Analysis Overview
SHA256
602b4b65bb376518a94d6d5886463dd6a6fd0c88e2eea948072c7fe75500e73d
Threat Level: Known bad
The file 751db4c302ac5d5e738b647e9ea3ae98 was found to be: Known bad.
Malicious Activity Summary
Kinsing
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-25 17:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 17:39
Reported
2024-01-25 17:42
Platform
win7-20231215-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80C.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80C.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2108 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe | C:\Users\Admin\AppData\Local\Temp\80C.tmp |
| PID 2108 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe | C:\Users\Admin\AppData\Local\Temp\80C.tmp |
| PID 2108 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe | C:\Users\Admin\AppData\Local\Temp\80C.tmp |
| PID 2108 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe | C:\Users\Admin\AppData\Local\Temp\80C.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe
"C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe"
C:\Users\Admin\AppData\Local\Temp\80C.tmp
"C:\Users\Admin\AppData\Local\Temp\80C.tmp" --splashC:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe DC5ED212E768A816A9D368EE70E7B8F16FEE7D4C3AF15316EDFDED562165EA980370C2E9743626D886C58EED211CF239E49F7E7B697C2CC1755B362622550137
Network
Files
memory/2108-0-0x0000000000400000-0x00000000005E6000-memory.dmp
\Users\Admin\AppData\Local\Temp\80C.tmp
| MD5 | 10d4e1033367776bc4050458e5e54315 |
| SHA1 | d43952bfcbcb473fc8b83ccdb292811487ae64a3 |
| SHA256 | 59109395b7b1f08afdc59fec8633b12dbdaefddac0da90de8d43d0e71d8d7347 |
| SHA512 | cb6061c8ef55626bb2bad578b3d4a61f1945b0abdf049fcc72e89763ff6461bef07d925e4bda6641cf4b50b102976400f814966fa257b136f0f1728d01ecd7ac |
memory/1132-6-0x0000000000400000-0x00000000005E6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 17:39
Reported
2024-01-25 17:42
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Kinsing
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\851E.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\851E.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2252 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe | C:\Users\Admin\AppData\Local\Temp\851E.tmp |
| PID 2252 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe | C:\Users\Admin\AppData\Local\Temp\851E.tmp |
| PID 2252 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe | C:\Users\Admin\AppData\Local\Temp\851E.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe
"C:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe"
C:\Users\Admin\AppData\Local\Temp\851E.tmp
"C:\Users\Admin\AppData\Local\Temp\851E.tmp" --splashC:\Users\Admin\AppData\Local\Temp\751db4c302ac5d5e738b647e9ea3ae98.exe B04E36A440F7F11FC0B1E5D207D79FF516E0C34F8571F865B320F25D2D9BF97733CCC2623FEB4B48D697EB3AF3168DCE965F17D00E80AF3F64A96AFF0F96104D
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/2252-0-0x0000000000400000-0x00000000005E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\851E.tmp
| MD5 | d18c34c47bbf269424ef741b3f304a0b |
| SHA1 | e56788174d4142dc3d02cbc86c7887fa22f4b906 |
| SHA256 | ea32b3d6594340e7db542e2541a2b345a9bf563413dc6cfb3bd830700a8e0d1e |
| SHA512 | 2d7658e7927096056ebc19f06638d04d1b1b5b86c17d65688cadc2142507e9f23aef3b511b19e98f6b7bdcd1e1a626b4c64c52db3cb7d00034faa2a72c164265 |
memory/1428-5-0x0000000000400000-0x00000000005E6000-memory.dmp