kinsing | 3c07283e8d6141eefda2255d0a7b77f45b167e5af4b935bf6a9887b42bbb5512

Analysis

max time kernel
151s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_ff807ac80356d2d8dedc39d1be70d3e1_cryptolocker.exe
Size

49KB
MD5

ff807ac80356d2d8dedc39d1be70d3e1
SHA1

46e1506428eb69854a18e6e591dc65514b1e1f40
SHA256

3c07283e8d6141eefda2255d0a7b77f45b167e5af4b935bf6a9887b42bbb5512
SHA512

08048fdff58a0e02342a822e2b2695d3e6eb54e9571e874ff8d1e8c150e653db4a5528a130f04291942b683cae97aa0a6d9a965d3bed6260ddfef967623824e2
SSDEEP

768:V6LsoEEeegiZPvEhHSG+gDYQtOOtEvwDpjeJQ7suIlsw92KFXpQenhu2:V6QFElP6n+gMQMOtEvwDpjeJQ7pojkR2

Score

10^/10

kinsing loader

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Detection of CryptoLocker Variants 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_rule2

Detection of Cryptolocker Samples 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\asih.exe	CryptoLocker_set1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-01-25_ff807ac80356d2d8dedc39d1be70d3e1_cryptolocker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	2024-01-25_ff807ac80356d2d8dedc39d1be70d3e1_cryptolocker.exe

Executes dropped EXE 1 IoCs

Processes:

asih.exe

pid process

2872 asih.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2872	asih.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-01-25_ff807ac80356d2d8dedc39d1be70d3e1_cryptolocker.exe

description	pid	process	target process
PID 5024 wrote to memory of 2872	5024	2024-01-25_ff807ac80356d2d8dedc39d1be70d3e1_cryptolocker.exe	asih.exe
PID 5024 wrote to memory of 2872	5024	2024-01-25_ff807ac80356d2d8dedc39d1be70d3e1_cryptolocker.exe	asih.exe
PID 5024 wrote to memory of 2872	5024	2024-01-25_ff807ac80356d2d8dedc39d1be70d3e1_cryptolocker.exe	asih.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_ff807ac80356d2d8dedc39d1be70d3e1_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_ff807ac80356d2d8dedc39d1be70d3e1_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5024

C:\Users\Admin\AppData\Local\Temp\asih.exe
"C:\Users\Admin\AppData\Local\Temp\asih.exe"
2⤵
- Executes dropped EXE
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
50KB

MD5
ed9e99557f3c1338b06c7840396c9489

SHA1
72b3529ec5d7f1266225bd393466d35665c10467

SHA256
e627caaf8acffcc1b6b200a2f47af86a58d71e064a79e3affc92a02c73df09a5

SHA512
e2702c2f9a79ee0ca8c1db6adb9826bef68e51a514bb586886211653b9ee5ca3f2be4741a24a6bdf30c84b41be32d4cc407e64465f21134434a92c275e13adec

Download Submit
memory/2872-17-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/5024-0-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/5024-1-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/5024-2-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download