kinsing | e0134835020ff6c813e46ba7b1aa3cd8c877ada7e716b7793e7f1df6d3978b31 | Triage

Analysis

max time kernel
86s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
25-01-2024 17:39

Sharing

Report Analysis Logs

General

Target

partyparrot.bat
Size

338B
MD5

ade3ba332761aca09bec54758e5537f9
SHA1

70598e01ab239786fbf0dc1a74955f3d0f9c2fe0
SHA256

e0134835020ff6c813e46ba7b1aa3cd8c877ada7e716b7793e7f1df6d3978b31
SHA512

f201d52298a68153cee9acecee18dfaa751c4f228085e2f23e2e3a15bc6a47c11970cb94d706f5f60ce08302f286dbd5bd2d2126ef9ffd8b576098c1e6f34aa2

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Delays execution with timeout.exe 1 IoCs

Processes:

timeout.exe

pid	Process
4628	timeout.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exe

description	pid	Process	procid_target
PID 3720 wrote to memory of 4628	3720	cmd.exe	80
PID 3720 wrote to memory of 4628	3720	cmd.exe	80
PID 3720 wrote to memory of 3740	3720	cmd.exe	81
PID 3720 wrote to memory of 3740	3720	cmd.exe	81

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\partyparrot.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\system32\timeout.exe
  timeout 7
  2⤵
  - Delays execution with timeout.exe
  PID:4628
- C:\Windows\system32\curl.exe
  curl parrot.live
  2⤵
  PID:3740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2876

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:596

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads