

Signatures

Kinsing

loader kinsing

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\851E.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\851E.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe

"C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe"

C:\Users\Admin\AppData\Local\Temp\851E.tmp

"C:\Users\Admin\AppData\Local\Temp\851E.tmp" --splashC:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe B04E36A440F7F11FC0B1E5D207D79FF516E0C34F8571F865B320F25D2D9BF97733CCC2623FEB4B48D697EB3AF3168DCE965F17D00E80AF3F64A96AFF0F96104D

Network

Country  Destination       Domain                         Proto
US       138.91.171.81:80                                 tcp
US       8.8.8.8:53        28.118.140.52.in-addr.arpa     udp
US       8.8.8.8:53        173.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53        21.53.126.40.in-addr.arpa      udp
US       8.8.8.8:53        95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53        97.17.167.52.in-addr.arpa      udp
US       8.8.8.8:53        228.249.119.40.in-addr.arpa    udp
US       8.8.8.8:53        50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53        206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53        105.135.221.88.in-addr.arpa    udp
US       8.8.8.8:53        81.171.91.138.in-addr.arpa     udp
US       8.8.8.8:53        31.243.111.52.in-addr.arpa     udp
US       8.8.8.8:53        178.223.142.52.in-addr.arpa    udp
US       8.8.8.8:53        89.16.208.104.in-addr.arpa     udp

Files

memory/2252-0-0x0000000000400000-0x00000000005E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\851E.tmp

MD5 d18c34c47bbf269424ef741b3f304a0b
SHA1 e56788174d4142dc3d02cbc86c7887fa22f4b906
SHA256 ea32b3d6594340e7db542e2541a2b345a9bf563413dc6cfb3bd830700a8e0d1e
SHA512 2d7658e7927096056ebc19f06638d04d1b1b5b86c17d65688cadc2142507e9f23aef3b511b19e98f6b7bdcd1e1a626b4c64c52db3cb7d00034faa2a72c164265

memory/1428-5-0x0000000000400000-0x00000000005E6000-memory.dmp