Malware Analysis Report

2024-10-19 08:29

Sample ID 240125-v8rbnscgen
Target partyparrot.bat
SHA256 e0134835020ff6c813e46ba7b1aa3cd8c877ada7e716b7793e7f1df6d3978b31
Tags
kinsing loader
score
10/10

Analysis Overview

score
10/10

SHA256

e0134835020ff6c813e46ba7b1aa3cd8c877ada7e716b7793e7f1df6d3978b31

Threat Level: Known bad

The file partyparrot.bat was found to be: Known bad.

Malicious Activity Summary

kinsing loader

Kinsing

Drops file in Windows directory

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:39

Reported

2024-01-25 17:42

Platform

win11-20231222-en

Max time kernel

86s

Max time network

151s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\partyparrot.bat"

Signatures

Kinsing

loader kinsing

Drops file in Windows directory

Description                  | Indicator                                  | Process                                     | Target
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml  | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml  | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\system32\timeout.exe  | N/A

Suspicious use of WriteProcessMemory

Description                     | Indicator | Process                     | Target
PID 3720 wrote to memory of 4628 | N/A       | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 3720 wrote to memory of 4628 | N/A       | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 3720 wrote to memory of 3740 | N/A       | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe
PID 3720 wrote to memory of 3740 | N/A       | C:\Windows\system32\cmd.exe | C:\Windows\system32\curl.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\partyparrot.bat"

C:\Windows\system32\timeout.exe

timeout 7

C:\Windows\system32\curl.exe

curl parrot.live

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

Network

Country | Destination         | Domain                           | Proto
N/A     | 127.0.0.1:49753     | N/A                              | tcp
US      | 8.8.8.8:53          | parrot.live                      | udp
SG      | 206.189.36.145:80   | parrot.live                      | tcp
GB      | 92.123.26.209:443   | N/A                              | tcp
US      | 13.89.179.9:443     | browser.pipe.aria.microsoft.com  | tcp
GB      | 92.123.128.186:443  | r.bing.com                       | tcp
GB      | 92.123.128.186:443  | r.bing.com                       | tcp
GB      | 92.123.128.186:443  | r.bing.com                       | tcp
GB      | 92.123.128.186:443  | r.bing.com                       | tcp
GB      | 92.123.128.186:443  | r.bing.com                       | tcp
GB      | 92.123.128.186:443  | r.bing.com                       | tcp
US      | 8.8.8.8:53          | 180.178.17.96.in-addr.arpa       | udp

Files

N/A